🎁 It’s been a while since a paid subscription of The OSINT Newsletter went on sale. Recently, the newsletter crossed the 32,000 subscriber mark. To celebrate, here’s a 50% off discount.

50% Off

Here’s what you’ll get access to by upgrading now:

• Access to the entire newsletter archive of paid content with over 100 issues of tools, tactics, and techniques.

• Continuously improve your skill set with the latest OSINT methods to discover more, be more efficient, and bring more value to your organization or mission.

Thanks for your support.

Click here to get 50% off The OSINT Newsletter👇

Get Better at OSINT for $40

🚨 This is the first post in the return of OSINT Tool Tuesday, an ongoing series of tool review deep dives aimed at helping investigators improve their tool kit. I understand it’s Thursday… we will be publishing these on Tuesdays moving forward!

TheBigBrother

TheBigBrother is a GitHub project that offers a comprehensive OSINT framework designed to investigate an individual’s digital footprint across the internet, enabling users to gather information such as associated usernames, social media profiles, metadata, and other publicly available intelligence. Essentially, it’s a username tool on steroids.

🎩 H/T: Chadi0x

TheBigBrother allows you to search primarily by username, while also supporting a range of modules including email lookups, domain intelligence, metadata extraction (EXIF), and cryptocurrency tracing.

It brings together multiple OSINT techniques into a single toolkit, making it a valuable resource for investigations across law enforcement, cyber security, corporate intelligence, executive protection, and online threat analysis.

In this guide, I’ll walk you through how to set up The Big Brother, how to use the tool, practical use cases you can apply it to, and key pivot points you can leverage from the information it uncovers.

Let’s get started. ⬇️

Setup

Recommended = Docker Method

The easiest way to get The Big Brother up and running is by using Docker, which handles all dependencies and environment configuration for you.

Prerequisites

Before you begin, make sure you have installed:

• Docker

• Docker Compose

You can verify installation with by typing these commands into your terminal:

docker --version

docker-compose --version

Step 1: Clone the Repository

On your terminal, run:

git clone https://github.com/chadi0x/TheBigBrother.git

cd the-big-brother

Step 2: Launch TheBigBrother

Run the following command to build and start the tool:

docker-compose up --build

This will:

• Build the Docker image

• Install all required dependencies

• Launch The Big Brother environment

MANUAL SETUP

If you prefer not to use Docker, you can install and run The Big Brother locally using Python.

Prerequisites

Make sure the following are installed:

• Python 3.8+

• Git

• pip

You can verify with:

python3 --version

git --version

pip3 --version

Linux/MacOS Setup

1. Create a virtual environment

python3 -m venv venv

source venv/bin/activate

2. Install Dependencies

pip install -r requirements.txt

playwright install chromium

3. Launch the Application

python -m uvicorn the_big_brother.gui.main:app --port 8000

Windows Setup

1. Install Dependencies

pip install -r requirements.txt

playwright install chromium

2. Launch the Application

python -m uvicorn the_big_brother.gui.main:app --port 8000

Next Steps:

Once running, open your browser and go to:

http://localhost:8000

You’ll see the The Big Brother web interface, where you can:

• Enter usernames

• Run modules

• View results visually

Now, let’s dive into TheBigBrother usage and use cases.

Usage

Now that we’ve covered the basics, let’s dive into some of the core modules within The Big Brother and how you can use them in OSINT investigations.

Profiler

The Profiler module is designed to build a high-level overview of a target by aggregating information from multiple sources into a single profile.

This can include:

• Usernames

• Social media accounts

• General online presence

Example:

python3 thebigbrother.py --profiler testusername

This will produce a consolidated view of the target, helping you quickly understand who you’re dealing with.

On the web interface, you can enter a target identifier (username, email address, phone number). Associated profile images will appear in the blank space above.

🗒️ This is a great starting point before diving deeper into specific modules.

Footprint

The Footprint module focuses on identifying where a username exists across the internet.

Example:

python3 thebigbrother.py --footprint testusername

This will:

• Enumerate accounts across platforms

• Highlight reused usernames

• Map out digital presence

As you can see, our test on the web interface brought up 7 platforms linked to our email address.

🗒️ Use this to identify pivot points into other tools or manual investigation.

Net Scan

The Net Scan module is used for gathering network-level intelligence.

Example:

python3 thebigbrother.py --netscan example.com

This may return:

• IP addresses

• Open ports

• Hosting/provider information

Our YouTube example on the web interface brought up the below network information:

🗒️ Useful for infrastructure mapping and identifying related assets.

Dark Web

The Dark Web module attempts to identify whether a target appears in:

• Data breaches

• Leaked databases

• Dark web mentions

Example:

python3 thebigbrother.py --darkweb test@email.com

This can help uncover:

• Compromised credentials

• Exposure risks

• Historical leaks

You can enter a keyword e.g. a leak or database into the web interface search bar as below:

Crypto

The Crypto module is used to analyse cryptocurrency wallets and transactions.

Example:

python3 thebigbrother.py --crypto <wallet_address>

This may reveal:

• Transaction history

• Wallet activity

• Links to other wallets

On the web interface, simply enter the wallet address in question into the search bar below (bitcoin or ethereum).

🗒️ Particularly useful in fraud, ransomware, or financial investigations.

SSL

The SSL module gathers intelligence from SSL certificates.

Example:

python3 thebigbrother.py --ssl example.com

This can uncover:

• Associated domains

• Certificate details

• Infrastructure links

🗒️ Great for finding hidden or related domains tied to a target.

EXIF

The EXIF module extracts metadata from images.

Example:

python3 thebigbrother.py --exif image.jpg

This may include:

• GPS coordinates

• Device information

• Date/time data

As in our web interface example, you won’t always get detailed information.

🗒️ Extremely useful when analysing images from social media or leaks.

Dorks

The Dorks module leverages advanced search queries (Google Dorking) to find indexed information about a target.

Example:

python3 thebigbrother.py --dorks testusername

This will generate queries to uncover:

• Public documents

• Exposed data

• Indexed profiles

🗒️ Helps surface information that isn’t easily found through direct searches.

GEOINT

The GEOINT module focuses on geographic intelligence.

Example:

python3 thebigbrother.py --geoint <location_or_image>

This may help:

• Identify locations from images

• Analyse geographic patterns

• Support situational awareness

Our web interface search produced various location insights from various different sources, ideal for corroboration.

🗒️ Useful for uncovering location-based insights from images, videos, and geographic data.

Sky Radar

The Sky Radar module is used for aviation-related intelligence.

Example:

python3 thebigbrother.py --skyradar <flight_or_aircraft>

This can provide:

• Flight tracking data

• Aircraft information

• Movement patterns

🗒️ Useful in niche investigations involving travel, logistics, or tracking assets.

Use Cases

TheBigBrother is essentially a username intelligence + image correlation tool that:

• scans hundreds of platforms (~400+) for usernames

• pulls profile images

• runs automated reverse image searches across multiple engines

That combination is best for identity linking, username pivoting, and avatar-based correlation.

The bottom line? It shines in early-stage investigations, when you’re trying to answer: “Where else does this person exist online?”

Where this tool is actually useful in OSINT:

Identity Correlation/linking accounts

If you start with a username or even just a profile image, you can find matching usernames across platforms, confirm links using reused profile pictures, and cluster accounts belonging to the same person.

Social Media Investigations

The tool accelerates what analysts normally do manually i.e. searching usernames across platforms, comparing profile photos and running reverse image searches separately. With this automated, you can quickly find forgotten/old accounts, identify niche platforms, and uncover behaviour patterns across platforms.

Reverse Image Pivoting

This is, in our opinion, an underrated use of the tool. Essentially, because it auto-runs reverse image searches, you can detect reused avatars across multiple accounts, spot fake personas using stock/AI images, and find the original source of a profile image. This is useful for catfish investigations, scammer tracking, or simply verifying whether a persona is real.

Threat Intelligence / Cyber Investigations

In cyber threat intel, attackers often reuse usernames, avatars, and branding. TheBigBrother helps pivot from a known handle to a broader footprint, and can identify presence on GitHub, forums, marketplaces, and social platforms.

Red Teaming / Privacy Audits

Security teams can use this tool to understand what an attacker could discover publicly via simulating how easily identities can be correlated and identifying OPSEC failures such as username and avatar reuse.

🏁 New CTF Challenge Live - The Insider

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on Local search methods. Your task is to identify the username of an insider who plans to target a company with ransomware and also determine the targeted company name.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Hacktivist”.

Solution WU :

Using Twitter Viewer - View Twitter Without Account and typing the username of the X account “RepresaliaNet” we could browse the posts made by the threat actor without having an account.

While browsing the posts, we could notice that one of the posts published on Nov 28, 2024 contains the username : YourZer321-PVC

Scrolling further, we could see that the first post date was : 25/09/2024

To find the country we needed to have an account (Sock Puppet). By clicking on “about this account”, we could see that the account was based in : Uzbekistan

✅ That’s all for this issue of The OSINT Newsletter. Thanks for reading and supporting this publication with a paid subscription.

💡 Remember OSINT != tools. Tools help you plan and collect data but the result of that tool is not OSINT. You must analyze, verify, receive feedback, refine, and produce a final, actionable product of value before it can be called intelligence.

This episode covers Issues 99 and 100 of The OSINT Newsletter and focuses on two essential aspects of modern OSINT: processing large datasets locally using efficient tools, and developing your investigative skill set through consistent, ethical practice.

In Episode 15 of The OSINT Podcast, host Jake Creps explores offline OSINT from first principles, breaking down why traditional tools fail when dealing with investigative scale data. The episode explains how local search tools operate without loading entire datasets into memory, allowing investigators to extract key information from massive files quickly and efficiently.

Jake walks through core command line techniques used in local analysis, including grep for pattern matching, csvkit for structured data filtering, and tools like awk and jq for processing and transforming datasets. By combining these tools, investigators can build lightweight pipelines that turn raw data into usable intelligence.

The episode then shifts from tools to mindset, focusing on how investigators actually develop their skill set over time. Rather than relying on theory alone, Jake outlines practical, repeatable methods for improving as an OSINT practitioner.

He explores how collecting and sharing tools builds familiarity with the ecosystem, why writing and teaching methods reinforces understanding, and how small scale investigations such as analysing spam emails can provide valuable repetitions without ethical risk.

Jake also discusses the importance of applying OSINT for real world impact, highlighting opportunities to support non profit investigations and contribute to meaningful causes. Alongside this, the episode covers personal OPSEC, showing how investigators can use their own techniques to audit and reduce their digital footprint.

Along the way, Jake reinforces a core principle of OSINT: tools enable collection, but intelligence comes from analysis. Mastery comes from repetition, not novelty.

Highlights include:

📂 Offline OSINT – Working with Local Data – how to search and analyse massive datasets using tools like grep, csvkit, awk, and jq without overwhelming your system.

🧠 Building Your OSINT Skill Set – practical methods for improving as an investigator through repetition, teaching, tool discovery, and low risk investigations.

🛠 Tools in Focus – grep for fast pattern matching, csvkit for structured data handling, and command line workflows for scalable data processing.

Throughout the episode, the focus stays on practical investigative thinking. Data reveals patterns. Practice builds intuition. And the best investigators know how to combine both.

If you want to improve how you handle large datasets and develop your OSINT skill set in a structured, ethical way, Episode 15 is for you.

References

• OSINT Newsletter – Issue 99

• OSINT Newsletter – Issue 100

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Offline OSINT: Local Search Tools and Methods

Let’s get started. ⬇️

OSINT News

📰 Public GitHub Repositories from News Organizations

Open Journalism delivers a biweekly update of open source projects published by news organizations. Sometimes tools, datasets, or other useful bits of information, make sure show your support for this great project.

Read on Open Journalism…

🎩 H/T: Scott Klein

📰 Changes in Google Programmable Search Engines

There are changes coming to custom search engines in Google. They will no longer have the option to do a full web. Many OSINT tools are built on the back of custom search engines. If you use any, it might be time to diversify.

Read on LinkedIn…

🎩 H/T: Henri Beek

📰 Open-source intelligence shuts down

This article highlights something I’ve mentioned often, becoming too reliant on datasets being available and eventually being disrupted by changes. Satellite images of the area affected in the ongoing war in Iran have been blocked or removed. Many research projects rely on regular access to these images for humanitarian purposes or otherwise.

Read on The Economist… | No Paywall

OSINT Tools

🔎 WireTapper

This is a niche tool. It may even be somewhat of a grey tool. Using the Wigle, WPA Sec, OpenCellID, and Shodan API keys, WireTapper provides insight into location-based technical data from passive sources.

GitHub

🎩 H/T: h9zdev

🔎 Deaddrop

Another Telegram search engine. Always build redundancy. Search for content within a scraped Telegram archive and find information that isn’t indexed by search engines.

Web App | LinkedIn

🎩 H/T: The OSINT Consultants

🔎 LootBin

Termbin is like Pastebin but through the command line. LootBin helps you gather information from Termbin, another source not indexed by search engines.

GitHub

🎩 H/T: gustqvo432

Note: There seems to be some suspicious code in the Windows version of this tool. Do not install it. Instead, understand the concept educationally.

⭐ Sponsor: SockPuppet.io

SockPuppet delivers secure, isolated environments with persistent virtual desktops and phones, real carrier-based SMS for OTPs, and residential IP connectivity—selectable from hundreds of locations. All accessible through a simple web interface that scales as your investigations grow.

Visit SockPuppet.io to empower your investigations with technology trusted by intelligence professionals.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡5 Ethical Ways to Develop Your OSINT Skill Set

• Developing an OSINT skill set is valuable for a variety of roles. I’ve seen OSINT used everywhere from recruiting for HR departments to tracking Elon Musk’s airplane. If you’re looking for ways to build your skill set ethically, you’ve come to the right place. If you practice all 5 methods even once, you’ll be noticeably better.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• How to search large datasets locally

• Command-line search methods

• Pro tools for processing structured data

• …and everything you need to know about analysing large files.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Collecting Information from Local Sources in an OSINT Investigation

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

Offline OSINT: Local Search Tools and Methods

Not all OSINT happens on the internet. Sometimes the most valuable insights come from something you’ve already got downloaded; and every OSINT investigator has heaps of exported spreadsheets and datasets on file to work with. But when you’re archiving everything, it’s easy for your collection of documents - or even the size of the datasets themselves - to get huge.

But processing data with the wrong tools can be a real drag. If you’ve ever tried to open a 3GB CSV file in Excel, you already know the pain. Standard office tools simply weren’t built for investigative-scale datasets - and that’s where local device search tools come in.

Let’s get into local search.

What is Local Search?

OSINT investigators often end up working with big datasets. Breach dumps, scrapes, exports and archives can mount up, with a single file easily containing millions of rows. A rookie investigator will usually try to open these with traditional spreadsheet software (think Microsoft Excel); only to find it crashes instantly or slows to a stop. In turn, searching through a dataset is even more of a struggle. It’s possible, but it’s extremely painful.

Local device search tools are made to solve this problem. They scan the files directly, without loading everything into memory and making themselves sluggish. Instead of manually scrolling through data, you can extract exactly what you need in seconds - like pulling from a digital library catalog, rather than searching shelf-by-shelf.

Searching vs. Processing: How to Handle Large Files

The tools we’re about to talk about are all naturals at searching big files. But what if you want to do more than just search? Then you need processing power. If you want to:

• Extract all email domains from a breach file

• Identify the most common usernames in a dataset

• Count how many times a specific organisation appears

• Separate valid data from corrupted rows

Then clearly, just search won’t cut it. Luckily, command-line processing tools excel at these tasks because they’re designed for automation and scale. Many investigators will even combine the tools we’re about to discuss together; mixing and matching methods and modules lets you build data- processing pipelines that perfectly fit your needs.

For example, you might search up a keyword with grep, then use awk to count the matches. If it sounds like we’re talking nonsense… let’s learn what the grep we’re on about.

grep: The Text Search Tool

grep (short for global regular expression print) is one of the most popular local device search tools in the OSINT community. It’s a Unix command-based search, localised to your device; grep scans text files for matching patterns, and returns every line containing your query.

It’s fast, simple, and extremely powerful when working with large text-based datasets. The perfect way to surface those pesky data points when they’re swamped. Use grep to search files for:

• Email addresses

• Phone numbers

• Domain names

• Usernames

• Keywords related to your investigation

For example, if you wanted to search a breach file for a particular email address, grep could scan millions of rows for it almost instantly.

On top of this, grep can also do pattern matching. This means you can search for entire categories of data, too, as well as exact words; any email address ending in a particular domain, for instance. Because it reads line-by-line rather than loading files fully, grep can comfortably handle big datasets that would blow up normal apps.

csvkit: Making Sense of Spreadsheets

Most OSINT datasets are stored as CSV files. CSV stands for “comma separated values,” and it’s one of the most common formats for structured data exports. Breach databases, scraped content, and research datasets are frequently distributed this way. Usually, CSV means spreadsheets; but even programs that don’t seem like spreadsheet apps will often offer CSV as an output file type.

But CSV files grow big, fast. To deal with this, you need a tool specially designed to deal with CSVs - without opening them and overloading your machine. csvkit is such a tool; it works from the command line to search, filter, and analyse spreadsheets without opening. Instead of scrolling through millions of rows, you can:

• View column headers instantly

• Filter rows based on conditions

• Extract specific columns

• Convert files into other (more manageable) formats

For example, if a sheet has three columns full of usernames, IPs, and emails, csvkit allows you to isolate just the column you need and ignore the rest. Makes it much easier to focus on each different data point methodically without getting distracted.

More Tools for Local Data

Beyond grep and csvkit, several other lower-case-named tools are popular in pro OSINT workflows. They might have a disregard for grammar rules, but they’re great at handling big datasets - searching, processing, analysing, and more.

• ripgrep: ripgrep is designed to make grep commands even quicker and easier with little changes; automatically ignoring irrelevant files, like binary data for example. If you have a whole folder of datasets, ripgrep will whip through that entire directory structure - stat.

• awk: like grep and sed, awk is a command-line filter. More general than grep, it’s often used for processing structured data - and can handle different commands and modifications than its cousins.

• jq: described as “sed for JSON data”. Sometimes, datasets are stored in JSON format rather than CSV, making them much more difficult to read manually. jq can search and pull out specific fields from JSON data turning messy machine-readable files into human-readable intel.

• SQLite: When a dataset gets super big, it’s sometimes easier to import it into a lightweight database than leave it standalone. SQLite lets you do this. Plus, it’s already the most used database engine in the world.

Example: Local Search in Action

this time, imagine you are a professional osint analyst, working with a dataset containing millions of logins. but something seems wrong. immediately, you realise - all the data appears in lowercase.

somebody has stolen all the capital letters, and the issue is spreading. you need to find out when, and how.

step one: search

first you need to confirm that the capitals have gone. using grep, you scan the dataset for a username you know should be capitalised. Here, every instance appears in lowercase - confirming the capitals aren’t where they should be.

step two: process

next, you process the data for evidence. you use awk to analyse patterns across the dataset - counting the examples of that de-capitalised username, and identifying other entries that should have been capitalised. you begin to question the thief’s motives.

step three: structured analysis

you isolate each column with cvskit, and work through each methodically: usernames, email addresses, dates, checking each for formatting issues. the loss has occurred consistently across all fields. seeing the scale of the crime disturbs you.

step four: check other formats

Finally, you run jq on an older version of your dataset. these files still contain capital letters - meaning the dataset was just corrupted during the csv export.

as for the issue spreading… you need a new keyboard.

Key Takeaways

So, now you know the basics of local search. By now you should be able to:

• Search: Use commands to find specific data points

• Process: Execute more complex commands to make your life easier

• Analyse: Work with tools to identify patterns and pivot

• type: ignore automatic capitalisation and write in lower case

See you next time, investigators!

🏁 New CTF Challenge Live - The Hacktivist (2 Parts)

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on identifying the hacker username of a threat actor, the date of their first post announcing the start of a cyberattack and the country in which the account is actually operated, using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “Trace The IP”. Here is the solution:

Using IP Lookup | Find Your Public IP Address Location and searching for 151.202.95.130 we could see that the IP was linked to several cities : Tuckahoe, Bronxville, New York, Eastchester, Yonkers. Formatting them in alphabetical order gave us : Bronxville, Eastchester, New York, Tuckahoe, Yonkers.

Looking at the ISP we could see that it was Verizon Business.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 97 and 98 of The OSINT Newsletter and focuses on two critical aspects of modern OSINT: understanding how IP addresses reveal the movement of data across the internet, and how investigators can gather intelligence from a specific location even when they are nowhere near it.

In Episode 14 of The OSINT Podcast, host Jake Creps explores IP address OSINT from first principles, explaining how IPs function as the routing system of the internet. The episode walks through the difference between user IPs and server infrastructure, why dynamic IP addresses constantly change hands, and how static infrastructure can reveal patterns behind suspicious activity.

Jake then breaks down several investigative techniques used in IP analysis, including reverse IP lookups, passive DNS research, IP geolocation, and identifying traffic routed through VPNs and Tor nodes. When combined with timestamps and behavioural patterns, these signals allow investigators to reconstruct the path digital activity has taken across networks.

The episode then shifts to a different but equally important challenge: local OSINT investigations. Some investigations require extremely targeted intelligence from a specific city or region. In those cases, investigators must replicate the local internet environment in order to see the same results a local user would.

Jake explores how investigators can use VPNs and browser location manipulation to appear local, allowing search engines, advertisements, and recommendation systems to reveal location specific information. From there, he discusses how to build local intelligence feeds by aggregating small regional publications, government websites, and community sources into a single stream using RSS readers and alerting tools.

The episode also looks at analysing activity around physical locations using Google Maps “Popular Times” data, showing how investigators can detect patterns and unusual activity around businesses or venues without ever being physically present.

Along the way, Jake highlights several useful OSINT tools and resources including Dark Light Viewer, Twitter Viewer, and GeoSentinel, while also touching on developments in AI driven investigations and evolving OPSEC considerations.

As always, the emphasis remains on method over novelty. Infrastructure reveals behaviour. Location reveals context. And the best investigators know how to follow both.

Highlights include:

📦 IP Address OSINT – Following the Packets – how IP addresses function as the routing system of the internet, why dynamic IPs complicate attribution, and how reverse IP lookups and passive DNS can reveal hidden infrastructure.

🌍 Local OSINT Investigations – techniques for collecting intelligence from a specific place remotely using VPNs, browser configuration, local news aggregation, and location specific data sources.

🛠 Tools in Focus – Dark Light Viewer for satellite light comparison, Twitter Viewer for footprint free browsing of X profiles, and GeoSentinel for tracking global movement across maritime and aviation data.

Throughout the episode, the focus stays on practical investigative thinking. Infrastructure creates patterns. Location creates context. And when both are understood together, digital activity becomes much easier to trace.

If you want to strengthen your understanding of IP address investigations and location based intelligence gathering, Episode 14 is for you.

References

OSINT Newsletter – Issue 97

OSINT Newsletter – Issue 98

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Return to Sender: OSINT With IP Addresses

Let’s get started. ⬇️

OSINT News

📰 Exploring a Secret Underground OSINT Marketplace

This issue of The OSINT Insider is a treasure trove of useful information for OSINT practitioners covering topics from new OSINT tools and datasets.

Read on OSINT Insider…

🎩 H/T:

📰 I Built an OSINT Agent Skill to Expose Your Digital Tattoo

OPSEC isn’t just about what you post online, it’s about what happens to the content after you post. This issue of The Secure Circuit covers an OSINT tool that helps you cover your tracks and also find the tracks of others.

Read on The Secure Circuit…

🎩 H/T:

📰 AI for OSINT Investigations: Turning Data Chaos into Intelligence

It’s 2026, AI is here and you’re going to use it whether you want to or not. Generic AI tools like GPT and Gemini may not be great for OSINT; however, AI within OSINT tools is a different story.

Read on Project OSINT…

🎩 H/T:

OSINT Tools

🔎 Dark Light Viewer

Compare nighttime light levels across any location on Earth, across any period from one month to ten years.

GitHub

🎩 H/T: Benjamin Strick

🔎 Twitter Viewer

View a Twitter (X) profile without having to log in. See posts and media without leaving a footprint.

Web App

🔎 GeoSentinel

Track global movement in real team; from maritime to aviation. Review in geospatial tooling.

GitHub

🎩 H/T: H9

Description

Scenario

A potential IP address associated with a French threat actor has been identified. Further investigation is required to determine the ISP name and the cities linked to this IP address in order to support attribution and ongoing analysis.

Challenge Objective

Your task as an OSINT analyst is to find :

• The cities linked to this IP (in alphabetical order).

• The ISP name.

🏁 New CTF Challenge Live - Trace The IP

A new CTF challenge has been posted on our CTF website. This week’s challenge focuses on identifying the ISP name and the cities associated with a specific IP address using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a challenge titled “The Wi-Fi Password”. Participants needed to identify the the password of a suspicious Wi-Fi using only open source intelligence tools and techniques.

Solution:

• Searching for : epstein property Florida on google brings us to the wikipedia page where the address is displayed

• Looking at the address we notice that it’s in Palm Beach

• Using 🔎 p3Wifi Free WiFi map - p3wifi and searching for the Palm Beach area we notice a weird Wi-Fi named SteinStein with the password visible in clear, located in front of a store named LaMuse which is exactly 0.7 miles and 3 minutes away from Epstein’s property when checking it on google maps with itinerary search.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Collecting Information from Local Sources in an OSINT Investigation

• The internet reacts to where you are in the world. You can trick the internet into thinking you’re somewhere else. Once you do that, your entire browsing experience changes. I discuss this, local news aggregation, and mining “Popular times” from Google Maps in this issue of The OSINT Newsletter.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• Introduction to IP addresses.

• How to investigate an IP address.

• A step-by-step process for IP investigation.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Organizing Information and Avoiding Duplication of Effort

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

The internet is like a big mail service. Every time somebody logs into their account, clicks on to a link or loads up a site, the data for that action gets parcelled up and shipped across the web. If domains are street names, IP addresses are the house numbers that actually direct the parcels to the right home. And like regular mail, the whole process leaves a trace behind.

Of course, stealing people’s mail is a felony (and a great punk track) - but that doesn’t mean you can’t get valuable OSINT from tracking its journey. If you know how to read IP addresses, they can tell you where traffic travelled, what infrastructure handled it, and whether someone tried to hide the sender.

In this issue, we’re following the packets. We’ll cover:

• The basics of IP addresses

• How IPs can change (and why that matters)

• Reverse IP lookups

• Geolocation with IPs

• ..plus all about VPNs and Tor traffic.

Now, let’s check the labels.

What Is an IP Address?

An IP address (short for Internet Protocol address), is a numerical identifier assigned to each device or server connected to a network. Think of it like a shipment number. It can either look like:

• IPv4: The old faithful. Appears as four blocks of numbers separated by dots, e.g. 192.168.1.1.

• IPv6: The longer, newer format, becoming increasingly common as the internet runs out of IPv4 space. Appears as eight blocks of numbers separated by colons, e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334

In OSINT terms, you can divide all kinds of IPs into two categories: User IPs, and Server IPs. A user IP belongs to a device connecting to a service. Meanwhile, a server IP belongs to infrastructure hosting websites, apps, or mail networks. Confusing the two is like mistaking a sender’s return address for a warehouse location.

IP addresses aren’t as stable an identifier as email addresses, for instance. But that’s OK; IP address OSINT is less about identifying individuals, and more about mapping the movement of data back to its source. Follow enough parcels, and you’ll find the depot.

Package Redirected: Why IPs Change, and What They Tell You

One of the biggest misconceptions in IP OSINT is assuming that IP addresses are permanent identifiers. Just because IPs are unique, doesn’t mean they can’t move from place to place. So why do IPs change, why does it matter… and once an IP changes, can you trace where it’s been?

Dynamic IP Addresses

Most average-Joe residential IP users are assigned dynamic IPs by their ISP (Internet Service Provider). These can change for a ton of reasons: after a router gets rebooted, for example, when a lease gets refreshed, or just over time. The most important thing to remember is that dynamic IPs get passed around between users. An IP that belonged to one person last month might belong to somebody else now.

Static IP Addresses

Businesses and hosting providers, however, usually use static IPs. These are longer-term allocations, tied to servers and infrastructure semi-permanently (emphasis on semi). However, when you see the same static IP appearing repeatedly, you can be reasonably confident you’re looking at a fixed point.

What IP Addresses Can Tell You

When Google alerts you that some stranger in France is suddenly using your login on an iPhone 12, they’ve gained this intelligence by checking the new French login IP address against the last 10 IPs you logged in from. Clearly, although an IP can’t tell you who did something online, it can tell you where, and with what device.

Overall, what IPs show you is the circumstances at the time an online activity took place. Was a login coming from a residential ISP? A data centre? A VPN provider? Or did multiple compromised accounts route through the same infrastructure - then suddenly switch to a totally different address? When paired with timestamps, old IPs help reconstruct movement patterns, and build up a theoretical narrative; like reading old postmarks to imagine a package’s journey.

Delivery Instructions: How to Investigate an IP

So, now you know why it’s worth investigating IPs, we can get to work on how. Some involve pro OSINT tools, but others are significantly more lo-fi. Let’s get into our favourite tips, tricks and techniques for investigating IP addresses.

Reverse IP Lookups

Reverse IP lookup - like reverse image search - flips the direction. Instead of asking ‘what IP does this domain use?’, you ask ‘what other domains are hosted on this IP?’. This is super useful when investigating scam networks and phishing campaigns.

To do it, plug the target IP into a passive DNS database, or an OSINT platform that supports reverse lookup (like Maltego). The results will bring up any domains associated with that address.

Hosting and Registration

Next, look for suspicious infrastructure. This could look like:

• Multiple domains sharing the same hosting

• Sudden bursts of activity (registering lots of domains at once, then none at all)

• Thematic similarities (crypto, “investment”, fake law firms etc.)

For example, if a single server IP hosts ten nearly identical “investment opportunity” websites registered within weeks of each other - especially on the same cheap VPS - then that’s a strong sign of unsavoury activity. Look up hosting and registration details with WhoIs searching.

That said, context still rules. Large hosting providers often place hundreds of legitimate websites on the same shared IP. In those cases, you’re looking at shared warehouse space, not necessarily shared ownership.

Geolocation

We covered IP geolocation a little in the last issue; it’s a way of identifying the country and often the city an IP is hosted in. It’s often inaccurate, and can’t pinpoint a specific address. So, think of it as narrowing delivery to the right city - not the exact doorstep.

However, it can still be useful - particularly for spotting inconsistencies. If a company claims to operate exclusively in one country but consistently routes traffic through infrastructure in another, for instance. Also look for repeated logins from the same location, and check if that matches with the IP geolocation result.

VPNs (Virtual Private Networks)

VPNs are a blessing and a curse for IP OSINT. When someone uses a VPN, the IP address you see belongs to the VPN provider’s infrastructure - not the user’s original connection. These VPN IPs often resolve to big data centres, too, making it tricky to tie down the user’s actual details.

There are ways to track if somebody’s using a VPN; rapid shifts between locations, for example. This is extremely useful if you need proof that a target is intentionally rerouting their traffic to avoid being detected.

Tor Nodes

Tor also adds another layer of complexity. The IP you see with a Tor browser is the target’s exit node, not the actual origin. Tor exit nodes are also completely public and rotate between users globally; so if you detect one, all it tells you is that the target didn’t want to be tracked. It doesn’t imply malicious intent, but it does tell you the package was deliberately relabelled before delivery.

Example: IP Address OSINT in Action

This time, imagine somebody has been making repeated attempts to log into your Strava account. If successful, they could hopelessly distort your PBs. All you know is that the logins originate from the same IP address. Let’s find out who’s running things.

Step 1: Identify the Owner

A Whois search shows that the login IP is registered to a regional consumer IP; a specific subscriber, on residential broadband. But where, and who?

Step 2: Analyse the Behavior

The IP is fairly consistent - with no jumping locations or ties to known exit nodes. That means the user isn’t attempting to hide their identity. The login attempts are also spaced irregularly, with pauses that resemble manual interaction rather than botting. So this is a real person.

Step 3: Geolocate

Cross-referencing multiple IP geolocation services places the IP consistently in western Ohio, near a cluster of rural towns. You’ve never been to Ohio. And you definitely haven’t been logging into Strava from there. An interesting detail: the region is known for its expansive cornfields.

Step 4: Reverse IP & Domain Check

A reverse IP lookup reveals two domains hosted to that same IP.

The first is a personal blog documenting endurance training experiments; one man pushing himself to run further and further in concentric circles without becoming dizzy.

The second, humanccohio.com, shows groups of runners arranged in geometric formations across harvested fields - what the author calls “human crop circles.” Metadata from the site aligns with the same western Ohio geolocation as the IP.

Step 5: Behavioral Context

The timestamps of the login attempts coincide with posts on the blog discussing “mapping local athlete data” and “identifying high-mileage runners nearby.”

Mystery solved: this is one guy in western Ohio, checking out Strava profiles in an attempt to recruit (or map) local athletes without their knowledge for his ‘human crop circle’ project. Weird.

Key Takeaways

Message delivered - now you know how to do OSINT with IP addresses. You should know:

• How delivery works: An IP is like a house number, it directs the data

• IPs change: Just because an IP is there now, doesn’t mean it’ll stick around

• Check the return address: reverse IP search is your most powerful tool

• Cross-reference everything: corroborate with behaviour to get the full story

See you next week, investigators!

🏁 New CTF Challenge Live - The Wi-Fi Password

A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on finding the password of a weird Wi-Fi using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a GEOINT challenge titled “The Unknown Bridge”.

Looking at the UAV in the image, we could see its number which is 166509.
Using bing browser and searching for “166509 flight” we could find a flight of this UAV on : flightaware.com/live/flight/166509
Looking at the tracking, we could see that it was last seen near Patuxent River MD, we could also notice the same airport as in the image which is Patuxent River (NHK)
On the left side of the airport we could see the same bridge as in the image which is named: Thomas Johnson.
By searching on Google : Patuxent River Bridge, we could see that the full name of the bridge was : Governor Thomas Johnson.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 95 and 96 of The OSINT Newsletter and focuses on two core realities of modern OSINT: why geolocation is one of the most powerful skills an investigator can develop, and why planning and organization separate professionals from amateurs.

In Episode 13 of The OSINT Podcast, host Jake Creps breaks down geolocation OSINT from first principles, showing how digital clues, visual recognition, metadata, and mapping platforms converge to place data in physical space. Alongside that, Jake explores how structured planning, deduplication, and case management dramatically improve investigative efficiency.

The episode also covers OSINT news, emerging risks in AI driven search environments, investigative workflow design, and several practical tools investigators can deploy immediately.

Highlights include:

🌍 Geolocation OSINT: Half Art, Half Science – why placing digital evidence into geographic context is one of the most powerful investigative capabilities, and how visual and technical methods work together.

🛠 Tools in Focus – OSINT Entity Extractor for structured note creation, p3Wifi as a modern alternative to Wigle, ThunderBit for AI assisted scraping, and case management inside Obsidian.

Throughout the episode, the emphasis stays on fundamentals over hype, discipline over distraction, and workflow over chaos. Geolocation is triangulation. Organization is leverage. Planning is speed.

If you want to sharpen your GEOINT skills and build an investigative system that actually scales, Episode 13 is for you.

References

OSINT Newsletter – Issue 95
OSINT Newsletter – Issue 96

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Geolocation, Geolocation, Geolocation: OSINT and Location Analysis

Let’s get started. ⬇️

OSINT News

📰 The State of Online Search: How to Find What You’re Looking For in the Age of AI

Craig talks about changes to the YouTube search functionality, among other things, and how the emergence of AI-first feature functionality will change how we find content online, making many old methods obsolete.

Read on Digital Digging…

🎩 H/T: Craig Silverman

📰 Identifying ‘Less-Lethal’ Weapons Used By DHS Agents in US Immigration Raids and Protests

Visual recognition is a cornerstone skill set for any intelligence professional. The ability to quickly analyze an image and draw upon your experience to quickly identify an object, person, or location is the difference between a novice and a legend. Trevor gives you a crash course on identifying “less-lethal” weapons.

🎩 H/T: Trevor Ball

Read on Bellingcat…

📰 The #1 Downloaded Skill on OpenClaw was Malware!

OpenClaw is still making its rounds online and it’s worth mentioning again. What we’re witnessing might be the “MySpace” of LLMs, opening the door for more sophisticated versions later. Much like early social media, it’s filled with scams, like concealing malware inside the OpenClaw skill marketplace.

🎩 H/T: chiefofautism

Read on X…

OSINT Tools

🔎 OSINT Entity Extractor

OSINT Entity Extractor is a Obsidian plugin that allows you to leverage your OpenAI API key to extract insights from content found online with ease, creating a nice visualization of key data points.

GitHub

🎩 H/T: thomasjjj

🔎 p3Wifi

If you’ve ever used Wigle but feel like it’s too much of a blast from the past, check out p3Wifi. Similar, but modern.

Web App

🔎 ThunderBit

If Instant Data Scraper is coming up short for you, consider ThunderBit. It’s like ChatGPT and Instant Data Scraper in a tag team match up, but it’s in your web browser as a Chrome Extension.

Browser Extension

⭐ Sponsor: SockPuppet.io

SockPuppet delivers secure, isolated environments with persistent virtual desktops and phones, real carrier-based SMS for OTPs, and residential IP connectivity—selectable from hundreds of locations. All accessible through a simple web interface that scales as your investigations grow.

Visit SockPuppet.io to empower your investigations with technology trusted by intelligence professionals.

🏁 New CTF Challenge Live - The Unknown Bridge

A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on identifying the full name of a bridge seen in the background of a flying U.S. Navy UAV.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured an image reverse lookup OSINT task titled “Locating Epstein”.

By closely examining the wall behind the subject, we could take a screenshot of the window area and run it through PicDetective which then pointed us to the Great Wall of China.

Additional visual clues were also present, such as Chinese writing visible on the wall, which also indicated that the location was in China.

The task tested participants OSINT skills, particularly their ability to perform image reverse lookups, analyze subtle visual clues, and leverage the appropriate tools to identify the location accurately.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Organizing Information and Avoiding Duplication of Effort

• When doing an investigation, you can very easily retrace your steps accidentally and waste a lot of time. In this issue, I will step through my method for collecting and organizing information and improving efficiency.

  • This issue includes a free browser extension for improving investigative efficiency as well as a free Obsidian plugin for basic case management.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

🏁 New CTF Challenge Live - Locating Epstein

A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on identifying the exact name of the location where a photograph of Jeffrey Epstein and Ghislaine Maxwell was taken.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a domain OSINT task titled “The Phisher” (2 Parts). For Part One, the objective was to investigate the suspicious domain rnicrosoft, a clear typosquatting attempt designed to mimic Microsoft's domain name. The challenge required performing a WHOIS lookup on the domain to gather publicly available registration details.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ How I Went From Intelligence Analyst to Product Manager

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

Sometimes with OSINT, it’s all about location. The ability to discover where an image was taken, a video was shot, or a newsworthy incident took place can make the world of difference to an investigation. From verifying frontline war-zone footage, to detecting digitally-altered imagery, there are probably more uses for geolocation OSINT than there are countries in the world (about 195, fyi).

However - part art and part science, working out where things are with OSINT takes a very particular set of skills. This issue will teach you:

• The basics of GEOINT

• The best geolocation tools online

• Manual methods (including visual recognition)

• …and how to place any piece of data in geographical context.

It’s time to take a tour round the world of geolocation OSINT. Let’s set off.

What is GEOINT?

In beginners’ terms, geolocation OSINT (also known as GEOINT or geospatial intelligence) is discovering locations with analysis; usually to place a particular piece of data in a geographical context. This involves a mix of satellite imagery, mapping, and environmental or visual context clues - which all work together to give analysts an idea of where in the world things are.

GEOINT is used worldwide by the most advanced intelligence capabilities, like government departments and global defence firms. But even if you’re not wading into world conflicts, you’re still crossing borders - between the digital world, and the physical one. This area of OSINT is all about putting digital data in a physical context.

The Two Hemispheres: Geolocation Methods

Geolocation OSINT mixes up two types of methods to make actionable discoveries. To pin down where something really happened, these are the two different areas of work you’ll need to explore: the digital, and the visual.

1. Visual Analysis

Visual analysis is the most popular, and most extensive, geolocation discipline. Images - including moving images aka video footage - are stuffed full of clues to work with.

Even minor details - like curb paint or utility pole design - can narrow a search from continent to city. Pro investigators will usually combine visual work with AI-assisted pattern analysis, to… Actually, we’ll go much deeper into image analysis later, so put a pin in this part for now.

2. Digital Analysis

Meanwhile, some work sits in the digital world; particularly processing metadata and IP searching. While IP geolocation is weak, it can occasionally reveal the target’s country or region - giving you a clear place to start. More importantly, images and documents often carry metadata with geographic indicators.

Of course, metadata won’t always be there; it’s often stripped by social media platforms to protect people’s privacy, or intentionally removed by the creator to obscure a file’s origin. But it’s always worth exploring.

The Explorer’s Toolkit: Geolocation Tools

Now, the tools of the GEOINT explorer’s trade. Put away your paper maps; from satellite platforms to reverse image search engines, this tech toolkit will shrink your search area fast. And the less jungle you have to beat through, the better your geolocation efforts will go.

Mapping and Satellite Platforms

• Google Earth: Still the bedrock of geolocation work. Google Earth will give you a fast visual impression of terrain types, distances and landscapes.

• Google Maps: Google Maps’ integrations with other features (like business pages and reviews attached to public Google profiles), are priceless for pinpointing a target’s movements, or verifying business addresses.

• Google Street View: Valuable for ground-level verification. Plus, the stored historical imagery allows you to confirm when structures were built or changed.

• Yandex Maps: Particularly valuable for Eastern Europe and parts of Central Asia. Includes a Street View feature, and covers areas that Google won’t.

• Bing Maps: Often provides alternative Street View coverage where Google has gaps. Like search engines, it takes multiple mapping platforms to get a full geolocation picture; not every one indexes everywhere.

Reverse Image Search

• Traditional Reverse Image Search (eg. Google Lens, TinEye, Yandex): Reverse image search works by matching your searched image with similar shapes, colours, and distances in its library of indexed images. While traditional reverse image search can surface earlier uploads, higher-resolution versions, or media tied to specific locations, it won’t be able to tell you anything about an image that hasn’t appeared elsewhere.

• AI-Assisted Geolocation (eg. GeoSpy, picarta.ai, EarthKit): AI geoguessers take reverse image search to the next level. By matching landmarks, terrain, skylines and languages on visible text, they attempt to recreate the geographic metadata behind an image. Yet like all AI, they will still hallucinate: even advanced systems can’t tell the difference between the coastline of Puerto Rico and Barbados, for example.

Metadata Viewers

Both documents and images carry metadata, but image metadata is far more useful for geolocation. There will often be GPS coordinates in EXIF metadata, plus device model and timestamp data. Even the altitude the photographer was at, and the direction they were facing, will be visible with a quick metadata extraction. Even a simple online service like exif.tools can do the job.

Specialist Tools

Niche tasks will require unexpected tools: sun position calculators, for example, can help you with shadow analysis - a useful way to ascertain the time of day and location a picture was taken. Many curated lists - or OSINT toolboxes - are full of similar surprise tools that could help you later.

Spot the Details: Manual Methods & Visual Recognition

Put away your (Google) maps - and let’s turn back to visual analysis. Elite geolocation analysts rely on pattern recognition developed through practice; years and years of honing their ability to spot the most obscure useful details in an image. Of course, you don’t have years and years… so just go through this checklist.

1. Architectural Analysis: Buildings are different everywhere in the world. Look at roof shapes (flat vs pitched), window and balcony styles, and construction materials to get an idea of location. Concrete panel blocks could suggest a post-Soviet state, for example.

2. Road & Transport Indicators: Road infrastructure is also regionalised. Check lane markings, which side of the road they drive on, sign typography and bollard shapes. Even traffic light orientation can be country-specific - and has helped crack cases.

3. Language & Typography: If they’re speaking Chinese, it’s probably in China. You can even narrow the location down even further just by analysing any text you can see; alphabet systems (Latin, Cyrillic, Arabic, Mandarin, Cantonese etc.), dialect variations, domain suffixes on signage, and phone number suffixes can tell you where an image is specifically from.

4. Vegetation & Ecology: Trees, plants and flowers will reveal which climate zone the target is in. For example, palm species suggest either tropical or subtropical regions. Even the grass colour can tell you rainfall levels; dry, dusty greenery is more likely to suggest Arizona than South Dakota. Check agricultural crops too - if the fields are full of corn… more likely Midwest.

5. Shadow & Sun Analysis: Determining shadow directions sounds like black magic. But analysing shady spots can show you the hemispheric orientation of your image. Measure shadow length, height, and angles, then compare them against timestamps to validate or debunk the claimed capture dates.

6. Terrain & Topography: Lastly, landforms and terrain textures can tell you macro-location information. Mountain silhouettes, coastal curvature, and even the specific hue of the soil can help close in on a specific part of the world. Matching sections against satellite imagery is a common closing technique.

Example: Geolocation OSINT in Action

A beautiful young traveller is abducted during a European trip. During her final, brief phone call she manages to whisper: “White walls… red curtains… balcony outside.” The call cuts.

You are her father: a middle-aged GEOINT practitioner with a very particular set of skills. Time to use them to discover where she was taken.

Step One: Review Available Footage

You begin by checking her socials, where you find a video she posted earlier that day. In the background you see a street view from her apartment balcony. Visible details include cream-coloured Haussmann-style buildings. This indicates your daughter was in Paris.

​​Step Two: Reverse Image Search

Zooming in on the footage frame-by-frame, you see that one of the Hausmann-style buildings is a cafe. By using reverse image search on the cafe’s distinctive red awnings - and cross-referencing Paris business listings - you identify several candidate streets.

Step Three: Street View

You take your search on to Google Street View. “Walking” around your candidate streets, you “look” in the windows opposite each cafe to see if you can spot the key details: white walls, red curtains, balcony outside. You eliminate candidates until one street aligns perfectly.

Step Four: Get Technical

Returning to the original video, you extract the metadata from the video file. GPS coordinates are absent, but timestamp and device data remain. It was posted with an iPhone, in Paris… cross-referencing upload time with her known movements and daylight conditions confirms the exact location. Time to go get the bad guys.

Key Takeaways

After that whistle-stop tour round the world of geolocation OSINT, you should know:

• It’s half art, half science. Geolocation OSINT is both visual and technical

• Don’t forget your tools - Even the unexpected ones

• Cross-reference everything. Geolocation is triangulation. Where points converge - that’s your spot.

See you next week, investigators!

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 93 and 94 of The OSINT Newsletter and focuses on two core realities of modern OSINT: why domains remain one of the most powerful investigative entry points, and how real investigators evolve their methods, tools, and careers over time.

In Episode 12 of the OSINT Podcast, host Jake Creps breaks down Domain OSINT from first principles, showing how a single URL can unravel ownership, infrastructure, intent, and connected activity. Alongside that, Jake reflects on how OSINT methods are discovered, why most of them decay, and how his own path from intelligence analyst to product manager reshaped how he thinks about collection, analysis, and tooling.

The episode also covers OSINT news, emerging risks in large-scale surveillance systems, agentic AI, and several practical tools that investigators are using right now.

Highlights include:

🌐 Domain OSINT: It’s Free Real Estate – why domains are one of the most overlooked investigative assets, what they can reveal about ownership, infrastructure, behaviour, and intent, and how to move from a single address to an entire network.

🧱 Beginner Tools for Domain OSINT – practical walkthroughs of WHOIS, DNS enumeration, reverse IP search, historical site analysis, and email infrastructure checks, all using free or freemium tools.

🔁 Turning Patterns Into Pivots – how hosting reuse, domain age, registrar choice, and site history expose relationships that privacy protection can’t hide.

🧪 A Domain OSINT Case Study – following a suspicious “global services” website from registration details to hosting behaviour and archived versions, and showing how fast red flags accumulate when you know where to look.

🧠 How New OSINT Methods Are Discovered – an inside look at how investigators actively and passively find new techniques, why most methods have a short shelf life, and why sharing sources and methods matters more than hoarding tools.

🧑‍💻 From Analyst to Product Manager – Jake’s personal journey from intelligence analysis into tech, the concept of “Customer Zero,” and why analysts often make the best product leaders in OSINT-adjacent companies.

🛠 Building Tools vs Doing Analysis – the tension between creating collection tooling and maintaining analytical rigor, and why many investigators naturally drift toward engineering without realizing it.

🕵️ OSINT News and Emerging Risks – coverage of OSINT resources for Qatar, crowdsourced surveillance systems and privacy failures, and the growing reality of investigating humans operating behind LLM-driven content.

🔎 New and Noteworthy Tools – including Dorkwright for homegrown SERP scraping, Pic Detective as a reverse image search complement, and Think-Pol for Reddit investigation in a hostile API environment.

Throughout the episode, the emphasis stays on fundamentals over hype, behaviour over branding, and understanding systems rather than blindly trusting tools.

If you want to get better at tracing ownership, uncovering infrastructure, and building an OSINT skillset that survives tool churn and career pivots, Episode 12 is for you.

References

OSINT Newsletter – Issue 93
OSINT Newsletter – Issue 94

Dorkwright | Pic Detective | Think-Pol

OSINT of Qatar | Waze Crowdsourced Surveillance | OpenClaw (Moltbot)

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Domain OSINT: It’s Free Real Estate

Let’s get started. ⬇️

OSINT News

📰 OSINT of Qatar

If you find yourself needing to investigate individuals or entities in Qatar, make sure to bookmark this page. It’s rich in resources to aid in your investigations. It includes person search, company search, court records, and more.

Read on Unishka’s Substack…

🎩 H/T:

📰 How Waze Quietly Built the World’s Largest Crowdsourced Surveillance System (and then fixed it)

Some OSINT methods are useful if used at a small scale. Other methods are so problematic they pose data privacy issues too large to ignore. This is an example of the latter. Fortunately for Waze, they corrected the problem promptly, prioritizing user privacy over functionality.

Read on X…

🎩 H/T:

📰 OpenClaw (a.k.a. Moltbot) is everywhere all at once, and a disaster waiting to happen

If you haven’t been following the OpenClaw story, start here. Agentic AI went from an abstract concept to holy shit what is going on right now pretty quickly. The first thought that came to my mind was an episode of Black Mirror called Plaything. Read about OpenClaw first, then watch the episode on Netflix.

Why is this relevant to OSINT? Prepare for the lion share of content to be generated by LLMs, orchestrated by humans. We’ll soon have to investigate the humans behind the LLMs.

Read on Marcus on AI…

🎩 H/T:

OSINT Tools

🔎 Dorkwright

If you’re reading this and have followed me for a while, you know I’m a huge fan of SERP APIs. They’re expensive, though. Dorkright gives you the ability to make a homegrown SERP, saving you a ton of money if you can sustain it.

GitHub

🎩 H/T: San-Tus

🔎 Pic Detective

When you have an image, you can reverse image search, right? You can use Google, Yandex, and other search engines. You can use LLMs like ChatGPT or Grok. You can also use PimEyes or FaceCheck. You should also use Pic Detective, even if it’s not a one-stop shop.

Web App

🔎 Think-Pol

Reddit has been cracking down on their API usage. I mentioned R00M101 in a previous issue of the newsletter. It looks like it grew up to become Think-Pol. There are still lifetime licenses left; however, proceed with caution. Reddit continues their assault on third party applications.

Web App

🏁 New CTF Challenges Live – The Phisher (2 Parts)

A new CTF challenge has been posted on our CTF website. This week’s CTF is about a suspicious domain using typosquatting for phishing attacks.

Can you identify the person behind this domain?

Start competing in our Capture the Flag (CTF)!

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ How I Went From Intelligence Analyst to Product Manager

• Another top question I get from my readers. I started off an intelligence analyst, I ended up a product manager. What’s that all about? Let me explain.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• Introduction to Domain OSINT

• Beginner tools for Domain OSINT

• Case study in Domain OSINT

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ How I Discover New OSINT Methods

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

Domains are the real estate of the internet. From the swishest company site, to the jankiest homepage, to the most self-indulgent blog, every website on the net is like a piece of land - and every piece of land has an owner. The “address” to this land is the domain name. So if you investigate that domain right, it could lead you straight to the landlord’s door.

In this issue, we’re exploring domain OSINT; one of the most useful (and most misunderstood) starting points for investigation. We’ll cover:

• What domains can actually tell you

• Beginner tools for domain OSINT

• How to pivot from domains to other intel

• A practical example of domain OSINT in action

By the end, you’ll know how to go from one innocent-looking URL to a whole new world of intelligence. It’s free real estate.

What is Domain OSINT?

Domain OSINT is pretty self explanatory; it’s the act of investigating a domain name and the infrastructure around it. It’s easy to assume that it’s just about “who owns this website?” - of course, that’s super important information to learn (and has cracked some very high-profile cases). But the intelligence value of the average address is much more than a less OSINT-savvy realtor would tell you. A domain connects to:

• Registrant information

• Hosting providers and IP ranges

• Subdomains and services

• Email infrastructure

• Historical versions of websites

• Other domains owned by the same entity

What can I actually learn from a domain?

Pretty much anything. Each of the above points of data you can get from a domain also have a corresponding intelligence use. After all, in super pretentious terms, a domain is a behavioural artifact: someone registered it, configured it, hosted it, maintained it, and used it for a purpose. Every one of those decisions leaks information, like layers of old wallpaper that tell you your house’s walls used to be puke-green. You can uncover:

• Ownership: When the owner of the site got the domain, they likely had to provide the hosting provider with some identifying data: an email address, a real name, or the name of an organisation they’re connected to. You can get this data.

• Connected Sites: Any subsidiaries, backups, or even scammy clones of the target domain. They could also be hosting the page within another site, or own other sites under the same personal ID - which shows up a clear link to other activity.

• Email Activity: Some domains allow email hosting. A hosted email address has obvious pivot potential; you can look at MX records, plus all the other stuff we covered in our previous email issue.

• Hosting Behaviour: Are they using a cheap hosting provider? Or maybe it’s bulletproof hosting, or even sophisticated enterprise infrastructure? The type of hosting your target domain uses can indicate the purpose (and dodginess) of the site.

  • Also consider operational maturity: a fancy term for ‘how long it’s been there.’ A newly-created site might be used like a burner phone, whilst a long-established asset domain might suggest legitimacy.

• Geographic Location: You can use the address to find out where the domain is hosted; just look at the country code at the end. Also, the language used will tell you who wrote it, and who the intended audience is.

Of course, it’ll still take some classic investigator’s instinct to turn this information into insights. But even the most elusive info - intent, for example - is discoverable once you’ve got this know-how. Say you find a domain built yesterday, hosted on a bargain VPS, with no history and several clones… It’s easy to see how that could become evidence.

Beginner Tools for Domain OSINT

Now we know what domain OSINT can do, we can get into the tooling. You don’t need anything elite or expensive; our basic toolkit is all free (or freemium), fast and extremely effective.

🌐 WHOIS Lookup

WHOIS lookup is synonymous with domain OSINT. WHOIS search is a handy protocol that lets you search databases for information about registered users of domain names and IP addresses. That includes their contact details, the date they got the address, and more. You can also look into historical WHOIS data; ownership changes over time are often more interesting than current data.

🧱 DNS Tools

Tools like DNS Dumpster and SecurityTrails go through DNS records and associated infrastructure. Give them a hostname, and they’ll reveal subdomains, DNS changes, name servers, and any other associated digital assets the domain owner forgot to take down. In addition, you can also get statistics, like how many other hostnames have the same IP.

🔁 Reverse IP Search

Reverse IP search can show you what else is hosted on the same server as your target domain. Often, people will reuse cheap hosting servers; it’s common in networks of scammers, for example. Infrastructure reuse will betray any hidden relationships.

📜 The Wayback Machine

Want to know what a site used to look like? Check it out on the Wayback Machine. The Internet Archive stores captures of sites from the past, so you can see previous versions. You might find old branding, evidence of previous owners, or deleted content. Sudden pivots (e.g. from “crypto project” to “consultancy”) are classic red flags.

📧 Email Infrastructure Checks

MX records show how the site handles email. Usually, they’re used to check if an email address is fake without sending a humiliating (or dangerous) bounceback message. However, they can do even more for domain OSINT, too. Find out which email provider they use, and whether the email works at all. A “professional” company with no proper email setup is… suspicious.

Example: Domain OSINT in Action

Let’s test our skills on an example. Imagine you’ve found a site from a company offering “international geomarketing services”. Their website is slick - full of stock photos of serious people in suits staring at maps. The domain address: red-ball-market-global.com.

You’ve called their phone number, but you’re on hold. So while you’re waiting, you do a little domain OSINT.

Step One: WHOIS Check

You plug the address into a WHOIS search, hoping to find registration details. The domain itself was registered 11 days ago via a budget registrar, which does seem suspicious for a legitimate “global” firm. They’ve also enabled privacy protections, so no contact details.

Step Two: DNS and Subdomains

You run a DNS enumeration, and turn up some results for connected subdomains: mail.red-ball-market-global.com, and portal.red-ball-market-global.com. Mail does exist - and explains the email you received. Portal redirects you to a generic login page.

Step Three: Reverse IP Search

Reverse IP search shows four other domains on the same server as red-ball-market-global.com:

• tecca-corp.com

• tamblays-for-menswear.com

• amazing-crypto-opportunity.net

• calicocutpants.com

None of these are older than two months, and their relevance to “international geomarketing” is… weak. Clearly, the original red-ball site’s owner has a diverse business portfolio. Too diverse to trust.

Step Four: Wayback Machine

In the Internet Archive, you uncover a previous version of red-ball-market-global.com. A year ago, it was selling cheap office furniture under the ‘Red Ball’ name; with Trustpilot reviews in the dirt. This confirms that you’re looking at the operator’s latest scam, not a legitimate global agency.

So, red-ball-market-global.com is one big, red, spherical flag. But at least their hold music was catchy.

Key Takeaways

Hopefully, you’ve now got your first step on the OSINT property ladder. You should know:

• Who owns the internet? Domain registrars, that’s who. Every site has an owner, and every owner has their details stored somewhere.

• Landlords exist: Some people have multiple sites. Connecting them is key.

• Patterns are pivots: Even if the contacts are privacy protected, you can still analyse the target’s behaviour around a domain.

• It’s free real estate: Domain tools are free, and good enough to get results.

See you next issue, investigators!

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issues 91 and 92 of The OSINT Newsletter and explores how investigators are actually using AI today, how new OSINT methods are discovered, and which tools are quietly changing how modern investigations get done.

In Episode 11 of the OSINT Podcast, host Jake Creps breaks down practical AI workflows, realistic prompting strategies, and the growing toolkit of AI-assisted OSINT tools. The conversation then shifts into how new OSINT methods emerge, why most of them expire, and what separates useful research from gimmicks.

Along the way, Jake also highlights current OSINT news, privacy risks in mobile data, and several standout tools for username investigation, massive file analysis, and understanding how large language models really work.

Highlights include:

🤖 OSINT With AI in Practice – what AI is actually good for in investigations, including summarisation, extraction, cross-referencing, translation, and pattern discovery, and why it works best as a junior analyst rather than a replacement investigator.

🧠 Prompting Like an Investigator – how to structure prompts using roles, tasks, rules, and output formats, why vague prompts cause hallucinations, and how to force accuracy by telling AI not to guess.

🛠 The AI OSINT Toolkit – a practical look at general-purpose LLMs, visualisation and mapping tools, archive and capture tools like Hunchly, and large-scale data processors for leaks and document dumps.

📂 Feeding Massive Files to AI – how tools like AIWhisperer let you analyse huge documents while chunking data and reducing what gets exposed to cloud models.

🔍 Username OSINT With Image Extraction – a deep dive into tools like The Big Brother that combine username enumeration with image scraping and reverse image search.

🧩 Understanding LLM Inputs and Constraints – why tools like LeakHub are useful for seeing the hidden system rules that shape AI responses and how better understanding inputs leads to better outputs.

🕵️ OSINT News and Methods in the Wild – analysis of high-profile investigations, mobile ad-data privacy risks, and how researchers are sharing sources and methods without crossing ethical lines.

🧪 How New OSINT Methods Are Discovered – an inside look at how investigators actively and passively find new techniques, why most methods decay over time, and how real innovation usually comes from tool builders and field researchers.

📸 Pioneering New Analysis – emerging areas like extracting fingerprints from images, analysing audio for attribution, and pushing beyond traditional collection-only workflows.

Throughout the episode, the focus stays on practical workflows over hype, clear instructions over magical thinking, and evolving skillsets over static tool lists.

If you want to work faster, waste less time on grunt work, and actually integrate AI into real OSINT investigations without embarrassing yourself, this episode is your starting point.

References

OSINT Newsletter – Issue 91
OSINT Newsletter – Issue 92

AIWhisperer | LeakHub | The Big Brother

Analysing Footage of Minneapolis ICE Shooting | Mobile Ad Data Privacy Risks

How to Discover New OSINT Methods | Pioneering New Analysis Techniques

• Sharing sources and methods for high profile investigations

• Privacy risks in mobile ad data

• Automating large file analysis with AIWhisperer

• A user friendly, beginner friendly OSINT tool directory

• Behind the curtain on LLM inputs

• Username OSINT with image extraction

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ The Investigator’s Best Friend: OSINT With AI

Let’s get started. ⬇️

OSINT News

📰 Analysing Footage of Minneapolis ICE Shooting

If you caught the last episode of the podcast, I talked about sharing methods you used in high profile cases to help enrich the OSINT community. Here’s an example. No doxxing. Just sources and methods.

Read on Bellingcat…

🎩 H/T: Jake Godin

📰 Your Phone is a Tracking Device, and the Government (and Others) are Buying and Using the Data to Find You

A tale as old as time. Companies are getting a hold of your mobile information, often through advertisement networks and other mobile applications, aggregating it, and selling it to the government (or worse). If you aren’t familiar with this risk, read up on it here.

Read on Tate’s Online Safety Community…

🎩 H/T: Tate Jarrow

📰 Introducing AIWhisperer. Feed massive files to AI with less data exposed

I’ve run into this problem; you’ve run into this problem. You upload an attachment to your favorite LLM and it says the attachment is too large. You have to find a way to break it into smaller chunks. That sucks. Also, you have to redact information you don’t want uploaded to the cloud. AIWhisperer does both of these for you at the same time. Enjoy.

Read on Digital Digging…

GitHub

🎩 H/T: Henk Van Ess

OSINT Tools

🔎 OSINT Investigator’s Toolkit

This is a beginner-friendly collection of OSINT tools that features both free and paid tools. It’s another directory; however, it has a search engine which makes tools easier to find. If you’re new to investigations, there’s a lot of staples here.

Web App

🔎 LeakHub

Warning: This tool is pretty niche. If you’re curious about how LLMs work behind the scenes, LeakHub shows you the guidelines LLMs have to follow when fulfilling your request. The web page is missing an description but their GitHub page has more details. This is useful because the better you understand the inputs, the better you can control the outputs.

Web App

🎩 H/T: pliny

🔎 The Big Brother

This is a username tool on steroids. Not only does it fetch profiles with matching usernames, it also extracts images from those profiles and provides you with search engine results for those images. I’d love to see this tool integrate OLlama for more analysis, though.

GitHub

🎩 H/T: Chadi

🏁 Missing Christmas Challenge

No one has solved last weeks CTF and so we will not be revealing the answers. This weeks challenge is a lot easier, a simple geolocation challenge.

Capture the Flag

🪃 If you missed the last CTF, here’s a link to catch up.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ How I Discover New OSINT Methods

• Follow along as I show you how I discover new methods both in collection and analysis. I have a heavy bias towards the former, though. Use these methods to build your own tools or use them for good like in missing persons investigations.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

• Prompting: How to “Talk” to AI

• The AI Team: Tools for AI OSINT

• Example: OSINT with AI in Action

🏁 New CTF Challenge Live - The Missing CEO (3 Part)

A new CTF challenge has been posted on our CTF website. This weeks CTF was designed by @foilmanhacks and is very challenging.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last weeks CTF challenge was an image analysis challenge called (Nothing to See Here) answer: Steghide was used to extract an embedded secret.txt from the JPEG (password found via rockyou.txt), the message pointed to the nearest campsite and warned about a Bosnia name decoy, and the terrain/coastline were matched on maps to pinpoint the viewpoint and identify the closest campsite as Campingplatz Vucine for the flag.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Why OSINT Certifications Aren’t Worth It and What to Do Instead

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

OSINT data isn’t always user-friendly; it can be a hostile landscape of scattered sources, dense PDFs, super-long social threads and dodgy data leaks. Often, the main challenge is sorting out what’s actually helpful, and doing it fast enough to be useful.

That’s where AI comes in. At the moment, it seems like many people don’t love it- probably because they don’t do OSINT. If you’re an OSINT investigator, AI is your best friend… and in this issue, we’ll show you how to use it.

We’ll cover:

• How to “talk” to AI

• Essential AI tools (that actually work)

• How to get accurate, repeatable results

• And an example of AI in action

By the end, you’ll have met your new research assistant, and worked it into your workflow. Let’s get acquainted.

What Can AI Do For Me?

Well-deployed AI is extremely reliable and useful. It can:

• Read and summarise more text than a human can

• Draw out patterns or contradictions in data

• Extract specific types of data

• Cross-reference with other sources

• Translate foreign languages (at a basic level)

• Come up with fresh angles or unexpected pivots

In other words, AI lets you dump the time-consuming (and dull) parts of OSINT off onto a machine, leaving you free to focus on the important stuff. But of course, even a machine can’t do everything. AI can handle grunt work, but it won’t replace you or your typical OSINT tools. You still need the traditional tools to discover data, while AI helps you understand, present and use that data more effectively.

Prompting: How to “Talk” to AI

Although it seems like AI can speak any human tongue, it’s not the same as a person. You have to use its “language”: also known as prompting.

A prompt is a command that tells the AI what to do. AI follows instructions literally, so a good prompt gives good results. If you’re vague, the system will try to work out a solution by itself - usually with assumptions or just making things up. Think of it like a junior analyst who works incredibly quickly, but needs clear instructions so they don’t mess up. Or start hallucinating.

A good prompt usually follows this structure:

• The role: who the AI should act like (e.g., “as an OSINT analyst”).

• The task: what you want it to do (e.g., “extract all names from this document”).

• The rules: what it should and shouldn’t do while completing the task (e.g., “cite sources,” “base all conclusions on the text”).

• The output format: how you want the results delivered (e.g. “as a table”)

Why Do the Responses Still Suck?

If you’re clear about what you want, you’ll usually get it. But even if you think you’ve put in a good prompt, it might need a little refinement. Try these strategies.

Tell the AI Not to Guess: Add a line like: “If any information is missing or unclear, respond with ‘unknown’ rather than guessing.” This dramatically improves accuracy during investigations, and prevents hallucinating.

Break It Down: Instead of bombarding the AI with a string of complex instructions, break the task into little bits - each a separate query. Ask step-by-step: eg. 1. Extract detail, 2. Identify relationships, 3. Highlight inconsistencies - and so on.

Iterate: Work out what works for you on a tool-by-tool basis. If the output isn’t perfect, change your input. Ask follow-up questions. Provide examples. Try phrasing things differently… Then stick to whatever gets results.

The AI Team: Tools for AI OSINT

As you know, pro OSINT isn’t done with just one tool - it takes a whole team to make the dream work. Each one handles a different type of data: we’ve discussed AI image tools before, for example. We love it when an AI OSINT toolkit comes together, so try adding these AI-powered tool types to your loadout.

🤖 General-Purpose AI Analysts (ChatGPT, Claude)

These large-language models (LLMs) are like an extra brain to add to your investigation. On a basic level, they’re machine learning systems that work with text; so if you give them human language material (text or documents, for example), they’ll process it fast and return results.

They’re especially good at:

• Summarising long docs with a succinct precis

• Extracting data points like names and dates

• Spotting suspicious details or unobvious inconsistencies

• Creating strictly structured reports

Being the vanilla version of AI, these models are far from perfect. But with high quality prompts - and if they stick to what they’re good at - they’ll be extremely effective co-investigators.

🎨 Visualisers and Mapping Tools (Maltego, OSINT Industries Palette)

Visual investigation tools (like Maltego or OSINT Industries Palette) show how different pieces of information connect to each other within the context of your investigation - like a digital evidence board from a serial killer movie. And with the extra helping hand from AI, these tools get even stronger.

These tools can:

• Visualise links between data points

• Automatically add detail with AI-generated summaries

• Get a clearer understanding of complex investigations

If you’re working on a case with lots of parties involved and are struggling to make links, these OSINT AI tools will straighten out the threads.

Archive and Capture Tools (Hunchly)

AI OSINT investigation tools don’t just help you understand what you’re investigating; they can also help you archive and present it. Apps like Hunchly will automatically record every page you visit during your investigation, taking all the drudgery out of archiving.

They can:

• Collect the URL, timestamps, and hashes of every page you visit

• Make full-page captures of pages

• Categorize and tag captures (with search function)

• Assemble findings into court-ready reports

They’re ideal for long investigations, and save you having to hunt through tabs or untitled files for that one screenshot you need. With OSINT AI tools, your investigation can be fully sourced and documented - no matter how much you browsed.

Large-Scale Data Processors (Elastic AI, Haystack)

Sometimes, OSINT work gives you huge quantities of data to sift through. From giant text dumps, to large leaks, and groups of thousands of documents, large-scale data processors allow you to blitz through tons of data all at once.

These tools allow you to:

• Search for keywords, and contextual searches

• Group similar documents

• Spot recurring themes and data points

Large-scale data processors are great for large-scale investigations, as their name suggests. If you have data you could never process manually (or handle with an LLM), try these.

Example: OSINT with AI in Action

Imagine someone named Astra Velorin connects with you on LinkedIn. Their profile is mysterious: listing their title as ‘Ambassador for the Outer Spiral Arm’, and they’re offering you a job as an ‘Abduction Assistant’. Are they a genuine alien, or a particularly inventive scammer? Time to investigate - with AI.

Step One: Analyse the Profile

You paste Astra’s bio into an AI model - good old Chat GPT, in this case - and ask it to look for any other instances of the phrase “Ambassador for the Outer Spiral Arm” online. It brings up a sci-fi fan site, suggesting where the idea was lifted from.

Step Two: Generate Pivots

You write a clear, concise prompt: “show me a list of three follow-up checks to verify whether this profile is genuine.” ChatGPT returns a clear list of contextualised next steps:

1. Search for username reuse on gaming or role-play forums

2. Check if the “Interstellar Embassy” has a registered address

3. Reverse-image search their profile photos

You use image AI tools to follow-up on the latter - and find all the images come from an art subreddit.

Step Three: Examine Their Documents

To pique your interest in the position, Astra sends you a lengthy PDF titled First Contact Proposal. Instead of wasting time on reading it, you run AI analysis on the text, and find it’s an exact match for a well-known sci-fi novel. It’s also stylistically inconsistent with Astra’s LinkedIn posts, which are mostly about marketing.

Step Five: Summarise

You use your AI tools to create a clear summary of the investigation so far. Luckily - even though the investigation took you across the internet - everything is automatically archived. Leaving you with verifiable proof that Astra is not an extraterrestrial diplomat - just a bored nerd.

You reject the offer and remain on Earth.

Key Takeaways

Now you’ve met your new assistant! This issue should have taught you:

• Your job is safe: AI won’t replace your investigative skills - just support them.

• AI is dumb: It works best on straightforward tasks, with clear instructions.

• Use many tools: each one is good for a different job.

• Don’t waste your life: with AI, there’s no excuse to lose time on grunt work.

See you next issue, investigators!

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

This episode covers Issue 90 of The OSINT Newsletter and focuses on how OSINT actually gets done in 2026, from investigating developer platforms and deobfuscating messages to building real world credibility without certifications.

In Episode 10 of the OSINT Podcast, host Jake Creps digs into practical investigative techniques and long term skill building. The conversation moves fluidly between tools, methodology, and career advice, showing how investigators can stay effective in a field that changes faster than any syllabus.

Highlights include:

💻 Investigating GitHub Profiles – why contribution graphs can be misleading, how to properly analyze commit history, branches, and activity, and what GitHub can reveal in real investigations.

🤖 Local AI Inside OSINT Tools – a look at tools like God’s Eye that run AI locally using Ollama, enabling private, zero cost analysis without sending data to third parties.

🕵️ Deobfuscating Telegram Messages – how spoiler text and pseudo braille obfuscation works on macOS, and how hidden messages can still be recovered from screenshots and screen shares.

🖼️ Face Recognition and Reverse Image Search – navigating an increasingly paywalled ecosystem and evaluating alternatives for investigators on a budget.

📬 Gmail Addresses as Identifiers – why the ability to change Gmail addresses could weaken email as a long term unique identifier and what that means for attribution.

🍌 Nano Banana vs AI Detection – how new generative models are outpacing detection systems and why AI validation is becoming harder, not easier.

🎓 Why OSINT Certifications Aren’t Worth It – a candid discussion on why certifications often lag behind reality, and what to do instead to build credibility.

Throughout the episode, the emphasis stays on results over credentials, adaptability over static training, and learning by doing rather than memorizing outdated playbooks.

References

OSINT Newsletter - Issue 90

God’s Eye | Telegram Spoiler Decoder | Surfface

GitHub Commit History is Misleading | Changing Gmail addresses | Nano Banana vs AI

• Investigating GitHub profiles

• You can change your Gmail address?

• Nano Banana ruining the internet

• Local AI inside of GitHub OSINT tools

• Deobfuscating Telegram messages

• Face recognition reverse image search

Over the past few weeks we have posted 6 CTF challenges as part of the OSINT Newsletter CTF. A new challenge is now live on the CTF website. You can sign up and compete now.

Here are the answers to those challenges:

Operation Jaguar

Challenge #1: The Jaguar Building - Google Lens on the building locates it as the Cartier shop in London.

Challenge #2: The Mystery Car - Reg plate obtainable from user submitted 360 view footage from Google Maps.

Challenge #3: Vehicle Attribution - Information available from the UK’s MOT website.

Challenge #4: Looking Back - Vehicle damage history (partially) available from MOT website.

Operation X

Challenge #1: Twitter Account Geolocation - Using the CLI tool to export the data, 60% of the recent RT’s come from Europe or European counties.

Operation History

Challenge #1: Past is Prologue - Using wayback machine we can find the earliest recorded snapshot of the osintpodcast.com. Then, using developer tools to view the source code of the page we can see multiple mentions of “assets.buzzsprout.com” and other code snippets mentioning the Buzzsprout service.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Investigating X Account Locations at Scale

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Let’s get started. ⬇️

OSINT News

📰 GitHub Commit History is Misleading

This is not OSINT-related per se; however, if you discover a GitHub profile during your investigation that seems to be dormant (the commit history is completely gray), you might be making a mistake. Before closing your tab, make sure to look at all of the commit history and other activity first.

Turns out, contributions to branches other than main don't show up in the contribution graph (until you merge). Good to know for anyone else wondering why their activity isn't reflected accurately! 

🎩 H/T: Emrah Nazif

Read on LinkedIn…

📰 You may soon be able to change your Gmail address

Soon, Gmail users might be able to change their email address. This is pretty significant considering that, similar to usernames, the uniqueness of an email address as a personal identifier might be weakened, specifically with Gmail.

A Google support page in Hindi says the feature is "gradually rolling out to all users."

🎩 H/T: Will Shanklin

Read on Engadget…

📰 Nano Banana Pro vs AI Detection; Who’s the human here?

In September, I wrote a post about testing AI detection against existing models. Google’s Nano Banana was released in August and it’s becoming a big problem. Jonathan tests out the new model against existing detection models I didn’t cover in my previous issue.

🎩 H/T: Jonathan Hatzbani

Read on LinkedIn…

OSINT Tools

🔎 God’s Eye

AI is so accessible that it’s even making its way into free OSINT tools. God’s Eye is a subdomain enumerator (among other features) that uses a local AI (Ollama) to do analysis for vulnerabilities and produce reports.

Zero-cost local AI with Ollama for intelligent vulnerability analysis, CVE detection, and executive reports. 100% private.

GitHub

🎩 H/T: Vyntral

🔎 Telegram Spoiler Decoder

If you’re on a Mac, the Telegram can display text that looks like braille. It’s a unique way of obfuscating text; however, like other methods, you can still reveal the plaintext behind it.

Telegram client on MacOS sometimes displays text under spoiler as pseudo-braille characters. In such cases, if you share your screen or take a screenshot, the hidden text can be recovered!

Web App

🎩 H/T: Soxoj

🔎 Surfface

Surfface is another reverse image search that uses face recognition to identify people. With Pimeyes and Facecheck.id going behind the paywall, investigators on a budget are always looking for new tools that don’t require a card on file (or a crypto transaction).

🗒️ You have to spoof your location to use the tool. I set my VPN to a Russian IP.

Web App

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

⚡ Why OSINT Certifications Aren’t Worth It and What to Do Instead

• OSINT certifications are expensive and the training associated with them is often outdated. In this issue, I step through what I did to build my resume in OSINT. I don’t have any certifications.

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry there’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.

Read more

From image analysis and shadow investigation to offline sources and large scale platform analysis, this episode covers Issue 88 and 89 of The OSINT Newsletter.

In the ninth episode of the rebooted OSINT Podcast, host Jake Creps explores how modern OSINT investigations increasingly rely on context, methodology, and synthesis rather than just tools alone. The discussion moves from pixels and shadows to books, archives, and social platforms, showing how investigators can widen their field of view without losing rigor.

Highlights include:

🖼️ Image OSINT That Goes Beyond Tools – why reverse image search is only the starting point, and how faces, objects, backgrounds, and reflections all become investigative pivots.

🎨 The Full Paintbox – a practical breakdown of when and why to use Yandex, PimEyes, Lenso.ai, TinEye, Google Lens, and Bing Visual Search together rather than in isolation.

🧠 Priming Images for Better Results – background removal, smart cropping, and AI restoration techniques that dramatically improve search outcomes.

🌑 Investigating Shadows – how tools like ShadeMap can be used to chronolocate images when time or place is missing, and where the limits of shadow analysis lie.

📚 Offline OSINT – why some of the most valuable intelligence still lives in obscure books, fringe publications, and physical archives, and how to integrate them into modern workflows.

🎭 Office Stunt Doubles – a discussion on visual misdirection, room doubles, and how small photographic details have been used to infer high level locations.

🌐 Searching for Groups – exploring emerging tools like Waybien and the ongoing challenge of discovering Telegram, Discord, WhatsApp, and Facebook groups at scale.

📊 Investigating X Account Locations at Scale – a walkthrough of a custom browser extension that collects quotes and retweets, extracts account locations, and outputs structured data for influence analysis.

🔮 OSINT Trends for 2026 – AI content validation, agentic AI, and synthetic influence campaigns, and what investigators should prepare for going into the new year.

Throughout the episode, the focus stays on tradecraft over hype, emphasizing methodology, limitations, and ethical considerations at every step.

References

• Image OSINT That Goes Beyond Tools (Issue 88)

• OSINT Trends for 2026 | Office Stunt Doubles | Offline OSINT (Issue 89)

• Anna’s Archive | ShadeMap | Waybien

• Investigating X Account Locations at Scale