OSINT Toolkit Essentials
BLUF
This guide catalogs the essential OSINT tools for intelligence analysts, investigative journalists, and researchers operating in the contemporary information environment. The toolkit has stabilized somewhat since the 2014–2022 period when new capabilities emerged monthly — the core set documented here represents the tools that have survived operational use and remain actively maintained. Every tool listed is either free, freemium, or subscription-based with transparent pricing; nothing here requires intelligence-agency access or paid-access closed platforms. Tool choice matters less than methodology (see Source Verification Framework); the best tools poorly applied produce worse results than basic tools rigorously applied.
Mapping and Geolocation
Primary
| Tool | Purpose | Cost | OPSEC |
|---|---|---|---|
| Google Earth Pro | Historical satellite imagery; 3D buildings; measurements | Free | Google surveils queries |
| Google Maps Street View | Ground-level verification; time slider | Free | Google surveils queries |
| Yandex Maps | Superior Russia/CIS coverage | Free | Yandex surveils queries |
| Bing Maps | Alternative satellite coverage; sometimes newer imagery | Free | Microsoft surveils queries |
| OpenStreetMap | Community-maintained; strong conflict zone coverage | Free | Low-profile queries |
| Mapillary | Crowdsourced street-level imagery | Free | Meta-owned; tracks queries |
OPSEC note: Any query to Google/Yandex/Bing is logged and can be associated with your identity (via IP, cookies, account). For sensitive operations, use a VPN plus private browsing, or better, offline maps (OsmAnd on mobile).
Specialized Geolocation
- SunCalc.net — Shadow-based time/date calculation
- Pic2Map — Basic EXIF extraction for location
- Google Earth Timelapse — Satellite imagery over decades; useful for infrastructure development tracking
- Sentinel Hub EO Browser — Free ESA satellite imagery archive; excellent for large-scale or historical questions
- Planet Labs Education — Limited free tier; daily 3–5m imagery of the whole Earth
See: Geolocation Methodology for how to apply these tools.
Image and Video Verification
Reverse Image Search
| Tool | Strength |
|---|---|
| Yandex Images | Best for conflict-zone imagery — frequently identifies images Western engines cannot |
| Google Images | Broad coverage; good for Western-origin images |
| TinEye | Oldest reverse image search; good for earliest instance detection |
| Bing Visual Search | Alternative coverage |
Practice: Always run at least two engines. A hit on Yandex but not Google often indicates a Russian or Eastern European original source.
Metadata Analysis
- ExifTool (command line) — definitive EXIF/XMP metadata extraction
- Metadata2Go — web-based EXIF viewer (upload image to third party — OPSEC consideration)
- InVID / WeVerify — video-specific plugin suite for Chrome; keyframe extraction, reverse search on frames, metadata analysis
Deepfake Detection
| Tool | Notes |
|---|---|
| Deepware Scanner | Web-based deepfake detector |
| Reality Defender | Commercial service; enterprise pricing |
| AI or Not | Consumer-grade detection |
Reality check: Detection tooling is structurally one generation behind generative tooling. Treat any detection result as probabilistic. Absence of detection is not proof of authenticity.
Social Media Intelligence
Twitter / X
- Native advanced search — still works for basic queries; rate limits are aggressive
- TweetDeck (now X Pro, subscription) — monitoring multiple accounts
- Memo (memo.tw) — archival search for deleted tweets (limited)
- Twint / snscrape — open-source scrapers; frequently broken by API changes
Telegram
- TGStat — channel analytics and search
- Telethon (Python) — programmatic Telegram access for OSINT pipelines
- Telegago (Google custom search for Telegram) — workaround for Telegram’s poor search
Facebook / Instagram
- Who Posted What (whopostedwhat.com) — date-filtered Facebook search
- Facebook Graph Search — largely killed by Meta; limited alternatives
- Instagram Stories Anonymous Viewers — multiple tools; quality and OPSEC vary
TikTok
- TikTok native search — surprisingly robust for public content
- TikTok Analytics Tools — commercial services for engagement analysis
- Use with VPN to avoid geographic filtering
Cross-Platform Tools
- Hoaxy — tracks URL propagation across platforms
- CrowdTangle — RIP (Meta discontinued 2024); replacement tools less capable
Financial and Corporate Intelligence
Corporate Registries
- OpenCorporates — 200+ million company records globally; free basic search
- OffshoreLeaks Database (ICIJ) — Panama Papers + Paradise Papers + Pandora Papers searchable database
- EDGAR (SEC.gov) — US public company filings
- Companies House (gov.uk) — UK corporate records
Sanctions Lists
- OFAC SDN List (US Treasury)
- EU Consolidated Sanctions List
- OpenSanctions — unified global sanctions search
- UN Security Council Consolidated List
Financial Flow
- Hetman — beneficial ownership research
- Investigative Dashboard (ICIJ-related) — cross-reference corporate data
Maritime, Aviation, and Transportation
Ship Tracking
- MarineTraffic — near-real-time AIS transponder data
- VesselFinder — alternative AIS provider
- SeaSearcher — historical vessel data
Dark fleets: Ships that go dark (disable AIS) are a signal of activity such as Russian oil exports and sanctions evasion. Correlating AIS gaps with satellite imagery is essential for tracking them.
Flight Tracking
- Flightradar24 — near-real-time ADS-B data
- FlightAware — alternative with different coverage
- ADS-B Exchange — uncensored (includes military aircraft that Flightradar24 filters)
- Planefinder — additional source
Rail / Logistics
- Less systematic coverage — country-specific sources; significant OSINT gap for Russia/China rail intelligence
Infrastructure and Cyber
Internet Infrastructure
- Shodan — Internet-facing device search; subscription for full features
- Censys — alternative to Shodan
- FOFA — Chinese equivalent; different coverage
- Wigle — WiFi network geolocation
Domain / DNS
- WhoisXML API — domain registration history (paid)
- DomainTools — alternative (paid)
- Passive DNS via various providers
- crt.sh — Certificate Transparency logs (free)
- DNSdumpster — free DNS reconnaissance
Malware and Threat Intelligence
- VirusTotal — aggregated malware scanning
- Hybrid Analysis — malware sandbox reports
- AlienVault OTX — threat indicator sharing
- MISP — open-source threat intelligence platform
Archives and Research
Web Archiving
- Wayback Machine (web.archive.org) — Internet Archive’s historical captures
- Archive.today — alternative archive (avoids some robots.txt issues)
- Google Cache — supplementary (being deprecated)
Practice: Archive any source you cite. Links rot; adversaries delete content. Archives give evidentiary permanence.
Academic and Document
- Scholar (scholar.google.com) — academic paper search
- Semantic Scholar — AI-enhanced academic search
- Sci-Hub — ethically complex but operationally essential for closed-access papers
- Document Cloud — document hosting with OCR
Broadcast and Media Archives
- BBC Monitoring — paid; superlative international broadcast monitoring
- Internet Archive TV News — searchable US TV news transcripts
Communication and OPSEC
Secure Communication
- Signal — encrypted messaging; contacts tied to phone number
- Wire — encrypted messaging; no phone number required
- Proton Mail — encrypted email
- Session — decentralized encrypted messaging
Privacy Tools
- Tor Browser — anonymization; necessary for dark web research
- Tails OS — amnesic live operating system for high-sensitivity work
- Whonix — VM-based anonymity
- Mullvad / ProtonVPN — commercial VPN (mass-market use only; not for high-sensitivity work)
Digital Forensics
- Autopsy — forensic analysis of files/drives
- ExifTool — metadata forensics
- Volatility — memory forensics
- Maltego — link analysis and transforms
Dark Web Research
- Tor Browser — mandatory entry point
- Ahmia — clearnet-indexed hidden service search
- Dark Search Engines — Candle, Torch, etc. (quality varies)
OPSEC imperative: Dark web research requires disciplined OPSEC. Minimum: dedicated machine / VM; Tor-only network; no account associations with clearnet identity; physical and digital air-gaps as appropriate. Do not do casual dark web research from your primary device.
Workflow Integration
Recommended Pipeline
- Discovery — social media monitoring; RSS from source list; targeted searches
- Triage — quick evaluation: source reliability + information relevance
- Preservation — archive the source (Wayback Machine submission + local save)
- Verification — geolocation, chronolocation, metadata, reverse image search
- Analysis — integrate into existing knowledge structure; apply ACH
- Documentation — note with proper frontmatter, aliases, cross-links in the vault
n8n Workflow Automation
For routine monitoring (see n8n_ingest_workflow), automation can handle:
- Inoreader RSS ingestion — configured per Inoreader Pro — Collection Stack Configuration
- Frontmatter generation
- Obsidian inbox delivery
- Claude API summarization
- Signal Brief draft generation
Manual analyst work remains essential for verification, analysis, and judgment.
What Not to Use
Tools to be wary of:
- Paid OSINT platforms marketing to law enforcement — expensive; often wrap freely-available data; create evidentiary concerns in legal contexts
- AI-generated “intelligence briefs” — frequently hallucinate; should not be trusted for factual claims
- “OSINT as a service” aggregators — may provide convenience but obscure source methodology and reliability
- Single-source “verified” feeds — no matter how reputable, single-sourcing violates triangulation discipline
Key Connections
- OSINT — the discipline
- Open-Source Intelligence Manual — operational methodology
- Geolocation Methodology — specific methodology for the geo tools
- Source Verification Framework — verification discipline
- Obsidian for Intelligence Analysis — the knowledge management layer
- Analysis of Competing Hypotheses — the analytical method