# OSINT Toolkit Essentials
## BLUF
This guide catalogs the **essential OSINT tools** for intelligence analysts, investigative journalists, and researchers operating in the contemporary information environment. The toolkit has stabilized somewhat since the 2014–2022 period when new capabilities emerged monthly — the core set documented here represents the tools that have survived operational use and remain actively maintained. Every tool listed is either free, freemium, or subscription-based with transparent pricing; nothing here requires intelligence-agency access or paid-access closed platforms. Tool choice matters less than methodology (see [[08 Guides & Manuals/OSINT Methodologies/Source Verification Framework|Source Verification Framework]]); the best tools poorly applied produce worse results than basic tools rigorously applied.
---
## Mapping and Geolocation
### Primary
| Tool | Purpose | Cost | OPSEC |
|---|---|---|---|
| **Google Earth Pro** | Historical satellite imagery; 3D buildings; measurements | Free | Google surveils queries |
| **Google Maps Street View** | Ground-level verification; time slider | Free | Google surveils queries |
| **Yandex Maps** | Superior Russia/CIS coverage | Free | Yandex surveils queries |
| **Bing Maps** | Alternative satellite coverage; sometimes newer imagery | Free | Microsoft surveils queries |
| **OpenStreetMap** | Community-maintained; strong conflict zone coverage | Free | Low-profile queries |
| **Mapillary** | Crowdsourced street-level imagery | Free | Meta-owned; tracks queries |

**OPSEC note:** Any query to Google/Yandex/Bing is logged and can be associated with your identity (via IP, cookies, account). For sensitive operations, use a VPN plus private browsing or, better, offline maps (OsmAnd on mobile).
### Specialized Geolocation
- **SunCalc.net** — Shadow-based time/date calculation
- **Pic2Map** — Basic EXIF extraction for location
- **Google Earth Timelapse** — Satellite imagery over decades; useful for infrastructure development tracking
- **Sentinel Hub EO Browser** — Free ESA satellite imagery archive; excellent for large-scale or historical questions
- **Planet Labs Education** — Limited free tier; daily 3–5m imagery of the whole Earth
See: [[08 Guides & Manuals/OSINT Methodologies/Geolocation Methodology|Geolocation Methodology]] for how to apply these tools.
---
## Image and Video Verification
### Reverse Image Search
| Tool | Strength |
|---|---|
| **Yandex Images** | **Best for conflict-zone imagery** — frequently identifies images Western engines cannot |
| **Google Images** | Broad coverage; good for Western-origin images |
| **TinEye** | Oldest reverse image search; good for earliest instance detection |
| **Bing Visual Search** | Alternative coverage |

**Practice:** Always run at least two engines. A hit on Yandex but not Google often indicates a Russian or Eastern European original source.
### Metadata Analysis
- **ExifTool** (command line) — definitive EXIF/XMP metadata extraction
- **Metadata2Go** — web-based EXIF viewer (upload image to third party — OPSEC consideration)
- **InVID / WeVerify** — video-specific plugin suite for Chrome; keyframe extraction, reverse search on frames, metadata analysis
### Deepfake Detection
| Tool | Notes |
|---|---|
| **Deepware Scanner** | Web-based deepfake detector |
| **Reality Defender** | Commercial service; enterprise pricing |
| **AI or Not** | Consumer-grade detection |

**Reality check:** Detection tools are structurally one generation behind the generation tools they target. Treat any detection result as probabilistic. Absence of detection is not proof of authenticity.
---
## Social Media Intelligence
### Twitter / X
- **Native advanced search** — still works for basic queries; rate limits aggressive
- **TweetDeck** (now X Pro, subscription) — monitoring multiple accounts
- **Memo** (memo.tw) — archival search for deleted tweets (limited)
- **Twint** / **snscrape** — open-source scrapers; frequently broken by API changes
### Telegram
- **TGStat** — channel analytics and search
- **Telethon** (Python) — programmatic Telegram access for OSINT pipelines
- **Telegago** (Google custom search for Telegram) — workaround for Telegram's poor search
### Facebook / Instagram
- **Who Posted What** (whopostedwhat.com) — date-filtered Facebook search
- **Facebook Graph Search** — largely killed by Meta; limited alternatives
- **Instagram Stories Anonymous Viewers** — multiple tools; OPSEC-variable quality
### TikTok
- **TikTok native search** — surprisingly robust for public content
- **TikTok Analytics Tools** — commercial services for engagement analysis
- Use with VPN to avoid geographic filtering
### Cross-Platform Tools
- **Hoaxy** — tracks URL propagation across platforms
- **CrowdTangle** — RIP (Meta discontinued 2024); replacement tools less capable
---
## Financial and Corporate Intelligence
### Corporate Registries
- **OpenCorporates** — 200+ million company records globally; free basic search
- **OffshoreLeaks Database** (ICIJ) — Panama Papers + Paradise Papers + Pandora Papers searchable database
- **EDGAR** (SEC.gov) — US public company filings
- **Companies House** (gov.uk) — UK corporate records
### Sanctions Lists
- **OFAC SDN List** (US Treasury)
- **EU Consolidated Sanctions List**
- **OpenSanctions** — unified global sanctions search
- **UN Security Council Consolidated List**
### Financial Flow
- **Hetman** — beneficial ownership research
- **Investigative Dashboard** (ICIJ-related) — cross-reference corporate data
---
## Maritime, Aviation, and Transportation
### Ship Tracking
- **MarineTraffic** — near-real-time AIS transponder data
- **VesselFinder** — alternative AIS provider
- **SeaSearcher** — historical vessel data
**Dark fleets:** Ships that go dark (disable AIS) are a signal in themselves, for example of Russian oil exports or sanctions evasion. Integrating AIS gaps with satellite imagery is essential for tracking them.
### Flight Tracking
- **Flightradar24** — near-real-time ADS-B data
- **FlightAware** — alternative with different coverage
- **ADS-B Exchange** — uncensored (includes military aircraft that Flightradar24 filters)
- **Planefinder** — additional source
### Rail / Logistics
- **Less systematic coverage** — country-specific sources; significant OSINT gap for Russia/China rail intelligence
---
## Infrastructure and Cyber
### Internet Infrastructure
- **Shodan** — Internet-facing device search; subscription for full features
- **Censys** — alternative to Shodan
- **FOFA** — Chinese equivalent; different coverage
- **Wigle** — WiFi network geolocation
### Domain / DNS
- **WhoisXML API** — domain registration history (paid)
- **DomainTools** — alternative (paid)
- **Passive DNS** via various providers
- **crt.sh** — Certificate Transparency logs (free)
- **DNSdumpster** — free DNS reconnaissance
### Malware and Threat Intelligence
- **VirusTotal** — aggregated malware scanning
- **Hybrid Analysis** — malware sandbox reports
- **AlienVault OTX** — threat indicator sharing
- **MISP** — open-source threat intelligence platform
---
## Archives and Research
### Web Archiving
- **Wayback Machine** (web.archive.org) — Internet Archive's historical captures
- **Archive.today** — alternative archive (avoids some robots.txt issues)
- **Google Cache** — supplementary (being deprecated)
**Practice:** Archive any source you cite. Links rot; adversaries delete content. Archives give evidentiary permanence.
### Academic and Document
- **Scholar** (scholar.google.com) — academic paper search
- **Semantic Scholar** — AI-enhanced academic search
- **Sci-Hub** — ethically complex but operationally essential for closed-access papers
- **Document Cloud** — document hosting with OCR
### Broadcast and Media Archives
- **BBC Monitoring** — paid; superlative international broadcast monitoring
- **Internet Archive TV News** — searchable US TV news transcripts
---
## Communication and OPSEC
### Secure Communication
- **Signal** — encrypted messaging; contacts tied to phone number
- **Wire** — encrypted messaging; no phone number required
- **Proton Mail** — encrypted email
- **Session** — decentralized encrypted messaging
### Privacy Tools
- **Tor Browser** — anonymization; necessary for dark web research
- **Tails OS** — amnesic live operating system for high-sensitivity work
- **Whonix** — VM-based anonymity
- **Mullvad / ProtonVPN** — commercial VPN (mass-market use only; not for high-sensitivity work)
### Digital Forensics
- **Autopsy** — forensic analysis of files/drives
- **ExifTool** — metadata forensics
- **Volatility** — memory forensics
- **Maltego** — link analysis and transforms
---
## Dark Web Research
- **Tor Browser** — mandatory entry point
- **Ahmia** — clearnet-indexed hidden service search
- **Dark Search Engines** — Candle, Torch, etc. (quality varies)
**OPSEC imperative:** Dark web research requires disciplined OPSEC. Minimum: dedicated machine / VM; Tor-only network; no account associations with clearnet identity; physical and digital air-gaps as appropriate. Do not do casual dark web research from your primary device.
---
## Workflow Integration
### Recommended Pipeline
1. **Discovery** — social media monitoring; RSS from source list; targeted searches
2. **Triage** — quick evaluation: source reliability + information relevance
3. **Preservation** — archive the source (Wayback Machine submission + local save)
4. **Verification** — geolocation, chronolocation, metadata, reverse image search
5. **Analysis** — integrate into existing knowledge structure; apply [[08 Guides & Manuals/Analytical Frameworks/Analysis of Competing Hypotheses|ACH]]
6. **Documentation** — note with proper frontmatter, aliases, cross-links in the vault
### n8n Workflow Automation
For routine monitoring (see [[../../../Automation/n8n_ingest_workflow]]), automation can handle:
- Inoreader RSS ingestion
- Frontmatter generation
- Obsidian inbox delivery
- Claude API summarization
- Signal Brief draft generation
Manual analyst work remains essential for verification, analysis, and judgment.
---
## What Not to Use
Tools to be wary of:
- **Paid OSINT platforms marketing to law enforcement** — expensive; often wrap freely-available data; create evidentiary concerns in legal contexts
- **AI-generated "intelligence briefs"** — frequently hallucinate; should not be trusted for factual claims
- **"OSINT as a service" aggregators** — may provide convenience but obscure source methodology and reliability
- **Single-source "verified" feeds** — no matter how reputable, single-sourcing violates triangulation discipline
---
## Key Connections
- [[02 Concepts & Tactics/OSINT]] — the discipline
- [[08 Guides & Manuals/Operational Manuals/Open-Source Intelligence Manual]] — operational methodology
- [[08 Guides & Manuals/OSINT Methodologies/Geolocation Methodology]] — specific methodology for the geo tools
- [[08 Guides & Manuals/OSINT Methodologies/Source Verification Framework]] — verification discipline
- [[08 Guides & Manuals/Tool Guides & Workflows/Obsidian for Intelligence Analysis]] — the knowledge management layer
- [[08 Guides & Manuals/Analytical Frameworks/Analysis of Competing Hypotheses]] — the analytical method