This episode covers Issues 105 and 106 of The OSINT Newsletter and explores two very different sides of modern investigations: going deeper into the Dark Web for intelligence, and using AI to automate the repeatable parts of your workflow.

In Episode 18 of The OSINT Podcast, host Jake Creps picks up where Part One left off and takes investigators further into Dark Web intelligence - or DARKINT. He recaps the layered structure of the surface, deep, and dark web, then digs into the beginner toolkit: onion browsers, hidden services, public leak indexes, and onion search engines. Jake walks through a practical methodology for tracing identifiers - emails, usernames, and phone numbers - from breach data on the Dark Web back up to the surface, and explains how to correlate and validate findings without falling for false positives.

He also pulls no punches on the limitations. DARKINT is an adversarial, high-risk environment full of manipulated datasets, unverifiable attribution, and content that can stay with an investigator long after the browser is closed. The episode covers the compliance considerations of handling breached data and the psychological risks of working in this space - and why both deserve serious thought before diving in.

From there, the episode shifts to something brand new: building Claude Skills for OSINT. Jake explains what Claude Skills are - reusable, plain-language instruction sets that turn AI into a reliable part of your investigative workflow - and walks step-by-step through creating one for username search. No code required. He covers picking the right workflow to automate, writing the skill itself, testing it inside Claude Code with Sherlock, and refining it with simple natural-language tweaks.

The episode closes with a look at how to supercharge an OSINT skill: instructing Claude to pivot on its own findings, find new tools when collection hits a wall, and fall back to manual methods when scripts fail. It is a glimpse of what investigative automation actually looks like when AI stops being a novelty and starts doing real work alongside the analyst.

Highlights include:

🧅 DARKINT Toolkit – onion browsers, hidden services, leak indexes, and onion search engines explained for beginners curious about web spelunking.

🔗 Surface-Bound Pivots – a step-by-step methodology for tracing emails, usernames, and phone numbers from breach data back to the surface web.

⚠️ The Monsters Under The Bed – the real limitations of DARKINT, from manipulated datasets and unverifiable attribution to the psychological toll of the work.

🤖 Building Claude Skills – how to turn a repeatable OSINT workflow into a reusable Claude Skill, with a full walkthrough of automating a username search using Sherlock.

🚀 Supercharging Automation – instructing Claude to pivot on its findings, hunt for new tools, and fall back to manual methods when scripts come up short.

Whether the data is hiding in the dark or waiting to be unlocked by the right set of instructions, Episode 18 shows how modern investigators are reaching both.

References

• OSINT Newsletter – Issue 105

• OSINT Newsletter – Issue 106

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ OSINT and the Dark Web: Part Two

Let’s get started. ⬇️

OSINT News

📰 What happens when agentic AI meets intelligence analysis?

Agentic AI, Maltego MCP servers, conflict monitoring, and self-hosted intel platforms are opening up new possibilities for OSINT, but the tools only matter if the analyst knows how to turn information into intelligence.

🎩 H/T: Aaron Roberts

Read on LinkedIn…

📰 Vibe Coding Is Becoming an OSINT Risk

AI is making it easier to build and adopt OSINT tools, but the real risk starts when investigators trust software they do not fully understand to shape analysis, workflows, and operational decisions.

Read on DutchOSINTGuy…

🎩 H/T: Niko Dekens

📰 Turn Off ChatGPT’s New Ad Tracking

ChatGPT’s free tier is now opt-in to ad tracking and data sharing by default, linking user activity to marketing systems unless you actively turn it off in settings.

Read on Tate’s Online Safety Community…

🎩 H/T: Tate Jarrow

OSINT Tools

🔎 BamQam

A new OSINT-style dashboard that aggregates live geopolitical and military data into a map-based intelligence feed, with unclear provenance and trust level.

Web App

🔎 DrishX

A satellite-powered freight intelligence tool that uses open-source orbital imagery to detect and analyze logistics movement patterns like vehicle flow for OSINT-style monitoring and trend analysis.

GitHub

🎩 H/T: Sairaj Balaji

🔎 claude-osint

An OSINT automation framework built on Claude that structures investigative workflows for research and intelligence tasks.

GitHub

🎩 H/T: Sachin Sharma

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Creating Claude Skills for Open Source Intelligence

• Claude Skills allow you to automate a significant portion of your workflow using very specific instructions. In this issue, I’m going to show you how you can fully automate a username search, including pivoting to additional methods based on findings, all with a single request from Claude.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• The tools you need to know

• Strategies and limitations

• Following data to the surface

• …and how to fight the monsters under the Internet’s bed.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Gathering OSINT from Live Traffic: Datasets and Cameras

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

OSINT and the Dark Web: Part Two

Welcome (back) to the dark side. We have OSINT.

Although it looks dangerous, DARKInt it’s perfectly safe if you know how - and if you read last week’s issue, you probably do. Without further introduction, let’s go even deeper into Dark Web OSINT.

In Part Two, we’ll cover:

• The tools you need to know

• Strategies and limitations

• Following data to the surface

• …and how to fight the monsters under the Internet’s bed.

Don’t forget your flashlight.

Recap: What is the Dark Web?

If the internet is an iceberg, it has three layers: the surface, deep, and dark web.

• Surface Web: The normie ”internet”. Indexed by search engines like Google and Bing.

• Deep Web: The “invisible” 90% of the web you don’t need a specific tool to access. Online banking, private networks, and corporate systems live here.

• Dark Web: The unindexed 1-6% of the web, only accessible via specialised tools. Always anonymised, always encrypted.

What you find in this dark bottom layer - open-source or not - is dark web intelligence. So, think of Dark Web intelligence (or DARKINT) as OSINT’s emo little brother. Got it? Good.

A Beginner’s Guide to DARKInt Tools

To access the Dark Web, specific tools are required. Here’s a conceptual run-down of the best tools for beginners curious about traversing the depths. Of course, this overview is intended for educational purposes only, rather than encouraging active exploration as soon as possible - it’s best to think before you leap.

Browsers Are Like Onions

TOR is the most (in)famous of the bunch. Short for The Onion Router, TOR is too complex to unpack fully here. What’s more, we already did that last week.

Basically, onion browsers work by routing your connection through multiple encrypted layers - a bit like an onion - so no single point can trace your activity. The Dark Web’s sites then use .onion domains; “hidden services,” where both user and host are obscured. Instead of connecting directly, both sides layer up encrypted links via a shared rendezvous point on the TOR network, so nobody knows anybody else’s true IP This creates the built-in anonymity which makes the Dark Web so popular, keeping everything… under wraps (sorry).

Where’s The Leak?

We know one of the most common forms of DARKInt comes in the form of the humble data breach. Public leak indexes are one of the most beginner-friendly entry points into DARKInt, as they point users to large collections of said breached data.

Unlike raw breach dumps (a.k.a. the actual compromised data) leak indexes are designed for search and discovery, and act as directories or lookup tools, rather than hosting any data directly. They’re finding where data exists, and how it connects across leaks. Although datasets are traded, reused or repackaged across multiple Dark Web platforms, indexes can often find specific data whether it’s circulating across the Dark Web or in the wider web bloodstream beyond.

The usual caveats about breached data apply. There’s always a compliance problem when handling potentially stolen data, so treat any data you find as if it were your own.

Search Engines Are Like Onions Too.

These aren’t the Dark Web Google. If TOR is your vehicle into the Dark Web, onion search engines are more like a slightly unreliable sat-nav; this Garmin won’t get you there, but it might point you in the right direction. These tools don’t provide access to anything. Instead, they index and surface .onion sites, helping users discover hidden services they might not know about. Onion search engines:

• Index .onion domains and hidden services

• Enable keyword-based discovery (once you’re already using TOR)

Unlike TOR browsers (which actually connect you to sites) onion search engines sit a layer above like the onion’s outer skin, acting as discovery tools rather than access tools. And because the Dark Web is so transient (sites appear, disappear, or hide deliberately), these engines are best thought of as more treasure hunt than Google search. The coverage on the aforementioned Garmin is patchy, unstable, and often outdated. Still, it works when it doesn’t drive you into a lake - or an active volcano.

Tracing An Account Back to the Surface, Step-By-Step.

1. Use the tools above (indexes, search engines) to identify breaches.

2. Extract identifiers (email, username, phone number) from DARKINT sources.

   • You’ll need a Tor browser to access them.

3. Pivot using emails.

• Identify email accounts, recovery emails, and profiles just as you would as normal.

4. Look for usernames.

• Do the same for usernames - especially look for reuse across social media, forums, or gaming sites.

• Look for variations, and cross-reference matches as in light-mode OSINT.

5. Pivot using phone numbers.

• Investigate links to messaging apps, listings, or leaked records that use breached phone numbers.

6. Correlate findings.

• Always combine multiple data points to strengthen attribution.

Lastly… Validate carefully.

• Watch out for false positives, outdated, or manipulated data - on the Dark Web, these are all over the place

Key Limitations on DARKInt

If these two guides have made the dark, dirty web sound all sunshine and rainbows, now is the time to crush your dreams. There’s no unicorns skipping around down there. DARKInt has limitations, and plenty of them. Let’s meet the monsters under the Internet’s bed.

A High Risk Environment

Imagine a world where everybody hates each other. That’s kinda the Dark Web. DARKInt operates within an anonymised, adversarial ecosystem built to keep its infrastructure volatile, and access inconsistent. Elevated operational security risks are baked-in. Hidden services frequently appear and disappear, and interacting with them can expose investigators to threat just by virtue (or vice) of a click. Tread carefully.

False-Data Scam-O-Rama

Data quality is ‘highly unreliable’ to be polite. Breach dumps are often annoyingly duplicated, hopelessly outdated, trickily manipulated, or deliberately seeded with false facts. Financially motivated actors frequently distribute misleading datasets. At worst, you might end up involved in a particularly icky scam. At best, the overall signal-to-noise ratio can reach a hair-tearing level. Be patient.

Not Everything is Verifiable

So you have that ‘highly unreliable’ data. It might never become reliable. Attribution and validation are inherently limited on the Dark Web, where anonymisation layers and restricted visibility are the whole point. So much activity occurs behind closed doors - in closed networks or private exchanges - that datasets can’t always be corroborated or independently verified (outside of our dreams). Manage your expectations.

Seeing Things You Can’t Unsee

If you work recklessly in DARKInt, you’re playing psychological Russian roulette. You may encounter material that is disturbing, illegal, or just deeply distressing; content that stays with you long after you’ve closed TOR. When people are anonymous, they showcase the worst things humanity can do to each other. Even if you do everything right, you can end up seeing something deeply wrong. Have caution.

Key Takeaways

Our journey through the Web’s dark side is coming to an end. You should now know:

• All DARKINT is OSINT, but not all OSINT is DARKINT

• The tools beginners need to go web spelunking

• How to bring dark data into the light

• … and why the Dark Web isn’t where the unicorns live.

See you next issue, investigators!

🏁 New CTF Challenge Live - Covert Communication

A new CTF challenge has been posted on our CTF website. This week’s challenge involves analyzing a covert communications channel used by a suspected intelligence operative and finding the name of the location.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Dark Web DB” required participants to investigate a suspected data breach involving Quick, where a threat actor allegedly published a customer database on the dark web and uncover key details about the publication.

To solve the challenge, we need:

1. Copy & paste the onion link into Wayback Machine.

2. Then we filter the results by date and select 06 March of 2026. We get a result for 06 March 2026 at 08:01:04.

3. We click on it, looking at the forum, on the right corner, we can see a post regarding a french and Belgian database.

4. It says that it was published 10 mins ago, we can also see the username of the threat actor who published it, which is: sarkstic.

5. Knowing that the forum was crawled at 08:01:04 and that the post says 10 mins ago, the post was made at 07:51:04.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 103 and 104 of The OSINT Newsletter and focuses on two distinct but complementary areas: understanding the Dark Web as an intelligence source, and using live traffic data and cameras to build real-time situational awareness.

In Episode 17 of The OSINT Podcast, host Jake Creps opens with a foundational primer on Dark Web intelligence - or DARKINT. He breaks down the difference between the surface, deep, and dark web, explains how onion browsers and hidden services work, and outlines what investigators are likely to encounter when they go looking: breach dumps, criminal forums, paste sites, and shared credentials.

Jake covers the key distinction between OSINT and DARKINT - all DARKINT is OSINT, but not all OSINT is DARKINT - and explains why investigators combine both to build a complete picture of a target. He also addresses the compliance considerations that come with handling data sourced from the shadowy side of the net.

The episode then shifts to something more grounded - literally. Jake walks through how live traffic data can be used to gain situational awareness around a specific location or event. Starting with familiar tools like Google Maps and Waze, he explains how investigators can layer incident data, traffic flow, and police sightings before moving into more technical territory: the MapQuest Traffic API, the unofficial Waze API, and how to fuse multiple data sources into a single, custom solution.

From there, Jake covers live traffic camera feeds - manual methods via Department of Transportation sites, and API-based options like Road511 and Vizzion that allow investigators to build scalable, multi-location monitoring pipelines. The episode closes with a look at an unexpected bonus data source: rideshare apps, and the real-time vehicle location data sitting inside their public-facing interfaces.

Highlights include:

🧅 Dark Web 101 – surface, deep, and dark web explained, how onion browsers and hidden services work, and why Dark Web users are like ogres.

🕵️ DARKINT Data Types – breach dumps, criminal forums, paste sites, and what each means for an OSINT investigation.

🚦 Live Traffic Intelligence – using Google Maps, Waze, MapQuest API, and the unofficial Waze API to monitor incidents, road closures, and traffic flow in areas of interest.

📹 Traffic Camera Feeds – how to aggregate live camera feeds manually and at scale using Road511, Vizzion, and scraping methods.

The best investigators know how to follow the data wherever it leads - even into the dark, or down the road. Episode 17 shows you how to do both.

References

• OSINT Newsletter – Issue 103

• OSINT Newsletter – Issue 104

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ OSINT and the Dark Web: Part One

Let’s get started. ⬇️

OSINT News

📰 3 Basic but Overlooked Intelligence Analysis Techniques

Plot it on a map, lay it out over time, or group it by theme. Simple moves that surface patterns, gaps, and what matters without collecting anything new.

Read on LinkedIn…

🎩 H/T: Paul Prouse

📰 Mining China’s ‘Little Red Book’ for Open Source Gold

A breakdown of how Xiaohongshu can be used for investigations, from diaspora activity to censorship patterns, plus practical tips for search, language, and preserving content before it disappears.

Read on Bellingcat…

🎩 H/T: Chu Yang

📰 Hundreds of Fake Pro-Trump Avatars Emerge on Social Media

An investigation finds networks of AI-generated avatars posting pro-Trump content across major platforms, blending spam, engagement farming, and political messaging at scale.

Read on The New York Times… | No Paywall

🎩 H/T: Tiffany Hsu

OSINT Tools

🔎 CoJournalist

coJournalist lets reporters deploy AI “scouts” to track pages, social accounts, and public records, then distills updates into structured, cite-ready leads.

Web App

🎩 H/T: Tom Vaillan

🔎 Snapchat Bitmoji History

A simple tool that pulls past Bitmoji versions from a Snap profile and displays them in one place, building on earlier research and tooling.

Bookmarklet

🎩 H/T: Micah Hoffman

🔎 ImageWhisperer

ImageWhisperer analyzes uploaded media for AI generation and manipulation signals, producing a single verdict with evidence across multiple detection models.

Web App

🎩 H/T: Henk Van Ess

🏁 New CTF Challenge Live - The Dark Web DB

A new CTF challenge has been posted on our CTF website. This week’s challenge involves identifying a threat actor who published a database allegedly belonging to a French and Belgian fast-food chain “Quick” on the Dark Web. Your objective is to find the actor’s username and determine the exact timestamp of the original publication.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Crowd Control” where participants needed to estimate the number of people present in an auditorium by using a specific AI tool available publicly.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Gathering OSINT from Live Traffic: Datasets and Cameras

• Traffic datasets and live cameras give you situational awareness into areas of interest for an investigation. Whether it’s business continuity, executive protection, global travel, or something niche, this issue breaks down the options available to you in an actionable plan.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• What the Dark Web is

• The difference between surface, deep and dark web

• The kinds of data you’ll find

• OSINT vs. DARKINT

• …and why Dark Web users are like onions.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ OSINT Methods for Archiving and Searching Video by Keyword

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

While OSINT operates out in the open - it is open source intelligence, after all - some of the most significant data lurks in the dark corners of the internet. So this time, we’re getting shady with it. Dark Web intelligence (or DARKINT) is the hidden side of OSINT. It sounds dangerous; but it’s perfectly safe to step into the gloom if you know how. Let’s begin our two-issue trip into the shadows with an overview of Dark Web OSINT. In Part One, we’ll cover:

• What the Dark Web is

• The difference between surface, deep and dark web

• The kinds of data you’ll find

• OSINT vs. DARKINT

• …and why Dark Web users are like onions.

Let’s go dark.

What is the Dark Web?

The internet looks a little like an iceberg. It’s divided into multiple layers: the surface web at the top, the dark web at the bottom, and the deep web in the middle.

• Surface Web: The normie ”internet”. The stuff you use every day, that is indexed by conventional search engines (Google, Bing etc.), and easily searchable.

• Deep Web: Also known as the “invisible web” or “hidden web’. Unindexed and not easily searchable, but still accessible without a specialised browser. Content on the deep web includes online banking services, private networks and corporate systems. It makes up around 90% of the internet.

• Dark Web: Unindexed, encrypted, and only accessible with specialised tools like onion browsers. The Dark Web makes up somewhere between 1% and 6% of the internet; and unlike its deep cousin, it’s always anonymised. Data found on this layer is known as dark web intelligence (DARKINT).

The important thing to remember about the Dark Web is that it’s not a single place; it’s a collection of anonymous websites hosted on encrypted networks. Some of these networks play host to financial fraudsters, terrorist cells, CSAM, drug dealing and weapons sales.

But - despite the scare stories - not everything on the dark web is dodgy. Although many criminals do ply their wares on the internet’s dark side, it also has legitimate privacy-driven and anti-censorship use cases. For example, even major news outlets mirror their sites on the Dark Web, to give citizens secret access under harsh state censorship.

Onion Browsers and Hidden Services

To access the Dark Web, you’ll need special tools. Enter TOR: short for The Onion Router. Onion browsers like TOR are too complicated to explain in detail here; but they basically work by encrypting your connections through multiple layers - like the skin of an onion. Each layer only knows part of the journey, making it extremely difficult to trace your activities. What makes the Dark Web a-peel-ing (sorry) to its users is anonymity; and onion browsers have this built-in.

Meanwhile, websites on the Dark Web use .onion domains, too, meaning both the user and the host are completely obscured. These sites are officially called ‘hidden services’ - and without them, there’s no Dark Web.

Hosted within the TOR network, hidden services work similarly; both user and host build encrypted connections instead of linking up directly. Each hidden service will send out a descriptor on the TOR network, that’s discoverable to all users that know the .onion address. When users gain access to the site, they actually go to this rendezvous point - so neither side knows each other’s real IP. This process means mutual anonymity for everybody involved.

So in Shrek terms, Dark Web users are the ogres of the internet. They’ve got layers.

DARKINT: What Will You Find on the Dark Web?

From an OSINT perspective, the most important part of the Dark Web will always be the data we meet along the way. But what data types can you expect to find on the shadowy side of the net? Here’s what’s usually lurking down there.

Data Leaks and Breach Dumps

One of the most valuable (and most common) forms of DARKINT is the good old breach dump. Compromised data - leaked logins, for example - proliferates all over the Dark Web. You can find:

• Email and password combinations

• Usernames and aliases

• Phone and mobile numbers

The boon with breach dumps is they often “package” multiple data points together; terrible for the subjects’ anonymity, but perfect for OSINT pros piecing together an identity profile. These datasets can even be traded, reused or repackaged across multiple Dark Web platforms. However, it’s important to bear in mind the compliance problem when handling potentially dirty data.

Forums and Marketplaces

Remember the fraud, drugs and guns we discussed earlier? Those Dark Web forums and marketplaces are central to the hidden net’s ecosystem; although they’re dangerous and damaging for the offline world, they allow OSINT investigators to catch bad guys in the act. Cybercriminal activity can include:

• Discussion of terrorist activities

• Organising financial fraud

• Buying and selling personal data

• “Service” marketplaces (drugs, guns, porn etc)

Even though the Dark Web is anonymised, it can still provide data that unmasks serious criminals. Many investigations have been cracked with DARKINT - exposing heinous offenders including child sexual abusers.

Paste Sites and Shared Credential

Paste sites - like Pastebin - are social media platforms that allow their users to dump large quantities of plain-text data online. They were created as innocent spaces for coders to share snippets of work, but have become increasingly popular with threat actors as a staging ground for dangerous activity.

These are often used to share sensitive information from stolen credit card details, to malware, to exploit code. Although they aren’t often persistent, they can still be full of data that gets widely distributed - data that can also be crucial for OSINT.

OSINT vs DARKINT

All DARKINT is OSINT, but not all OSINT is DARKINT. OSINT includes the publicly accessible, indexed or easily reachable by the normie-net data. Meanwhile, DARKINT is just the hidden, encrypted data that only specialised Dark Web tools can dig up.

The question remains, however: why risk digging into DARKINT at all? Surely - unless you’re fighting cybercrime - the Dark Web is more risk than reward? Well, whilst OSINT tells you what’s going on out in public, DARKINT exposes what netizens intentionally work to hide. In practice, most investigators will combine OSINT and DARKINT to find all the data they need.

Key Takeaways

So, now you’ve taken your first steps into the shadowy side of the internet known as the Dark Web. You should now know:

• The Internet is like an iceberg - 90% is below the surface

• The Dark Web isn’t all dodgy; it does have legitimate uses

• All DARKINT is OSINT, but not all OSINT is DARKINT

• … and DARKINT investigators are like onions - they have layers.

See you next issue, investigators!

⭐ Sponsor: SockPuppet.io

SockPuppet delivers secure, isolated environments with persistent virtual desktops and phones, real carrier-based SMS for OTPs, and residential IP connectivity—selectable from hundreds of locations. All accessible through a simple web interface that scales as your investigations grow.

Visit SockPuppet.io to empower your investigations with technology trusted by intelligence professionals.

🏁 New CTF Challenge Live - Crowd Control

A new CTF challenge has been posted on our CTF website. This week’s challenge involves estimating the number of people in a photograph from the 2024 NATO Summit using a specific tool.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Digital Footprints” where participants needed to identify the domains linked to a specific email address using only OSINT techniques.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 101 and 102 of The OSINT Newsletter and focuses on two practical areas of modern OSINT: mapping a target’s digital footprint using a comprehensive open-source framework, and extracting intelligence from video content at scale.

In Episode 16 of The OSINT Podcast, host Jake Creps opens with a deep dive into TheBigBrother, a GitHub-based OSINT framework that consolidates username enumeration, reverse image searching, network scanning, dark web lookups, EXIF extraction, crypto tracing, and more into a single tool. Jake walks through setup, core modules, and the real investigative value it offers - from identity correlation and social media pivoting to red teaming and privacy audits.

He then moves into one of the more underrated challenges in OSINT: working with video. Jake breaks down how to extract transcripts from YouTube and TikTok using tools like YouTube Transcript API and TokScript, and explains how to scale that process across dozens or hundreds of videos using open-source libraries and lightweight custom tooling.

Once video content is converted to text, the episode shows how to make it searchable - combining local search methods, Obsidian vaults, and LLMs to analyse transcripts at scale and produce actionable intelligence outputs.

Along the way, the episode reinforces a core principle: tools support collection, but intelligence requires analysis. Knowing how to build the pipeline is only half the work - knowing what to do with the output is what separates a collection exercise from actual OSINT.

Highlights include:

🔍 TheBigBrother Deep Dive – a full walkthrough of the framework’s modules including Profiler, Footprint, Net Scan, Dark Web, EXIF, Dorks, and Sky Radar, with practical use cases for each.

🎥 Video Transcript Extraction – how to pull transcripts from YouTube and TikTok one at a time and at scale using YouTube Transcript API, TokScript, and the Summarize library.

📂 Searching at Scale – combining transcribed video content with local search tools, Obsidian, and LLMs to surface patterns and produce intelligence reports.

Whether you’re tracing a username across the internet or digging through hours of video evidence, Episode 16 gives you the tools and workflow to do it efficiently.

References

• OSINT Newsletter – Issue 101

• OSINT Newsletter – Issue 102

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ A deep dive into TheBigBrother, a comprehensive OSINT framework

Let’s get started. ⬇️

OSINT News

📰 Geolocating Taliban in the Afghan Desert

Ben walks you through a recent investigation he did in the Afghan desert. He steps through how he identified a base, tracked a flight, located a soldier drop off point, finding a dune strike location, and more.

Read on LinkedIn… | YouTube

🎩 H/T: Benjamin Strick

📰 How OSINT Verifies Viral Claims During Wartime Chaos

This video shows how to analyze a viral Reddit claim that Iran bombed its own girls’ school by identifying manipulation signals, evaluating online actors and naming patterns, comparing search results, and verifying wartime claims using government sources, fact-checkers, verification outlets, and cross-model AI.

Watch on YouTube…

🎩 H/T: Kirby Plessas

📰 How Wildlife Traffickers Are Using Coded Language to Sell Protected Animals On Facebook

Foeke walks through how to identify coded language on Facebook Marketplace that indicates the sale of protected animals, including screenshots and other evidence collected.

Read on Bellingcat…

🎩 H/T: Foeke Postma

OSINT Tools

🔎 OSINT Rack

OSINT Rack is a collection of OSINT tools categorized by use case, blog posts, courses, books, events, and more.

Web App

🎩 H/T: Mario Santella

🔎 Tor Node Archive

Tod Node Archive gives you insight into the world of Tor Nodes with a search engine, downloadable dataset, and a changelog.

Web App/Dataset

🎩 H/T:

🔎 CrowdCounter

CrowdCounter estimates how many people are in a photo, saving you the time it takes to count manually. Too bad it doesn’t have an API, Henk!

Web App

🎩 H/T: Henk Van Ess

🏁 New CTF Challenge Live - Digital Footprints

A new CTF challenge has been posted on our CTF website. This week’s challenge involves identifying multiple domains linked to a well-known threat actor using only its email address.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Tracing the Source” where participants needed to identify the username of the Telegram channel that published a promotional message and the name of the telegram channel that was promoted in that message, using only OSINT techniques.

Solution WU :

To solve this challenge, we need to use https://deaddrop.theosintconsultants.com/ to locate the original Telegram message.

By enclosing the message in quotation marks for an exact search (e.g., (”نات ابعثولي الخاص...”) and applying a date filter corresponding to the timestamp (From: 2026-04-01 To: 2026-04-01), we were able to pinpoint a search result that displayed:

• The username of the channel that posted the message

• The content of the message

• The username of the promoted channel

This method allowed us to identify the Telegram channel solely using the message content and the timestamp, as required by the challenge.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ OSINT Methods for Archiving and Searching Video by Keyword

• Learn tools, tactics, and techniques for processing information from videos in a way that’s searchable at scale.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

🎁 It’s been a while since a paid subscription of The OSINT Newsletter went on sale. Recently, the newsletter crossed the 32,000 subscriber mark. To celebrate, here’s a 50% off discount.

50% Off

Here’s what you’ll get access to by upgrading now:

• Access to the entire newsletter archive of paid content with over 100 issues of tools, tactics, and techniques.

• Continuously improve your skill set with the latest OSINT methods to discover more, be more efficient, and bring more value to your organization or mission.

Thanks for your support.

Click here to get 50% off The OSINT Newsletter👇

Get Better at OSINT for $40

🚨 This is the first post in the return of OSINT Tool Tuesday, an ongoing series of tool review deep dives aimed at helping investigators improve their tool kit. I understand it’s Thursday… we will be publishing these on Tuesdays moving forward!

TheBigBrother

TheBigBrother is a GitHub project that offers a comprehensive OSINT framework designed to investigate an individual’s digital footprint across the internet, enabling users to gather information such as associated usernames, social media profiles, metadata, and other publicly available intelligence. Essentially, it’s a username tool on steroids.

🎩 H/T: Chadi0x

TheBigBrother allows you to search primarily by username, while also supporting a range of modules including email lookups, domain intelligence, metadata extraction (EXIF), and cryptocurrency tracing.

It brings together multiple OSINT techniques into a single toolkit, making it a valuable resource for investigations across law enforcement, cyber security, corporate intelligence, executive protection, and online threat analysis.

In this guide, I’ll walk you through how to set up The Big Brother, how to use the tool, practical use cases you can apply it to, and key pivot points you can leverage from the information it uncovers.

Let’s get started. ⬇️

Setup

Recommended = Docker Method

The easiest way to get The Big Brother up and running is by using Docker, which handles all dependencies and environment configuration for you.

Prerequisites

Before you begin, make sure you have installed:

• Docker

• Docker Compose

You can verify installation with by typing these commands into your terminal:

docker --version

docker-compose --version

Step 1: Clone the Repository

On your terminal, run:

git clone https://github.com/chadi0x/TheBigBrother.git

cd the-big-brother

Step 2: Launch TheBigBrother

Run the following command to build and start the tool:

docker-compose up --build

This will:

• Build the Docker image

• Install all required dependencies

• Launch The Big Brother environment

MANUAL SETUP

If you prefer not to use Docker, you can install and run The Big Brother locally using Python.

Prerequisites

Make sure the following are installed:

• Python 3.8+

• Git

• pip

You can verify with:

python3 --version

git --version

pip3 --version

Linux/MacOS Setup

1. Create a virtual environment

python3 -m venv venv

source venv/bin/activate

2. Install Dependencies

pip install -r requirements.txt

playwright install chromium

3. Launch the Application

python -m uvicorn the_big_brother.gui.main:app --port 8000

Windows Setup

1. Install Dependencies

pip install -r requirements.txt

playwright install chromium

2. Launch the Application

python -m uvicorn the_big_brother.gui.main:app --port 8000

Next Steps:

Once running, open your browser and go to:

http://localhost:8000

You’ll see the The Big Brother web interface, where you can:

• Enter usernames

• Run modules

• View results visually

Now, let’s dive into TheBigBrother usage and use cases.

Usage

Now that we’ve covered the basics, let’s dive into some of the core modules within The Big Brother and how you can use them in OSINT investigations.

Profiler

The Profiler module is designed to build a high-level overview of a target by aggregating information from multiple sources into a single profile.

This can include:

• Usernames

• Social media accounts

• General online presence

Example:

python3 thebigbrother.py --profiler testusername

This will produce a consolidated view of the target, helping you quickly understand who you’re dealing with.

On the web interface, you can enter a target identifier (username, email address, phone number). Associated profile images will appear in the blank space above.

🗒️ This is a great starting point before diving deeper into specific modules.

Footprint

The Footprint module focuses on identifying where a username exists across the internet.

Example:

python3 thebigbrother.py --footprint testusername

This will:

• Enumerate accounts across platforms

• Highlight reused usernames

• Map out digital presence

As you can see, our test on the web interface brought up 7 platforms linked to our email address.

🗒️ Use this to identify pivot points into other tools or manual investigation.

Net Scan

The Net Scan module is used for gathering network-level intelligence.

Example:

python3 thebigbrother.py --netscan example.com

This may return:

• IP addresses

• Open ports

• Hosting/provider information

Our YouTube example on the web interface brought up the below network information:

🗒️ Useful for infrastructure mapping and identifying related assets.

Dark Web

The Dark Web module attempts to identify whether a target appears in:

• Data breaches

• Leaked databases

• Dark web mentions

Example:

python3 thebigbrother.py --darkweb test@email.com

This can help uncover:

• Compromised credentials

• Exposure risks

• Historical leaks

You can enter a keyword e.g. a leak or database into the web interface search bar as below:

Crypto

The Crypto module is used to analyse cryptocurrency wallets and transactions.

Example:

python3 thebigbrother.py --crypto <wallet_address>

This may reveal:

• Transaction history

• Wallet activity

• Links to other wallets

On the web interface, simply enter the wallet address in question into the search bar below (bitcoin or ethereum).

🗒️ Particularly useful in fraud, ransomware, or financial investigations.

SSL

The SSL module gathers intelligence from SSL certificates.

Example:

python3 thebigbrother.py --ssl example.com

This can uncover:

• Associated domains

• Certificate details

• Infrastructure links

🗒️ Great for finding hidden or related domains tied to a target.

EXIF

The EXIF module extracts metadata from images.

Example:

python3 thebigbrother.py --exif image.jpg

This may include:

• GPS coordinates

• Device information

• Date/time data

As in our web interface example, you won’t always get detailed information.

🗒️ Extremely useful when analysing images from social media or leaks.

Dorks

The Dorks module leverages advanced search queries (Google Dorking) to find indexed information about a target.

Example:

python3 thebigbrother.py --dorks testusername

This will generate queries to uncover:

• Public documents

• Exposed data

• Indexed profiles

🗒️ Helps surface information that isn’t easily found through direct searches.

GEOINT

The GEOINT module focuses on geographic intelligence.

Example:

python3 thebigbrother.py --geoint <location_or_image>

This may help:

• Identify locations from images

• Analyse geographic patterns

• Support situational awareness

Our web interface search produced various location insights from various different sources, ideal for corroboration.

🗒️ Useful for uncovering location-based insights from images, videos, and geographic data.

Sky Radar

The Sky Radar module is used for aviation-related intelligence.

Example:

python3 thebigbrother.py --skyradar <flight_or_aircraft>

This can provide:

• Flight tracking data

• Aircraft information

• Movement patterns

🗒️ Useful in niche investigations involving travel, logistics, or tracking assets.

Use Cases

TheBigBrother is essentially a username intelligence + image correlation tool that:

• scans hundreds of platforms (~400+) for usernames

• pulls profile images

• runs automated reverse image searches across multiple engines

That combination is best for identity linking, username pivoting, and avatar-based correlation.

The bottom line? It shines in early-stage investigations, when you’re trying to answer: “Where else does this person exist online?”

Where this tool is actually useful in OSINT:

Identity Correlation/linking accounts

If you start with a username or even just a profile image, you can find matching usernames across platforms, confirm links using reused profile pictures, and cluster accounts belonging to the same person.

Social Media Investigations

The tool accelerates what analysts normally do manually i.e. searching usernames across platforms, comparing profile photos and running reverse image searches separately. With this automated, you can quickly find forgotten/old accounts, identify niche platforms, and uncover behaviour patterns across platforms.

Reverse Image Pivoting

This is, in our opinion, an underrated use of the tool. Essentially, because it auto-runs reverse image searches, you can detect reused avatars across multiple accounts, spot fake personas using stock/AI images, and find the original source of a profile image. This is useful for catfish investigations, scammer tracking, or simply verifying whether a persona is real.

Threat Intelligence / Cyber Investigations

In cyber threat intel, attackers often reuse usernames, avatars, and branding. TheBigBrother helps pivot from a known handle to a broader footprint, and can identify presence on GitHub, forums, marketplaces, and social platforms.

Red Teaming / Privacy Audits

Security teams can use this tool to understand what an attacker could discover publicly via simulating how easily identities can be correlated and identifying OPSEC failures such as username and avatar reuse.

🏁 New CTF Challenge Live - The Insider

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on Local search methods. Your task is to identify the username of an insider who plans to target a company with ransomware and also determine the targeted company name.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Hacktivist”.

Solution WU :

Using Twitter Viewer - View Twitter Without Account and typing the username of the X account “RepresaliaNet” we could browse the posts made by the threat actor without having an account.

While browsing the posts, we could notice that one of the posts published on Nov 28, 2024 contains the username : YourZer321-PVC

Scrolling further, we could see that the first post date was : 25/09/2024

To find the country we needed to have an account (Sock Puppet). By clicking on “about this account”, we could see that the account was based in : Uzbekistan

✅ That’s all for this issue of The OSINT Newsletter. Thanks for reading and supporting this publication with a paid subscription.

💡 Remember OSINT != tools. Tools help you plan and collect data but the result of that tool is not OSINT. You must analyze, verify, receive feedback, refine, and produce a final, actionable product of value before it can be called intelligence.

This episode covers Issues 99 and 100 of The OSINT Newsletter and focuses on two essential aspects of modern OSINT: processing large datasets locally using efficient tools, and developing your investigative skill set through consistent, ethical practice.

In Episode 15 of The OSINT Podcast, host Jake Creps explores offline OSINT from first principles, breaking down why traditional tools fail when dealing with investigative scale data. The episode explains how local search tools operate without loading entire datasets into memory, allowing investigators to extract key information from massive files quickly and efficiently.

Jake walks through core command line techniques used in local analysis, including grep for pattern matching, csvkit for structured data filtering, and tools like awk and jq for processing and transforming datasets. By combining these tools, investigators can build lightweight pipelines that turn raw data into usable intelligence.

The episode then shifts from tools to mindset, focusing on how investigators actually develop their skill set over time. Rather than relying on theory alone, Jake outlines practical, repeatable methods for improving as an OSINT practitioner.

He explores how collecting and sharing tools builds familiarity with the ecosystem, why writing and teaching methods reinforces understanding, and how small scale investigations such as analysing spam emails can provide valuable repetitions without ethical risk.

Jake also discusses the importance of applying OSINT for real world impact, highlighting opportunities to support non profit investigations and contribute to meaningful causes. Alongside this, the episode covers personal OPSEC, showing how investigators can use their own techniques to audit and reduce their digital footprint.

Along the way, Jake reinforces a core principle of OSINT: tools enable collection, but intelligence comes from analysis. Mastery comes from repetition, not novelty.

Highlights include:

📂 Offline OSINT – Working with Local Data – how to search and analyse massive datasets using tools like grep, csvkit, awk, and jq without overwhelming your system.

🧠 Building Your OSINT Skill Set – practical methods for improving as an investigator through repetition, teaching, tool discovery, and low risk investigations.

🛠 Tools in Focus – grep for fast pattern matching, csvkit for structured data handling, and command line workflows for scalable data processing.

Throughout the episode, the focus stays on practical investigative thinking. Data reveals patterns. Practice builds intuition. And the best investigators know how to combine both.

If you want to improve how you handle large datasets and develop your OSINT skill set in a structured, ethical way, Episode 15 is for you.

References

• OSINT Newsletter – Issue 99

• OSINT Newsletter – Issue 100

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Offline OSINT: Local Search Tools and Methods

Let’s get started. ⬇️

OSINT News

📰 Public GitHub Repositories from News Organizations

Open Journalism delivers a biweekly update of open source projects published by news organizations. Sometimes tools, datasets, or other useful bits of information, make sure show your support for this great project.

Read on Open Journalism…

🎩 H/T: Scott Klein

📰 Changes in Google Programmable Search Engines

There are changes coming to custom search engines in Google. They will no longer have the option to do a full web. Many OSINT tools are built on the back of custom search engines. If you use any, it might be time to diversify.

Read on LinkedIn…

🎩 H/T: Henri Beek

📰 Open-source intelligence shuts down

This article highlights something I’ve mentioned often, becoming too reliant on datasets being available and eventually being disrupted by changes. Satellite images of the area affected in the ongoing war in Iran have been blocked or removed. Many research projects rely on regular access to these images for humanitarian purposes or otherwise.

Read on The Economist… | No Paywall

OSINT Tools

🔎 WireTapper

This is a niche tool. It may even be somewhat of a grey tool. Using the Wigle, WPA Sec, OpenCellID, and Shodan API keys, WireTapper provides insight into location-based technical data from passive sources.

GitHub

🎩 H/T: h9zdev

🔎 Deaddrop

Another Telegram search engine. Always build redundancy. Search for content within a scraped Telegram archive and find information that isn’t indexed by search engines.

Web App | LinkedIn

🎩 H/T: The OSINT Consultants

🔎 LootBin

Termbin is like Pastebin but through the command line. LootBin helps you gather information from Termbin, another source not indexed by search engines.

GitHub

🎩 H/T: gustqvo432

Note: There seems to be some suspicious code in the Windows version of this tool. Do not install it. Instead, understand the concept educationally.

⭐ Sponsor: SockPuppet.io

SockPuppet delivers secure, isolated environments with persistent virtual desktops and phones, real carrier-based SMS for OTPs, and residential IP connectivity—selectable from hundreds of locations. All accessible through a simple web interface that scales as your investigations grow.

Visit SockPuppet.io to empower your investigations with technology trusted by intelligence professionals.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡5 Ethical Ways to Develop Your OSINT Skill Set

• Developing an OSINT skill set is valuable for a variety of roles. I’ve seen OSINT used everywhere from recruiting for HR departments to tracking Elon Musk’s airplane. If you’re looking for ways to build your skill set ethically, you’ve come to the right place. If you practice all 5 methods even once, you’ll be noticeably better.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• How to search large datasets locally

• Command-line search methods

• Pro tools for processing structured data

• …and everything you need to know about analysing large files.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Collecting Information from Local Sources in an OSINT Investigation

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

Offline OSINT: Local Search Tools and Methods

Not all OSINT happens on the internet. Sometimes the most valuable insights come from something you’ve already got downloaded; and every OSINT investigator has heaps of exported spreadsheets and datasets on file to work with. But when you’re archiving everything, it’s easy for your collection of documents - or even the size of the datasets themselves - to get huge.

But processing data with the wrong tools can be a real drag. If you’ve ever tried to open a 3GB CSV file in Excel, you already know the pain. Standard office tools simply weren’t built for investigative-scale datasets - and that’s where local device search tools come in.

Let’s get into local search.

What is Local Search?

OSINT investigators often end up working with big datasets. Breach dumps, scrapes, exports and archives can mount up, with a single file easily containing millions of rows. A rookie investigator will usually try to open these with traditional spreadsheet software (think Microsoft Excel); only to find it crashes instantly or slows to a stop. In turn, searching through a dataset is even more of a struggle. It’s possible, but it’s extremely painful.

Local device search tools are made to solve this problem. They scan the files directly, without loading everything into memory and making themselves sluggish. Instead of manually scrolling through data, you can extract exactly what you need in seconds - like pulling from a digital library catalog, rather than searching shelf-by-shelf.

Searching vs. Processing: How to Handle Large Files

The tools we’re about to talk about are all naturals at searching big files. But what if you want to do more than just search? Then you need processing power. If you want to:

• Extract all email domains from a breach file

• Identify the most common usernames in a dataset

• Count how many times a specific organisation appears

• Separate valid data from corrupted rows

Then clearly, just search won’t cut it. Luckily, command-line processing tools excel at these tasks because they’re designed for automation and scale. Many investigators will even combine the tools we’re about to discuss together; mixing and matching methods and modules lets you build data- processing pipelines that perfectly fit your needs.

For example, you might search up a keyword with grep, then use awk to count the matches. If it sounds like we’re talking nonsense… let’s learn what the grep we’re on about.

grep: The Text Search Tool

grep (short for global regular expression print) is one of the most popular local device search tools in the OSINT community. It’s a Unix command-based search, localised to your device; grep scans text files for matching patterns, and returns every line containing your query.

It’s fast, simple, and extremely powerful when working with large text-based datasets. The perfect way to surface those pesky data points when they’re swamped. Use grep to search files for:

• Email addresses

• Phone numbers

• Domain names

• Usernames

• Keywords related to your investigation

For example, if you wanted to search a breach file for a particular email address, grep could scan millions of rows for it almost instantly.

On top of this, grep can also do pattern matching. This means you can search for entire categories of data, too, as well as exact words; any email address ending in a particular domain, for instance. Because it reads line-by-line rather than loading files fully, grep can comfortably handle big datasets that would blow up normal apps.

csvkit: Making Sense of Spreadsheets

Most OSINT datasets are stored as CSV files. CSV stands for “comma separated values,” and it’s one of the most common formats for structured data exports. Breach databases, scraped content, and research datasets are frequently distributed this way. Usually, CSV means spreadsheets; but even programs that don’t seem like spreadsheet apps will often offer CSV as an output file type.

But CSV files grow big, fast. To deal with this, you need a tool specially designed to deal with CSVs - without opening them and overloading your machine. csvkit is such a tool; it works from the command line to search, filter, and analyse spreadsheets without opening. Instead of scrolling through millions of rows, you can:

• View column headers instantly

• Filter rows based on conditions

• Extract specific columns

• Convert files into other (more manageable) formats

For example, if a sheet has three columns full of usernames, IPs, and emails, csvkit allows you to isolate just the column you need and ignore the rest. Makes it much easier to focus on each different data point methodically without getting distracted.

More Tools for Local Data

Beyond grep and csvkit, several other lower-case-named tools are popular in pro OSINT workflows. They might have a disregard for grammar rules, but they’re great at handling big datasets - searching, processing, analysing, and more.

• ripgrep: ripgrep is designed to make grep commands even quicker and easier with little changes; automatically ignoring irrelevant files, like binary data for example. If you have a whole folder of datasets, ripgrep will whip through that entire directory structure - stat.

• awk: like grep and sed, awk is a command-line filter. More general than grep, it’s often used for processing structured data - and can handle different commands and modifications than its cousins.

• jq: described as “sed for JSON data”. Sometimes, datasets are stored in JSON format rather than CSV, making them much more difficult to read manually. jq can search and pull out specific fields from JSON data turning messy machine-readable files into human-readable intel.

• SQLite: When a dataset gets super big, it’s sometimes easier to import it into a lightweight database than leave it standalone. SQLite lets you do this. Plus, it’s already the most used database engine in the world.

Example: Local Search in Action

this time, imagine you are a professional osint analyst, working with a dataset containing millions of logins. but something seems wrong. immediately, you realise - all the data appears in lowercase.

somebody has stolen all the capital letters, and the issue is spreading. you need to find out when, and how.

step one: search

first you need to confirm that the capitals have gone. using grep, you scan the dataset for a username you know should be capitalised. Here, every instance appears in lowercase - confirming the capitals aren’t where they should be.

step two: process

next, you process the data for evidence. you use awk to analyse patterns across the dataset - counting the examples of that de-capitalised username, and identifying other entries that should have been capitalised. you begin to question the thief’s motives.

step three: structured analysis

you isolate each column with cvskit, and work through each methodically: usernames, email addresses, dates, checking each for formatting issues. the loss has occurred consistently across all fields. seeing the scale of the crime disturbs you.

step four: check other formats

Finally, you run jq on an older version of your dataset. these files still contain capital letters - meaning the dataset was just corrupted during the csv export.

as for the issue spreading… you need a new keyboard.

Key Takeaways

So, now you know the basics of local search. By now you should be able to:

• Search: Use commands to find specific data points

• Process: Execute more complex commands to make your life easier

• Analyse: Work with tools to identify patterns and pivot

• type: ignore automatic capitalisation and write in lower case

See you next time, investigators!

🏁 New CTF Challenge Live - The Hacktivist (2 Parts)

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on identifying the hacker username of a threat actor, the date of their first post announcing the start of a cyberattack and the country in which the account is actually operated, using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Trace The IP”. Here is the solution:

Using IP Lookup | Find Your Public IP Address Location and searching for 151.202.95.130 we could see that the IP was linked to several cities : Tuckahoe, Bronxville, New York, Eastchester, Yonkers. Formatting them in alphabetical order gave us : Bronxville, Eastchester, New York, Tuckahoe, Yonkers.

Looking at the ISP we could see that it was Verizon Business.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 97 and 98 of The OSINT Newsletter and focuses on two critical aspects of modern OSINT: understanding how IP addresses reveal the movement of data across the internet, and how investigators can gather intelligence from a specific location even when they are nowhere near it.

In Episode 14 of The OSINT Podcast, host Jake Creps explores IP address OSINT from first principles, explaining how IPs function as the routing system of the internet. The episode walks through the difference between user IPs and server infrastructure, why dynamic IP addresses constantly change hands, and how static infrastructure can reveal patterns behind suspicious activity.

Jake then breaks down several investigative techniques used in IP analysis, including reverse IP lookups, passive DNS research, IP geolocation, and identifying traffic routed through VPNs and Tor nodes. When combined with timestamps and behavioural patterns, these signals allow investigators to reconstruct the path digital activity has taken across networks.

The episode then shifts to a different but equally important challenge: local OSINT investigations. Some investigations require extremely targeted intelligence from a specific city or region. In those cases, investigators must replicate the local internet environment in order to see the same results a local user would.

Jake explores how investigators can use VPNs and browser location manipulation to appear local, allowing search engines, advertisements, and recommendation systems to reveal location specific information. From there, he discusses how to build local intelligence feeds by aggregating small regional publications, government websites, and community sources into a single stream using RSS readers and alerting tools.

The episode also looks at analysing activity around physical locations using Google Maps “Popular Times” data, showing how investigators can detect patterns and unusual activity around businesses or venues without ever being physically present.

Along the way, Jake highlights several useful OSINT tools and resources including Dark Light Viewer, Twitter Viewer, and GeoSentinel, while also touching on developments in AI driven investigations and evolving OPSEC considerations.

As always, the emphasis remains on method over novelty. Infrastructure reveals behaviour. Location reveals context. And the best investigators know how to follow both.

Highlights include:

📦 IP Address OSINT – Following the Packets – how IP addresses function as the routing system of the internet, why dynamic IPs complicate attribution, and how reverse IP lookups and passive DNS can reveal hidden infrastructure.

🌍 Local OSINT Investigations – techniques for collecting intelligence from a specific place remotely using VPNs, browser configuration, local news aggregation, and location specific data sources.

🛠 Tools in Focus – Dark Light Viewer for satellite light comparison, Twitter Viewer for footprint free browsing of X profiles, and GeoSentinel for tracking global movement across maritime and aviation data.

Throughout the episode, the focus stays on practical investigative thinking. Infrastructure creates patterns. Location creates context. And when both are understood together, digital activity becomes much easier to trace.

If you want to strengthen your understanding of IP address investigations and location based intelligence gathering, Episode 14 is for you.

References

OSINT Newsletter – Issue 97

OSINT Newsletter – Issue 98

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Return to Sender: OSINT With IP Addresses

Let’s get started. ⬇️

OSINT News

📰 Exploring a Secret Underground OSINT Marketplace

This issue of The OSINT Insider is a treasure trove of useful information for OSINT practitioners covering topics from new OSINT tools and datasets.

Read on OSINT Insider…

🎩 H/T:

📰 I Built an OSINT Agent Skill to Expose Your Digital Tattoo

OPSEC isn’t just about what you post online, it’s about what happens to the content after you post. This issue of The Secure Circuit covers an OSINT tool that helps you cover your tracks and also find the tracks of others.

Read on The Secure Circuit…

🎩 H/T:

📰 AI for OSINT Investigations: Turning Data Chaos into Intelligence

It’s 2026, AI is here and you’re going to use it whether you want to or not. Generic AI tools like GPT and Gemini may not be great for OSINT; however, AI within OSINT tools is a different story.

Read on Project OSINT…

🎩 H/T:

OSINT Tools

🔎 Dark Light Viewer

Compare nighttime light levels across any location on Earth, across any period from one month to ten years.

GitHub

🎩 H/T: Benjamin Strick

🔎 Twitter Viewer

View a Twitter (X) profile without having to log in. See posts and media without leaving a footprint.

Web App

🔎 GeoSentinel

Track global movement in real team; from maritime to aviation. Review in geospatial tooling.

GitHub

🎩 H/T: H9

Description

Scenario

A potential IP address associated with a French threat actor has been identified. Further investigation is required to determine the ISP name and the cities linked to this IP address in order to support attribution and ongoing analysis.

Challenge Objective

Your task as an OSINT analyst is to find :

• The cities linked to this IP (in alphabetical order).

• The ISP name.

🏁 New CTF Challenge Live - Trace The IP

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on identifying the ISP name and the cities associated with a specific IP address using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Wi-Fi Password”. Participants needed to identify the the password of a suspicious Wi-Fi using only open source intelligence tools and techniques.

Solution:

• Searching for : epstein property Florida on google brings us to the wikipedia page where the address is displayed

• Looking at the address we notice that it’s in Palm Beach

• Using 🔎 p3Wifi Free WiFi map - p3wifi and searching for the Palm Beach area we notice a weird Wi-Fi named SteinStein with the password visible in clear, located in front of a store named LaMuse which is exactly 0.7 miles and 3 minutes away from Epstein’s property when checking it on google maps with itinerary search.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Collecting Information from Local Sources in an OSINT Investigation

• The internet reacts to where you are in the world. You can trick the internet into thinking you’re somewhere else. Once you do that, your entire browsing experience changes. I discuss this, local news aggregation, and mining “Popular times” from Google Maps in this issue of The OSINT Newsletter.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• Introduction to IP addresses.

• How to investigate an IP address.

• A step-by-step process for IP investigation.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Organizing Information and Avoiding Duplication of Effort

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

The internet is like a big mail service. Every time somebody logs into their account, clicks on to a link or loads up a site, the data for that action gets parcelled up and shipped across the web. If domains are street names, IP addresses are the house numbers that actually direct the parcels to the right home. And like regular mail, the whole process leaves a trace behind.

Of course, stealing people’s mail is a felony (and a great punk track) - but that doesn’t mean you can’t get valuable OSINT from tracking its journey. If you know how to read IP addresses, they can tell you where traffic travelled, what infrastructure handled it, and whether someone tried to hide the sender.

In this issue, we’re following the packets. We’ll cover:

• The basics of IP addresses

• How IPs can change (and why that matters)

• Reverse IP lookups

• Geolocation with IPs

• ..plus all about VPNs and Tor traffic.

Now, let’s check the labels.

What Is an IP Address?

An IP address (short for Internet Protocol address), is a numerical identifier assigned to each device or server connected to a network. Think of it like a shipment number. It can either look like:

• IPv4: The old faithful. Appears as four blocks of numbers separated by dots, e.g. 192.168.1.1.

• IPv6: The longer, newer format, becoming increasingly common as the internet runs out of IPv4 space. Appears as eight blocks of numbers separated by colons, e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334

In OSINT terms, you can divide all kinds of IPs into two categories: User IPs, and Server IPs. A user IP belongs to a device connecting to a service. Meanwhile, a server IP belongs to infrastructure hosting websites, apps, or mail networks. Confusing the two is like mistaking a sender’s return address for a warehouse location.

IP addresses aren’t as stable an identifier as email addresses, for instance. But that’s OK; IP address OSINT is less about identifying individuals, and more about mapping the movement of data back to its source. Follow enough parcels, and you’ll find the depot.

Package Redirected: Why IPs Change, and What They Tell You

One of the biggest misconceptions in IP OSINT is assuming that IP addresses are permanent identifiers. Just because IPs are unique, doesn’t mean they can’t move from place to place. So why do IPs change, why does it matter… and once an IP changes, can you trace where it’s been?

Dynamic IP Addresses

Most average-Joe residential IP users are assigned dynamic IPs by their ISP (Internet Service Provider). These can change for a ton of reasons: after a router gets rebooted, for example, when a lease gets refreshed, or just over time. The most important thing to remember is that dynamic IPs get passed around between users. An IP that belonged to one person last month might belong to somebody else now.

Static IP Addresses

Businesses and hosting providers, however, usually use static IPs. These are longer-term allocations, tied to servers and infrastructure semi-permanently (emphasis on semi). However, when you see the same static IP appearing repeatedly, you can be reasonably confident you’re looking at a fixed point.

What IP Addresses Can Tell You

When Google alerts you that some stranger in France is suddenly using your login on an iPhone 12, they’ve gained this intelligence by checking the new French login IP address against the last 10 IPs you logged in from. Clearly, although an IP can’t tell you who did something online, it can tell you where, and with what device.

Overall, what IPs show you is the circumstances at the time an online activity took place. Was a login coming from a residential ISP? A data centre? A VPN provider? Or did multiple compromised accounts route through the same infrastructure - then suddenly switch to a totally different address? When paired with timestamps, old IPs help reconstruct movement patterns, and build up a theoretical narrative; like reading old postmarks to imagine a package’s journey.

Delivery Instructions: How to Investigate an IP

So, now you know why it’s worth investigating IPs, we can get to work on how. Some involve pro OSINT tools, but others are significantly more lo-fi. Let’s get into our favourite tips, tricks and techniques for investigating IP addresses.

Reverse IP Lookups

Reverse IP lookup - like reverse image search - flips the direction. Instead of asking ‘what IP does this domain use?’, you ask ‘what other domains are hosted on this IP?’. This is super useful when investigating scam networks and phishing campaigns.

To do it, plug the target IP into a passive DNS database, or an OSINT platform that supports reverse lookup (like Maltego). The results will bring up any domains associated with that address.

Hosting and Registration

Next, look for suspicious infrastructure. This could look like:

• Multiple domains sharing the same hosting

• Sudden bursts of activity (registering lots of domains at once, then none at all)

• Thematic similarities (crypto, “investment”, fake law firms etc.)

For example, if a single server IP hosts ten nearly identical “investment opportunity” websites registered within weeks of each other - especially on the same cheap VPS - then that’s a strong sign of unsavoury activity. Look up hosting and registration details with WhoIs searching.

That said, context still rules. Large hosting providers often place hundreds of legitimate websites on the same shared IP. In those cases, you’re looking at shared warehouse space, not necessarily shared ownership.

Geolocation

We covered IP geolocation a little in the last issue; it’s a way of identifying the country and often the city an IP is hosted in. It’s often inaccurate, and can’t pinpoint a specific address. So, think of it as narrowing delivery to the right city - not the exact doorstep.

However, it can still be useful - particularly for spotting inconsistencies. If a company claims to operate exclusively in one country but consistently routes traffic through infrastructure in another, for instance. Also look for repeated logins from the same location, and check if that matches with the IP geolocation result.

VPNs (Virtual Private Networks)

VPNs are a blessing and a curse for IP OSINT. When someone uses a VPN, the IP address you see belongs to the VPN provider’s infrastructure - not the user’s original connection. These VPN IPs often resolve to big data centres, too, making it tricky to tie down the user’s actual details.

There are ways to track if somebody’s using a VPN; rapid shifts between locations, for example. This is extremely useful if you need proof that a target is intentionally rerouting their traffic to avoid being detected.

Tor Nodes

Tor also adds another layer of complexity. The IP you see with a Tor browser is the target’s exit node, not the actual origin. Tor exit nodes are also completely public and rotate between users globally; so if you detect one, all it tells you is that the target didn’t want to be tracked. It doesn’t imply malicious intent, but it does tell you the package was deliberately relabelled before delivery.

Example: IP Address OSINT in Action

This time, imagine somebody has been making repeated attempts to log into your Strava account. If successful, they could hopelessly distort your PBs. All you know is that the logins originate from the same IP address. Let’s find out who’s running things.

Step 1: Identify the Owner

A Whois search shows that the login IP is registered to a regional consumer IP; a specific subscriber, on residential broadband. But where, and who?

Step 2: Analyse the Behavior

The IP is fairly consistent - with no jumping locations or ties to known exit nodes. That means the user isn’t attempting to hide their identity. The login attempts are also spaced irregularly, with pauses that resemble manual interaction rather than botting. So this is a real person.

Step 3: Geolocate

Cross-referencing multiple IP geolocation services places the IP consistently in western Ohio, near a cluster of rural towns. You’ve never been to Ohio. And you definitely haven’t been logging into Strava from there. An interesting detail: the region is known for its expansive cornfields.

Step 4: Reverse IP & Domain Check

A reverse IP lookup reveals two domains hosted to that same IP.

The first is a personal blog documenting endurance training experiments; one man pushing himself to run further and further in concentric circles without becoming dizzy.

The second, humanccohio.com, shows groups of runners arranged in geometric formations across harvested fields - what the author calls “human crop circles.” Metadata from the site aligns with the same western Ohio geolocation as the IP.

Step 5: Behavioral Context

The timestamps of the login attempts coincide with posts on the blog discussing “mapping local athlete data” and “identifying high-mileage runners nearby.”

Mystery solved: this is one guy in western Ohio, checking out Strava profiles in an attempt to recruit (or map) local athletes without their knowledge for his ‘human crop circle’ project. Weird.

Key Takeaways

Message delivered - now you know how to do OSINT with IP addresses. You should know:

• How delivery works: An IP is like a house number, it directs the data

• IPs change: Just because an IP is there now, doesn’t mean it’ll stick around

• Check the return address: reverse IP search is your most powerful tool

• Cross-reference everything: corroborate with behaviour to get the full story

See you next week, investigators!

🏁 New CTF Challenge Live - The Wi-Fi Password

A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on finding the password of a weird Wi-Fi using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a GEOINT challenge titled “The Unknown Bridge”.

Looking at the UAV in the image, we could see its number which is 166509.
Using bing browser and searching for “166509 flight” we could find a flight of this UAV on : flightaware.com/live/flight/166509
Looking at the tracking, we could see that it was last seen near Patuxent River MD, we could also notice the same airport as in the image which is Patuxent River (NHK)
On the left side of the airport we could see the same bridge as in the image which is named: Thomas Johnson.
By searching on Google : Patuxent River Bridge, we could see that the full name of the bridge was : Governor Thomas Johnson.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 95 and 96 of The OSINT Newsletter and focuses on two core realities of modern OSINT: why geolocation is one of the most powerful skills an investigator can develop, and why planning and organization separate professionals from amateurs.

In Episode 13 of The OSINT Podcast, host Jake Creps breaks down geolocation OSINT from first principles, showing how digital clues, visual recognition, metadata, and mapping platforms converge to place data in physical space. Alongside that, Jake explores how structured planning, deduplication, and case management dramatically improve investigative efficiency.

The episode also covers OSINT news, emerging risks in AI driven search environments, investigative workflow design, and several practical tools investigators can deploy immediately.

Highlights include:

🌍 Geolocation OSINT: Half Art, Half Science – why placing digital evidence into geographic context is one of the most powerful investigative capabilities, and how visual and technical methods work together.

🛠 Tools in Focus – OSINT Entity Extractor for structured note creation, p3Wifi as a modern alternative to Wigle, ThunderBit for AI assisted scraping, and case management inside Obsidian.

Throughout the episode, the emphasis stays on fundamentals over hype, discipline over distraction, and workflow over chaos. Geolocation is triangulation. Organization is leverage. Planning is speed.

If you want to sharpen your GEOINT skills and build an investigative system that actually scales, Episode 13 is for you.

References

OSINT Newsletter – Issue 95
OSINT Newsletter – Issue 96

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Geolocation, Geolocation, Geolocation: OSINT and Location Analysis

Let’s get started. ⬇️

OSINT News

📰 The State of Online Search: How to Find What You’re Looking For in the Age of AI

Craig talks about changes to the YouTube search functionality, among other things, and how the emergence of AI-first feature functionality will change how we find content online, making many old methods obsolete.

Read on Digital Digging…

🎩 H/T: Craig Silverman

📰 Identifying ‘Less-Lethal’ Weapons Used By DHS Agents in US Immigration Raids and Protests

Visual recognition is a cornerstone skill set for any intelligence professional. The ability to quickly analyze an image and draw upon your experience to quickly identify an object, person, or location is the difference between a novice and a legend. Trevor gives you a crash course on identifying “less-lethal” weapons.

🎩 H/T: Trevor Ball

Read on Bellingcat…

📰 The #1 Downloaded Skill on OpenClaw was Malware!

OpenClaw is still making its rounds online and it’s worth mentioning again. What we’re witnessing might be the “MySpace” of LLMs, opening the door for more sophisticated versions later. Much like early social media, it’s filled with scams, like concealing malware inside the OpenClaw skill marketplace.

🎩 H/T: chiefofautism

Read on X…

OSINT Tools

🔎 OSINT Entity Extractor

OSINT Entity Extractor is a Obsidian plugin that allows you to leverage your OpenAI API key to extract insights from content found online with ease, creating a nice visualization of key data points.

GitHub

🎩 H/T: thomasjjj

🔎 p3Wifi

If you’ve ever used Wigle but feel like it’s too much of a blast from the past, check out p3Wifi. Similar, but modern.

Web App

🔎 ThunderBit

If Instant Data Scraper is coming up short for you, consider ThunderBit. It’s like ChatGPT and Instant Data Scraper in a tag team match up, but it’s in your web browser as a Chrome Extension.

Browser Extension

⭐ Sponsor: SockPuppet.io

SockPuppet delivers secure, isolated environments with persistent virtual desktops and phones, real carrier-based SMS for OTPs, and residential IP connectivity—selectable from hundreds of locations. All accessible through a simple web interface that scales as your investigations grow.

Visit SockPuppet.io to empower your investigations with technology trusted by intelligence professionals.

🏁 New CTF Challenge Live - The Unknown Bridge

A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on identifying the full name of a bridge seen in the background of a flying U.S. Navy UAV.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured an image reverse lookup OSINT task titled “Locating Epstein”.

By closely examining the wall behind the subject, we could take a screenshot of the window area and run it through PicDetective which then pointed us to the Great Wall of China.

Additional visual clues were also present, such as Chinese writing visible on the wall, which also indicated that the location was in China.

The task tested participants OSINT skills, particularly their ability to perform image reverse lookups, analyze subtle visual clues, and leverage the appropriate tools to identify the location accurately.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Organizing Information and Avoiding Duplication of Effort

• When doing an investigation, you can very easily retrace your steps accidentally and waste a lot of time. In this issue, I will step through my method for collecting and organizing information and improving efficiency.

  • This issue includes a free browser extension for improving investigative efficiency as well as a free Obsidian plugin for basic case management.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

🏁 New CTF Challenge Live - Locating Epstein

A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on identifying the exact name of the location where a photograph of Jeffrey Epstein and Ghislaine Maxwell was taken.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a domain OSINT task titled “The Phisher” (2 Parts). For Part One, the objective was to investigate the suspicious domain rnicrosoft, a clear typosquatting attempt designed to mimic Microsoft's domain name. The challenge required performing a WHOIS lookup on the domain to gather publicly available registration details.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ How I Went From Intelligence Analyst to Product Manager

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

Sometimes with OSINT, it’s all about location. The ability to discover where an image was taken, a video was shot, or a newsworthy incident took place can make the world of difference to an investigation. From verifying frontline war-zone footage, to detecting digitally-altered imagery, there are probably more uses for geolocation OSINT than there are countries in the world (about 195, fyi).

However - part art and part science, working out where things are with OSINT takes a very particular set of skills. This issue will teach you:

• The basics of GEOINT

• The best geolocation tools online

• Manual methods (including visual recognition)

• …and how to place any piece of data in geographical context.

It’s time to take a tour round the world of geolocation OSINT. Let’s set off.

What is GEOINT?

In beginners’ terms, geolocation OSINT (also known as GEOINT or geospatial intelligence) is discovering locations with analysis; usually to place a particular piece of data in a geographical context. This involves a mix of satellite imagery, mapping, and environmental or visual context clues - which all work together to give analysts an idea of where in the world things are.

GEOINT is used worldwide by the most advanced intelligence capabilities, like government departments and global defence firms. But even if you’re not wading into world conflicts, you’re still crossing borders - between the digital world, and the physical one. This area of OSINT is all about putting digital data in a physical context.

The Two Hemispheres: Geolocation Methods

Geolocation OSINT mixes up two types of methods to make actionable discoveries. To pin down where something really happened, these are the two different areas of work you’ll need to explore: the digital, and the visual.

1. Visual Analysis

Visual analysis is the most popular, and most extensive, geolocation discipline. Images - including moving images aka video footage - are stuffed full of clues to work with.

Even minor details - like curb paint or utility pole design - can narrow a search from continent to city. Pro investigators will usually combine visual work with AI-assisted pattern analysis, to… Actually, we’ll go much deeper into image analysis later, so put a pin in this part for now.

2. Digital Analysis

Meanwhile, some work sits in the digital world; particularly processing metadata and IP searching. While IP geolocation is weak, it can occasionally reveal the target’s country or region - giving you a clear place to start. More importantly, images and documents often carry metadata with geographic indicators.

Of course, metadata won’t always be there; it’s often stripped by social media platforms to protect people’s privacy, or intentionally removed by the creator to obscure a file’s origin. But it’s always worth exploring.

The Explorer’s Toolkit: Geolocation Tools

Now, the tools of the GEOINT explorer’s trade. Put away your paper maps; from satellite platforms to reverse image search engines, this tech toolkit will shrink your search area fast. And the less jungle you have to beat through, the better your geolocation efforts will go.

Mapping and Satellite Platforms

• Google Earth: Still the bedrock of geolocation work. Google Earth will give you a fast visual impression of terrain types, distances and landscapes.

• Google Maps: Google Maps’ integrations with other features (like business pages and reviews attached to public Google profiles), are priceless for pinpointing a target’s movements, or verifying business addresses.

• Google Street View: Valuable for ground-level verification. Plus, the stored historical imagery allows you to confirm when structures were built or changed.

• Yandex Maps: Particularly valuable for Eastern Europe and parts of Central Asia. Includes a Street View feature, and covers areas that Google won’t.

• Bing Maps: Often provides alternative Street View coverage where Google has gaps. Like search engines, it takes multiple mapping platforms to get a full geolocation picture; not every one indexes everywhere.

Reverse Image Search

• Traditional Reverse Image Search (eg. Google Lens, TinEye, Yandex): Reverse image search works by matching your searched image with similar shapes, colours, and distances in its library of indexed images. While traditional reverse image search can surface earlier uploads, higher-resolution versions, or media tied to specific locations, it won’t be able to tell you anything about an image that hasn’t appeared elsewhere.

• AI-Assisted Geolocation (eg. GeoSpy, picarta.ai, EarthKit): AI geoguessers take reverse image search to the next level. By matching landmarks, terrain, skylines and languages on visible text, they attempt to recreate the geographic metadata behind an image. Yet like all AI, they will still hallucinate: even advanced systems can’t tell the difference between the coastline of Puerto Rico and Barbados, for example.

Metadata Viewers

Both documents and images carry metadata, but image metadata is far more useful for geolocation. There will often be GPS coordinates in EXIF metadata, plus device model and timestamp data. Even the altitude the photographer was at, and the direction they were facing, will be visible with a quick metadata extraction. Even a simple online service like exif.tools can do the job.

Specialist Tools

Niche tasks will require unexpected tools: sun position calculators, for example, can help you with shadow analysis - a useful way to ascertain the time of day and location a picture was taken. Many curated lists - or OSINT toolboxes - are full of similar surprise tools that could help you later.

Spot the Details: Manual Methods & Visual Recognition

Put away your (Google) maps - and let’s turn back to visual analysis. Elite geolocation analysts rely on pattern recognition developed through practice; years and years of honing their ability to spot the most obscure useful details in an image. Of course, you don’t have years and years… so just go through this checklist.

1. Architectural Analysis: Buildings are different everywhere in the world. Look at roof shapes (flat vs pitched), window and balcony styles, and construction materials to get an idea of location. Concrete panel blocks could suggest a post-Soviet state, for example.

2. Road & Transport Indicators: Road infrastructure is also regionalised. Check lane markings, which side of the road they drive on, sign typography and bollard shapes. Even traffic light orientation can be country-specific - and has helped crack cases.

3. Language & Typography: If they’re speaking Chinese, it’s probably in China. You can even narrow the location down even further just by analysing any text you can see; alphabet systems (Latin, Cyrillic, Arabic, Mandarin, Cantonese etc.), dialect variations, domain suffixes on signage, and phone number suffixes can tell you where an image is specifically from.

4. Vegetation & Ecology: Trees, plants and flowers will reveal which climate zone the target is in. For example, palm species suggest either tropical or subtropical regions. Even the grass colour can tell you rainfall levels; dry, dusty greenery is more likely to suggest Arizona than South Dakota. Check agricultural crops too - if the fields are full of corn… more likely Midwest.

5. Shadow & Sun Analysis: Determining shadow directions sounds like black magic. But analysing shady spots can show you the hemispheric orientation of your image. Measure shadow length, height, and angles, then compare them against timestamps to validate or debunk the claimed capture dates.

6. Terrain & Topography: Lastly, landforms and terrain textures can tell you macro-location information. Mountain silhouettes, coastal curvature, and even the specific hue of the soil can help close in on a specific part of the world. Matching sections against satellite imagery is a common closing technique.

Example: Geolocation OSINT in Action

A beautiful young traveller is abducted during a European trip. During her final, brief phone call she manages to whisper: “White walls… red curtains… balcony outside.” The call cuts.

You are her father: a middle-aged GEOINT practitioner with a very particular set of skills. Time to use them to discover where she was taken.

Step One: Review Available Footage

You begin by checking her socials, where you find a video she posted earlier that day. In the background you see a street view from her apartment balcony. Visible details include cream-coloured Haussmann-style buildings. This indicates your daughter was in Paris.

​​Step Two: Reverse Image Search

Zooming in on the footage frame-by-frame, you see that one of the Hausmann-style buildings is a cafe. By using reverse image search on the cafe’s distinctive red awnings - and cross-referencing Paris business listings - you identify several candidate streets.

Step Three: Street View

You take your search on to Google Street View. “Walking” around your candidate streets, you “look” in the windows opposite each cafe to see if you can spot the key details: white walls, red curtains, balcony outside. You eliminate candidates until one street aligns perfectly.

Step Four: Get Technical

Returning to the original video, you extract the metadata from the video file. GPS coordinates are absent, but timestamp and device data remain. It was posted with an iPhone, in Paris… cross-referencing upload time with her known movements and daylight conditions confirms the exact location. Time to go get the bad guys.

Key Takeaways

After that whistle-stop tour round the world of geolocation OSINT, you should know:

• It’s half art, half science. Geolocation OSINT is both visual and technical

• Don’t forget your tools - Even the unexpected ones

• Cross-reference everything. Geolocation is triangulation. Where points converge - that’s your spot.

See you next week, investigators!

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 93 and 94 of The OSINT Newsletter and focuses on two core realities of modern OSINT: why domains remain one of the most powerful investigative entry points, and how real investigators evolve their methods, tools, and careers over time.

In Episode 12 of the OSINT Podcast, host Jake Creps breaks down Domain OSINT from first principles, showing how a single URL can unravel ownership, infrastructure, intent, and connected activity. Alongside that, Jake reflects on how OSINT methods are discovered, why most of them decay, and how his own path from intelligence analyst to product manager reshaped how he thinks about collection, analysis, and tooling.

The episode also covers OSINT news, emerging risks in large-scale surveillance systems, agentic AI, and several practical tools that investigators are using right now.

Highlights include:

🌐 Domain OSINT: It’s Free Real Estate – why domains are one of the most overlooked investigative assets, what they can reveal about ownership, infrastructure, behaviour, and intent, and how to move from a single address to an entire network.

🧱 Beginner Tools for Domain OSINT – practical walkthroughs of WHOIS, DNS enumeration, reverse IP search, historical site analysis, and email infrastructure checks, all using free or freemium tools.

🔁 Turning Patterns Into Pivots – how hosting reuse, domain age, registrar choice, and site history expose relationships that privacy protection can’t hide.

🧪 A Domain OSINT Case Study – following a suspicious “global services” website from registration details to hosting behaviour and archived versions, and showing how fast red flags accumulate when you know where to look.

🧠 How New OSINT Methods Are Discovered – an inside look at how investigators actively and passively find new techniques, why most methods have a short shelf life, and why sharing sources and methods matters more than hoarding tools.

🧑‍💻 From Analyst to Product Manager – Jake’s personal journey from intelligence analysis into tech, the concept of “Customer Zero,” and why analysts often make the best product leaders in OSINT-adjacent companies.

🛠 Building Tools vs Doing Analysis – the tension between creating collection tooling and maintaining analytical rigor, and why many investigators naturally drift toward engineering without realizing it.

🕵️ OSINT News and Emerging Risks – coverage of OSINT resources for Qatar, crowdsourced surveillance systems and privacy failures, and the growing reality of investigating humans operating behind LLM-driven content.

🔎 New and Noteworthy Tools – including Dorkwright for homegrown SERP scraping, Pic Detective as a reverse image search complement, and Think-Pol for Reddit investigation in a hostile API environment.

Throughout the episode, the emphasis stays on fundamentals over hype, behaviour over branding, and understanding systems rather than blindly trusting tools.

If you want to get better at tracing ownership, uncovering infrastructure, and building an OSINT skillset that survives tool churn and career pivots, Episode 12 is for you.

References

OSINT Newsletter – Issue 93
OSINT Newsletter – Issue 94

Dorkwright | Pic Detective | Think-Pol

OSINT of Qatar | Waze Crowdsourced Surveillance | OpenClaw (Moltbot)