Intelligence notes

OSINT Quick-Start Guide

8 min read

OSINT Quick-Start Guide

Open-Source Intelligence (OSINT) is the disciplined practice of producing actionable analysis from publicly available information. It is not a search-engine hobby and it is not investigative journalism — it is a structured tradecraft, and like any tradecraft it has a method, a toolset, and a body of professional standards. This guide is your on-ramp.

Who This Guide Is For

This guide is written for analysts, journalists, researchers, and compliance professionals who are beginning OSINT work and want a structured entry point — the first 30 days of practice, not the first five years. It is not a replacement for the deeper methodology notes elsewhere in this vault; it is the orientation that comes before them. If you read this guide, do the exercises, and follow the linked deep-dives, you will be operating at an entry-professional level within a few weeks of consistent practice.

The OSINT Mindset — Three Principles

OSINT is a discipline before it is a toolkit. The tools change every year; the mindset does not. Three principles separate competent practitioners from everyone else.

Verify before you conclude. OSINT surfaces information, not truth. Every claim from every source — including government press releases, mainstream media reports, leaked documents, and corporate filings — requires independent corroboration before it can support an analytical conclusion. A single source is a lead. Two independent sources from non-overlapping origins are evidence. One source citing another is still one source.

Document everything. If a finding is not documented at the moment of collection, it does not exist for analytical or legal purposes. Web pages disappear, social media accounts are deleted, and screenshots without timestamps and hashes carry no evidentiary weight. The discipline is simple: screenshot, hash, and archive at the moment of discovery — not later. Build this habit before you build anything else.

Know your legal boundary. Collection from genuinely public sources is generally lawful in most jurisdictions. Scraping behind authentication, bypassing technical access controls, harvesting personal data at scale, and re-publishing identifiable information about private individuals can cross into civil and criminal violations — and the specifics vary by country. When uncertain, stop collecting, document what you have, and consult a legal framework before proceeding.

The Five-Step OSINT Cycle (Applied)

The intelligence cycle adapted to beginner OSINT practice. Run every investigation through these five steps in order. Skipping a step is the most common cause of unreliable findings.

Step 1 — Define the question precisely. What specifically do you need to know? What decision does the answer support? “Investigate this company” is not a question. “Does this company have undisclosed ownership ties to a sanctioned entity?” is a question. Write the question down before you open a browser. If the question shifts during the investigation, write the new question down too.

Step 2 — Identify the likely sources. Where would the answer live if it exists in open sources? Corporate registries for ownership questions, archived web pages for deleted content, social media for personal patterns of life, satellite imagery for physical infrastructure, court filings for legal disputes. Map the source landscape before you start collecting — five minutes of thinking saves hours of unfocused searching.

Step 3 — Collect. Use the tools in the next section. Document everything: URL, retrieval timestamp, screenshot, and a hash of the captured artifact. Maintain a collection log — a simple spreadsheet works. The discipline is non-negotiable.

Step 4 — Verify. Require a minimum of two independent sources for any factual claim that will appear in your output. Check every piece of media for the four Ds: Distortion (was the original altered?), Disinformation (was it created to mislead?), Decontextualization (is a real artifact being presented in a false context?), and Deepfake (was it synthetically generated?). When verification fails, the finding is downgraded from fact to lead.

Step 5 — Synthesize and communicate. State what you found, the confidence level (Low / Medium / High based on source quality and corroboration), and — critically — what gaps remain. Analysts who acknowledge their gaps are trusted; analysts who hide them are eventually discovered.

Essential Free Tool Stack — Beginners

The tools below are sufficient for the first six months of OSINT practice. Master these before adding anything else.

ToolFunctionURL / InstallLimit
Google / Bing advanced operatorsTargeted search via site:, filetype:, intitle:, inurl:, before:, after:Built into both enginesSearch engines deprecate operators; cross-test results between engines
Wayback MachineArchived web pages and deleted contentarchive.org/webCoverage is incomplete; missing snapshots are common
Google Images reverse search + TinEyeReverse image searchimages.google.com, tineye.comBoth miss recently published or cropped images; use Yandex as third leg
ExifTool / Jeffrey’s Exif ViewerImage metadata extractionexiftool.org (CLI), exif.regex.info (web)Most social platforms strip EXIF on upload
SherlockUsername sweep across 300+ platformsgithub.com/sherlock-project/sherlockFalse positives common; verify each hit manually
Shodan.io (free tier)Internet-connected device discoveryshodan.ioFree tier limits queries per day; full coverage requires paid plan
OpenCorporatesCorporate registry researchopencorporates.comCoverage varies by jurisdiction; pair with national registries
Intelligence X (IntelX) free tierEmail/username in breach datasetsintelx.ioFree tier returns limited results; treat breach data with legal caution
Hunter.io free tierCorporate email pattern discoveryhunter.ioFree tier capped at 25 searches/month
Hunchly (paid, ~$20/month)Evidence capture with automatic hashinghunch.lyPaid — and the single most important professional tool for a beginner to adopt early

If you adopt only one paid tool in your first year, make it Hunchly. The evidentiary discipline it enforces — automatic capture, automatic hashing, automatic chain-of-custody — is otherwise extraordinarily difficult to maintain manually.

Ten First Skills to Develop

Ordered by payoff-to-difficulty ratio. Work down the list. Do not skip ahead — each skill assumes the prior ones.

  1. Google advanced operators. The single highest-leverage skill in OSINT. An afternoon spent learning site:, filetype:, intitle:, inurl:, before:, after:, and exact-phrase quoting will permanently change how you search.
  2. Reverse image search pipeline. Run every image of interest through Google Images, TinEye, and Yandex in sequence. Each indexes different parts of the visual web. Yandex is consistently strongest on faces and Cyrillic-language sources.
  3. Wayback Machine and archive.today research. Learn to find archived snapshots, to compare versions of a page across time, and to submit captures yourself before sensitive content disappears.
  4. Username sweep with Sherlock. A starting point for entity research — but every Sherlock hit is a hypothesis, not a confirmation. Manual verification is required.
  5. Corporate registry research. Learn OpenCorporates plus at least one national registry relevant to your work (Companies House for the UK, SEC EDGAR for the US, JUCESP/Receita Federal for Brazil, and so on).
  6. Image EXIF extraction. Routine on any image not sourced from a major social platform. Camera model, timestamp, and GPS coordinates are often intact in images shared via cloud storage, email, or messaging apps that do not strip metadata.
  7. Geolocation from photographs. Sun angle, architectural detail, vegetation, signage, vehicle license plate formats, and electrical infrastructure all narrow a location. This is the highest-prestige and most in-demand individual OSINT skill in the field.
  8. Social media account research. LinkedIn deep search (for professional networks and employment history) and X/Twitter advanced search operators (from:, to:, since:, until:, near:) are foundational. Each platform has its own search grammar.
  9. Domain and WHOIS research. Current WHOIS via whois.domaintools.com, historical WHOIS via domaintools or whoxy, DNS records via dig or online resolvers. Domain history often reveals ownership transitions that current records hide.
  10. Evidence documentation and hashing discipline. SHA-256 every captured artifact at the moment of capture. Use Hunchly if your budget allows; if not, build a manual workflow with screenshots, sha256sum, and a structured folder hierarchy. Without this discipline, your work cannot support legal or formal analytical processes.

Common Beginner Mistakes

  • Stopping at the first result. The first Google result is what everyone sees. OSINT begins where obvious searching ends — pages two through ten, operator-narrowed queries, alternate engines, and archived versions.
  • Forgetting to archive. Web content of investigative interest disappears within hours of becoming relevant. Submit captures to archive.today and the Wayback Machine before you analyze, not after.
  • Assuming correlation is causation. Two entities sharing an attribute — the same city, the same school, the same supplier — does not mean they are operationally connected. Coincidence is more common than connection.
  • Publishing before verifying. Open-source content includes deliberately planted disinformation designed to be discovered by analysts like you. A single-source finding is a lead; treating it as a fact is how reputations are lost.
  • Using personal accounts and devices. Operational separation between your personal life and your OSINT work is a basic professional standard. Subjects of investigation can and do investigate back.

Where to Go From Here

The notes below take each topic deeper. Read them in roughly the order listed.

Start with the OSINT mindset. Build the documentation habit before anything else. Work down the ten-skill list. Everything else in the discipline grows from there.

Graph View

Backlinks