👋 Welcome to the 97th issue of The OSINT Newsletter. This issue contains OSINT news, community posts, tactics, techniques, and tools to help you become a better investigator. Here’s an overview of what’s in this issue:

• Introduction to IP addresses.

• How to investigate an IP address.

• A step-by-step process for IP investigation.

🪃 If you missed the last newsletter, here’s a link to catch up.

⚡ Organizing Information and Avoiding Duplication of Effort

The OSINT Newsletter - Issue #96

The OSINT Newsletter

·

Feb 26

Read full story

🎙️ If you prefer to listen, here’s a link to the podcast instead.

Episode 13 - Geolocation Mastery and Organizing Your Investigations

The OSINT Newsletter

·

Feb 28

Read full story

Let’s get started. ⬇️

The internet is like a big mail service. Every time somebody logs into their account, clicks on to a link or loads up a site, the data for that action gets parcelled up and shipped across the web. If domains are street names, IP addresses are the house numbers that actually direct the parcels to the right home. And like regular mail, the whole process leaves a trace behind.

Of course, stealing people’s mail is a felony (and a great punk track) - but that doesn’t mean you can’t get valuable OSINT from tracking its journey. If you know how to read IP addresses, they can tell you where traffic travelled, what infrastructure handled it, and whether someone tried to hide the sender.

In this issue, we’re following the packets. We’ll cover:

• The basics of IP addresses

• How IPs can change (and why that matters)

• Reverse IP lookups

• Geolocation with IPs

• ..plus all about VPNs and Tor traffic.

Now, let’s check the labels.

What Is an IP Address?

An IP address (short for Internet Protocol address), is a numerical identifier assigned to each device or server connected to a network. Think of it like a shipment number. It can either look like:

• IPv4: The old faithful. Appears as four blocks of numbers separated by dots, e.g. 192.168.1.1.

• IPv6: The longer, newer format, becoming increasingly common as the internet runs out of IPv4 space. Appears as eight blocks of numbers separated by colons, e.g. 2001:0db8:85a3:0000:0000:8a2e:0370:7334

In OSINT terms, you can divide all kinds of IPs into two categories: User IPs, and Server IPs. A user IP belongs to a device connecting to a service. Meanwhile, a server IP belongs to infrastructure hosting websites, apps, or mail networks. Confusing the two is like mistaking a sender’s return address for a warehouse location.

IP addresses aren’t as stable an identifier as email addresses, for instance. But that’s OK; IP address OSINT is less about identifying individuals, and more about mapping the movement of data back to its source. Follow enough parcels, and you’ll find the depot.

Package Redirected: Why IPs Change, and What They Tell You

One of the biggest misconceptions in IP OSINT is assuming that IP addresses are permanent identifiers. Just because IPs are unique, doesn’t mean they can’t move from place to place. So why do IPs change, why does it matter… and once an IP changes, can you trace where it’s been?

Dynamic IP Addresses

Most average-Joe residential IP users are assigned dynamic IPs by their ISP (Internet Service Provider). These can change for a ton of reasons: after a router gets rebooted, for example, when a lease gets refreshed, or just over time. The most important thing to remember is that dynamic IPs get passed around between users. An IP that belonged to one person last month might belong to somebody else now.

Static IP Addresses

Businesses and hosting providers, however, usually use static IPs. These are longer-term allocations, tied to servers and infrastructure semi-permanently (emphasis on semi). However, when you see the same static IP appearing repeatedly, you can be reasonably confident you’re looking at a fixed point.

What IP Addresses Can Tell You

When Google alerts you that some stranger in France is suddenly using your login on an iPhone 12, they’ve gained this intelligence by checking the new French login IP address against the last 10 IPs you logged in from. Clearly, although an IP can’t tell you who did something online, it can tell you where, and with what device.

Overall, what IPs show you is the circumstances at the time an online activity took place. Was a login coming from a residential ISP? A data centre? A VPN provider? Or did multiple compromised accounts route through the same infrastructure - then suddenly switch to a totally different address? When paired with timestamps, old IPs help reconstruct movement patterns, and build up a theoretical narrative; like reading old postmarks to imagine a package’s journey.

Delivery Instructions: How to Investigate an IP

So, now you know why it’s worth investigating IPs, we can get to work on how. Some involve pro OSINT tools, but others are significantly more lo-fi. Let’s get into our favourite tips, tricks and techniques for investigating IP addresses.

Reverse IP Lookups

Reverse IP lookup - like reverse image search - flips the direction. Instead of asking ‘what IP does this domain use?’, you ask ‘what other domains are hosted on this IP?’. This is super useful when investigating scam networks and phishing campaigns.

To do it, plug the target IP into a passive DNS database, or an OSINT platform that supports reverse lookup (like Maltego). The results will bring up any domains associated with that address.

Hosting and Registration

Next, look for suspicious infrastructure. This could look like:

• Multiple domains sharing the same hosting

• Sudden bursts of activity (registering lots of domains at once, then none at all)

• Thematic similarities (crypto, “investment”, fake law firms etc.)

For example, if a single server IP hosts ten nearly identical “investment opportunity” websites registered within weeks of each other - especially on the same cheap VPS - then that’s a strong sign of unsavoury activity. Look up hosting and registration details with WhoIs searching.

That said, context still rules. Large hosting providers often place hundreds of legitimate websites on the same shared IP. In those cases, you’re looking at shared warehouse space, not necessarily shared ownership.

Geolocation

We covered IP geolocation a little in the last issue; it’s a way of identifying the country and often the city an IP is hosted in. It’s often inaccurate, and can’t pinpoint a specific address. So, think of it as narrowing delivery to the right city - not the exact doorstep.

However, it can still be useful - particularly for spotting inconsistencies. If a company claims to operate exclusively in one country but consistently routes traffic through infrastructure in another, for instance. Also look for repeated logins from the same location, and check if that matches with the IP geolocation result.

VPNs (Virtual Private Networks)

VPNs are a blessing and a curse for IP OSINT. When someone uses a VPN, the IP address you see belongs to the VPN provider’s infrastructure - not the user’s original connection. These VPN IPs often resolve to big data centres, too, making it tricky to tie down the user’s actual details.

There are ways to track if somebody’s using a VPN; rapid shifts between locations, for example. This is extremely useful if you need proof that a target is intentionally rerouting their traffic to avoid being detected.

Tor Nodes

Tor also adds another layer of complexity. The IP you see with a Tor browser is the target’s exit node, not the actual origin. Tor exit nodes are also completely public and rotate between users globally; so if you detect one, all it tells you is that the target didn’t want to be tracked. It doesn’t imply malicious intent, but it does tell you the package was deliberately relabelled before delivery.

Example: IP Address OSINT in Action

This time, imagine somebody has been making repeated attempts to log into your Strava account. If successful, they could hopelessly distort your PBs. All you know is that the logins originate from the same IP address. Let’s find out who’s running things.

Step 1: Identify the Owner

A Whois search shows that the login IP is registered to a regional consumer IP; a specific subscriber, on residential broadband. But where, and who?

Step 2: Analyse the Behavior

The IP is fairly consistent - with no jumping locations or ties to known exit nodes. That means the user isn’t attempting to hide their identity. The login attempts are also spaced irregularly, with pauses that resemble manual interaction rather than botting. So this is a real person.

Step 3: Geolocate

Cross-referencing multiple IP geolocation services places the IP consistently in western Ohio, near a cluster of rural towns. You’ve never been to Ohio. And you definitely haven’t been logging into Strava from there. An interesting detail: the region is known for its expansive cornfields.

Step 4: Reverse IP & Domain Check

A reverse IP lookup reveals two domains hosted to that same IP.

The first is a personal blog documenting endurance training experiments; one man pushing himself to run further and further in concentric circles without becoming dizzy.

The second, humanccohio.com, shows groups of runners arranged in geometric formations across harvested fields - what the author calls “human crop circles.” Metadata from the site aligns with the same western Ohio geolocation as the IP.

Step 5: Behavioral Context

The timestamps of the login attempts coincide with posts on the blog discussing “mapping local athlete data” and “identifying high-mileage runners nearby.”

Mystery solved: this is one guy in western Ohio, checking out Strava profiles in an attempt to recruit (or map) local athletes without their knowledge for his ‘human crop circle’ project. Weird.

Key Takeaways

Message delivered - now you know how to do OSINT with IP addresses. You should know:

• How delivery works: An IP is like a house number, it directs the data

• IPs change: Just because an IP is there now, doesn’t mean it’ll stick around

• Check the return address: reverse IP search is your most powerful tool

• Cross-reference everything: corroborate with behaviour to get the full story

See you next week, investigators!

🏁 New CTF Challenge Live - The Wi-Fi Password

A new CTF challenge has been posted on our CTF website. This week’s CTF challenge focuses on finding the password of a weird Wi-Fi using only open source intelligence techniques.

Start competing in our Capture the Flag (CTF)

🪃 If you missed the last CTF, here’s a link to catch up.

Last week’s CTF challenge featured a GEOINT challenge titled “The Unknown Bridge”.

Looking at the UAV in the image, we could see its number which is 166509.
Using bing browser and searching for “166509 flight” we could find a flight of this UAV on : flightaware.com/live/flight/166509
Looking at the tracking, we could see that it was last seen near Patuxent River MD, we could also notice the same airport as in the image which is Patuxent River (NHK)
On the left side of the airport we could see the same bridge as in the image which is named: Thomas Johnson.
By searching on Google : Patuxent River Bridge, we could see that the full name of the bridge was : Governor Thomas Johnson.

✅ That’s it for the free version of The OSINT Newsletter. Consider upgrading to a paid subscription to support this publication and independent research.

By upgrading to paid, you’ll get access to the following:

👀 All paid posts in the archive. Go back and see what you’ve missed!

🚀 If you don’t have a paid subscription already, don’t worry. There’s a 7-day free trial. If you like what you’re reading, upgrade your subscription. If you can’t, I totally understand. Be on the lookout for promotions throughout the year.

🚨 The OSINT Newsletter offers a free premium subscription to all members of law enforcement. To upgrade your subscription, please reach out to LEA@osint.news from your official law enforcement email address.