# Open Source Intelligence (OSINT)
## Core Definition (BLUF)
**Open Source Intelligence (OSINT)** is the systematic collection, processing, and analysis of information derived from **publicly available sources** to produce actionable intelligence. It constitutes one of the five core intelligence disciplines (alongside HUMINT, SIGINT, IMINT, and MASINT) and has become the **dominant collection vector** of the digital age — both for state intelligence services and for non-state actors including investigative journalists, academic researchers, and hacktivist groups. OSINT's strategic value derives not from access to secrets, but from the analytical capacity to identify signal within the vast, open noise of the information environment.
## Epistemology & Historical Origins
The systematic exploitation of open sources predates the digital era. During World War II, the US Foreign Broadcast Intelligence Service (FBIS, predecessor to today's Open Source Enterprise) monitored foreign radio broadcasts as a primary collection tool. The Cold War saw the CIA's Foreign Broadcast Information Service and the British BBC Monitoring Service institutionalise open source collection as a permanent intelligence function.
The digital transformation accelerated OSINT's primacy along three vectors:
1. **Democratisation of publication (Web 1.0–2.0):** Governments, corporations, militaries, and individuals began publishing vast quantities of operational information online — inadvertently creating an exploitable open-source record.
2. **Social media as real-time sensor network (2008–present):** Twitter/X, Telegram, Facebook, Instagram, and TikTok transformed global populations into de facto sensor networks, generating real-time visual, locational, and narrative intelligence from conflict zones with no state investment.
3. **Commercial satellite and geospatial proliferation (2015–present):** Providers like Planet Labs, Maxar, and Sentinel-2 (ESA) made high-resolution satellite imagery commercially available — previously a monopoly of state intelligence — enabling sub-24-hour imagery analysis of any location on Earth by civilian analysts.
## Operational Mechanics (How it Works)
Professional OSINT collection and analysis follows a structured methodology:
**1. Requirements Definition**
Define the intelligence question. OSINT collection without a requirement generates data, not intelligence. Key questions: What decision does this intelligence need to support? What is the confidence threshold required?
**2. Source Identification & Collection**
Map the source landscape for the target. Categories include:
- **Web/social media:** Open web, social platforms (Twitter/X, Telegram, VKontakte), forums, paste sites
- **Geospatial:** Commercial satellite imagery (Planet, Maxar, Sentinel), Google Earth historical imagery, ship/aircraft tracking (MarineTraffic, FlightRadar24, ADS-B Exchange)
- **Financial/corporate:** Company registries, EDGAR SEC filings, Offshore Leaks database, Panama Papers, beneficial ownership registries
- **Government/official:** Court filings, procurement databases, official gazettes, parliamentary records, sanctions lists (OFAC, UN, EU)
- **Academic/technical:** ArXiv, SSRN, IEEE, patent databases
- **Darkweb/gray:** Onion services, ransomware leak sites, cybercriminal forums (requires OPSEC discipline)
**3. Verification & Cross-Referencing**
Raw open-source data is inherently unreliable. Verification discipline requires:
- **Source triangulation:** Minimum three independent sources for any factual claim
- **Provenance tracing:** Identify original source, not republication chain
- **Metadata analysis:** EXIF data (GPS coordinates, device, timestamp) on images and videos
- **Geolocation/chronolocation:** Matching terrain features, sun angles, vegetation, architecture against known databases to verify claimed locations and dates
- **Reverse image search:** TinEye, Google Images, Yandex (superior for conflict zone imagery)
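
The triangulation and provenance-tracing rules above can be checked mechanically once each report records what it republishes. The sketch below is an added example, not part of the original note: the report IDs, outlets and claims are constructed, and treating distinct original outlets as independent sources is an assumption.

```python
from collections import defaultdict

# Constructed reports: (outlet, claim, report it republishes or None).
# Assumption: distinct original outlets count as independent sources.
REPORTS = {
    "r1": ("local_tv", "bridge_destroyed", None),
    "r2": ("agency_a", "bridge_destroyed", "r1"),
    "r3": ("blog_b", "bridge_destroyed", "r2"),
    "r4": ("sat_analyst", "bridge_destroyed", None),
    "r5": ("eyewitness", "convoy_sighted", None),
    "r6": ("ngo_monitor", "convoy_sighted", None),
    "r7": ("port_webcam", "convoy_sighted", None),
    "r8": ("agg_x", "convoy_sighted", "r9"),   # circular citation
    "r9": ("agg_y", "convoy_sighted", "r8"),
}
MIN_INDEPENDENT = 3  # the triangulation threshold stated above


def trace_origin(report_id, reports):
    """Walk the republication chain; return the original outlet, or None
    when the chain loops or cites a report we do not hold."""
    seen, current = set(), report_id
    while current in reports and current not in seen:
        seen.add(current)
        outlet, _claim, cites = reports[current]
        if cites is None:
            return outlet
        current = cites
    return None


def triangulate(reports, minimum=MIN_INDEPENDENT):
    """Per claim: distinct original outlets, untraceable reports, verdict."""
    origins, unresolved = defaultdict(set), defaultdict(list)
    for rid, (_outlet, claim, _cites) in reports.items():
        origin = trace_origin(rid, reports)
        if origin is None:
            unresolved[claim].append(rid)
        else:
            origins[claim].add(origin)
    return {
        claim: {
            "independent": sorted(origins[claim]),
            "unresolved": sorted(unresolved[claim]),
            "corroborated": len(origins[claim]) >= minimum,
        }
        for claim in set(origins) | set(unresolved)
    }
```

Four reports of the bridge claim collapse to two original outlets, so it stays uncorroborated, while the circular aggregator pair adds nothing to the convoy claim.
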
**4. Structured Analytical Techniques (SATs)**
Apply analytical frameworks to produce assessments, not just data summaries:
- Analysis of Competing Hypotheses (ACH)
- Key Assumptions Check
- Red Team / Devil's Advocacy
- Confidence calibration (explicit probability language)
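
An Analysis of Competing Hypotheses matrix can be scored in a few lines. The following is an added example, not part of the original note: the hypotheses, evidence items and ratings are constructed for a video-verification question, and the per-item weights are an assumption of this sketch.

```python
HYPOTHESES = ["H1_authentic", "H2_recycled", "H3_staged"]

# Constructed matrix. One rating per hypothesis, in HYPOTHESES order:
# C consistent, I inconsistent, N neutral. The weight (the analyst's
# credibility judgement for the item) is an assumption of this example.
EVIDENCE = [
    ("E1 landmarks match the claimed town", 2, "CCC"),
    ("E2 no earlier copy in reverse image search", 1, "CIC"),
    ("E3 weather matches records for claimed date", 1, "CIN"),
    ("E4 second uploader filmed scene from another angle", 2, "CII"),
    ("E5 uploading account created the same day", 1, "NCC"),
]


def inconsistency_scores(evidence, hypotheses):
    """ACH ranks by disconfirmation: sum the weight of every 'I' rating."""
    scores = dict.fromkeys(hypotheses, 0)
    for label, weight, ratings in evidence:
        if len(ratings) != len(hypotheses) or set(ratings) - set("CIN"):
            raise ValueError(f"bad rating row for {label!r}")
        for hypothesis, rating in zip(hypotheses, ratings):
            if rating == "I":
                scores[hypothesis] += weight
    return scores


def non_diagnostic(evidence):
    """Evidence rated identically under every hypothesis cannot discriminate."""
    return [label for label, _w, ratings in evidence if len(set(ratings)) == 1]


def rank(evidence, hypotheses):
    """Least-contradicted hypothesis first; ties keep HYPOTHESES order."""
    scores = inconsistency_scores(evidence, hypotheses)
    return sorted(hypotheses, key=lambda h: scores[h])


if __name__ == "__main__":
    print(inconsistency_scores(EVIDENCE, HYPOTHESES))
    print(rank(EVIDENCE, HYPOTHESES))
    print(non_diagnostic(EVIDENCE))
```

E1 supports every hypothesis equally, so it carries a weight of 2 yet contributes nothing to the ranking.
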
**5. Dissemination**
Package intelligence for the consumer. Format follows consumer needs — not the analyst's preferences. Raw intelligence reports, finished assessments, and visualisations serve different decision-making contexts.
## Modern Application & Multi-Domain Use
**Kinetic/Military:** Military OSINT cells (including Ukraine's volunteer OSINT network, which dramatically enhanced Ukrainian targeting in 2022) aggregate social media, satellite imagery, and commercial telemetry to track enemy unit movements, identify logistics chokepoints, and conduct battle damage assessment. Commercial OSINT firms (Bellingcat, Maxar, Planet) have become de facto tactical intelligence providers in conflicts where state intelligence agencies cannot or choose not to publish.
**Cyber/Signals:** OSINT is the foundation of threat intelligence in cybersecurity. Attack surface mapping (Shodan, Censys, FOFA for internet-facing assets), threat actor profiling (via dark web monitoring, GitHub repository analysis, malware sample databases), and infrastructure attribution (passive DNS, WHOIS, certificate transparency logs) are all OSINT tradecraft applied to cyber domains.
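
From the defender's side, the same certificate transparency data supports reconciling an organisation's own asset inventory against what is publicly visible. This is an added example, not part of the original note: the records, field names, domain and inventory are constructed assumptions.

```python
# Constructed records loosely shaped like certificate-transparency search
# results (newline-separated SAN names); field names are assumptions here.
CT_RECORDS = [
    {"name_value": "www.example.org\nexample.org", "not_before": "2024-01-10"},
    {"name_value": "*.example.org", "not_before": "2024-02-01"},
    {"name_value": "vpn.example.org", "not_before": "2024-03-05"},
    {"name_value": "Staging-API.example.org.", "not_before": "2024-06-02"},
    {"name_value": "staging-api.example.org", "not_before": "2024-05-20"},
    {"name_value": "example.org.evil.test", "not_before": "2024-06-03"},
]
INVENTORY = {"example.org", "www.example.org", "vpn.example.org"}  # known assets


def normalise(name):
    """Lower-case and drop the trailing root dot so duplicates collapse."""
    return name.strip().lower().rstrip(".")


def in_scope(name, apex):
    """True only for the apex or a real subdomain, not a look-alike suffix."""
    return name == apex or name.endswith("." + apex)


def reconcile(records, apex, inventory):
    """Compare names seen in CT records with the asset inventory."""
    unknown, wildcards, out_of_scope = {}, set(), set()
    for record in records:
        for raw in record["name_value"].split("\n"):
            name = normalise(raw)
            if not name:
                continue
            base = name[2:] if name.startswith("*.") else name
            if not in_scope(base, apex):
                out_of_scope.add(name)
            elif base != name:
                wildcards.add(name)  # covers hosts CT will never list by name
            elif name not in inventory:
                first = unknown.get(name, record["not_before"])
                # ISO dates compare correctly as strings
                unknown[name] = min(first, record["not_before"])
    return {"unknown": unknown, "wildcards": sorted(wildcards),
            "out_of_scope": sorted(out_of_scope)}
```

Hosts in `unknown` are certificates issued for names the inventory does not track, listed with the earliest issuance date seen.
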
**Cognitive/Information:** OSINT underpins disinformation detection and attribution. Network mapping of inauthentic account clusters (via tools like Gephi, Maltego), narrative origin tracing, and cross-platform coordinated behaviour analysis are the methodological core of organisations like the Stanford Internet Observatory, EU DisinfoLab, and the Atlantic Council's Digital Forensic Research Lab (DFRLab).
## Historical & Contemporary Case Studies
**Case Study 1: Bellingcat — MH17 Attribution (2014–2016)**
Using exclusively open sources — social media posts, satellite imagery, Russian military vehicle identification markings, geo- and chronolocation of photographs — Bellingcat produced a forensic attribution of the shoot-down of Malaysia Airlines Flight MH17 to the 53rd Anti-Aircraft Missile Brigade of the Russian Armed Forces. This preceded and exceeded official Dutch Safety Board findings in specificity. It established OSINT's capacity to attribute state military operations to a standard approaching intelligence community conclusions.
**Case Study 2: Ukraine War Real-Time OSINT (2022–present)**
The 2022 Russian invasion of Ukraine became the most OSINT-documented conflict in history. Volunteer analyst networks (OSINT Ukraine, GeoConfirmed, IntelliGence) geolocated thousands of military units, tracked convoy movements via TikTok and Telegram, identified war crimes sites, and conducted battle damage assessment via commercial satellite imagery within hours of events. The conflict demonstrated that OSINT at scale can function as a distributed tactical intelligence apparatus.
**Case Study 3: Offshore Leaks — Financial Intelligence (2013–present)**
The Panama Papers (2016), Pandora Papers (2021), and FinCEN Files (2020) demonstrated OSINT's capacity to penetrate financial opacity through systematic exploitation of leaked corporate and banking records. The analytical methodology — entity resolution across millions of records, beneficial ownership graph construction, cross-referencing against sanctions lists and PEP databases — has become a standard framework for financial intelligence and investigative journalism.
## Intersecting Concepts & Synergies
**Enables:** [[Human Intelligence]] (HUMINT) targeting, [[Signals Intelligence]] (SIGINT) cueing, [[Counterintelligence]] (target identification), [[Algorithmic Warfare]] (feed enrichment), [[Investigative Journalism]], [[Threat Intelligence]]
**Counters/Mitigates:** [[Information Asymmetry]], State opacity, Propaganda (through independent verification), [[Disinformation]] (via provenance analysis)
**Vulnerabilities:** OSINT is acutely vulnerable to adversarial manipulation of the open-source environment — deliberate seeding of false imagery, spoofed metadata, manufactured social media consensus, and strategic leaks of selectively curated authentic information. State actors with sophisticated **Active Measures** programs have developed OSINT poisoning as a deliberate discipline. Additionally, the analytical capacity of OSINT practitioners varies enormously; low-rigour OSINT analysis can produce false confidence in incorrect conclusions — a worse outcome than acknowledged ignorance.
## Key Connections
- [[02 Concepts & Tactics/Counterintelligence]]
- [[02 Concepts & Tactics/Guerra Cognitiva e Desinformação Algorítmica]]
- [[02 Concepts & Tactics/Information Operations]]
- [[02 Concepts & Tactics/Advanced Persistent Threats]]
- [[02 Concepts & Tactics/Hybrid Warfare]]
- [[08 Guides & Manuals/Operational Manuals/Open-Source Intelligence Manual v2|Open-Source Intelligence Manual v2]]