OSINT Case Study Index
Purpose
This index aggregates canonical open-source investigation cases from across the vault and organizes them by domain and methodology type. It functions both as a navigation node — routing the practitioner from any documented case to the methodology notes that produced it — and as a practitioner reference for understanding what open-source methods have produced in documented, real-world investigations with verifiable evidentiary, legal, or geopolitical outcomes. Each entry connects an empirical case to the technique stack that delivered it, allowing reverse-engineering of methods from outcomes and forward application of methods to new targets.
Case Study Matrix
Conflict Attribution / War Crimes
| Case | Year | Domain | Primary Method(s) | Key Outcome | Vault Reference |
|---|---|---|---|---|---|
| MH17 (Malaysia Airlines Flight 17 attribution) | 2014–2019 | Conflict attribution | OSINT, GEOINT, social media geolocation, vehicle tracking (Buk TELAR convoy) | Dutch JIT indictment; GRU 53rd Anti-Aircraft Brigade identified as launch unit | OSINT for Human Rights |
| Salisbury/Skripal attack (GRU operatives identified) | 2018 | State actor attribution | Passport database + flight records + hotel data + social media | “Boshirov/Petrov” identified as GRU Col. Anatoliy Chepiga and Dr. Alexander Mishkin | Counterintelligence, Double Agents, Advanced Persistent Threats |
| Syria chemical weapons documentation | 2013–2019 | War crimes documentation | Satellite imagery, video geolocation, weapons identification (munitions remnants) | Multiple ICC/OPCW proceedings supported; Khan Shaykhun and Douma attribution | OSINT for Human Rights |
| Anwar Raslan conviction (Syria torture) | 2022 | Universal jurisdiction | Social media identification, Caesar files, OSINT corroboration of witness testimony | First criminal conviction worldwide for Syrian state torture (Koblenz Higher Regional Court) | OSINT for Human Rights, OSINT for Legal Proceedings |
| Xinjiang detention facilities | 2017–2020 | Systematic human rights | Satellite change detection, Chinese-language document research, survivor corroboration | Documentation of 380+ facilities; inputs to UN OHCHR inquiry and parliamentary findings | OSINT for Human Rights, GEOINT |
Conflict Monitoring / ISR
| Case | Year | Domain | Primary Method(s) | Key Outcome | Vault Reference |
|---|---|---|---|---|---|
| Russian pre-invasion force buildup (Ukraine) | 2021–2022 | Indications and Warning | Commercial satellite (Planet/Maxar), ADS-B/AIS tracking, social media monitoring (TikTok convoy videos) | Successful strategic warning with unprecedented public intelligence release by US/UK governments | Indications and Warning, Intelligence, Surveillance, and Reconnaissance, GEOINT Workflow Guide |
| Wagner Group in Africa / mercenary tracking | 2019–2023 | Non-state actor tracking | Social media, satellite imagery, aircraft registration, payment records | Wagner presence systematically documented in Libya, Mali, CAR, Sudan | Pattern of Life Analysis, GEOINT |
Financial / Corporate Investigation
| Case | Year | Domain | Primary Method(s) | Key Outcome | Vault Reference |
|---|---|---|---|---|---|
| Panama Papers | 2016 | Beneficial ownership | Leaked document analysis + corporate registry cross-referencing + OSINT corroboration | 140 political figures exposed; Mossack Fonseca operating model documented | Corporate OSINT and Due Diligence, Entity Resolution Methodology |
| Pandora Papers | 2021 | Beneficial ownership | Same methodology at larger scale (11.9M documents, 14 offshore providers) | 330 politicians across 91 countries; multiple resignations and investigations | Corporate OSINT and Due Diligence, Financial Intelligence |
| Russia sanctions evasion (post-2022) | 2022–2024 | Supply chain / sanctions | Customs manifest analysis, component teardowns, import/export database cross-referencing | Western semiconductors traced to Russian military equipment via third-country transhipment | Corporate OSINT and Due Diligence |
Cyber Attribution
| Case | Year | Domain | Primary Method(s) | Key Outcome | Vault Reference |
|---|---|---|---|---|---|
| NotPetya attribution (Sandworm/GRU) | 2017 | APT attribution | Malware analysis, infrastructure pivoting, code comparison, false-flag deconstruction | First public attribution of a nation-state destructive cyberattack; US/UK/NL coordinated statements | Advanced Persistent Threats, Cyber Threat Intelligence, Attribution |
| SolarWinds / Sunburst (SVR attribution) | 2020 | APT attribution | Supply-chain compromise analysis, C2 infrastructure analysis, TTP clustering | Attribution to SVR (APT29/Cozy Bear) via MITRE ATT&CK TTP cluster and infrastructure overlap | Advanced Persistent Threats, Cyber Threat Intelligence |
| Navalny poisoning (FSB team identified) | 2020 | State actor attribution | Phone record analysis, flight records, OSINT on FSB personnel | FSB Kriminalistika Institute team identified by name (Bellingcat/Insider/Der Spiegel) | Counterintelligence, Advanced Persistent Threats |
Surveillance Technology / Spyware
| Case | Year | Domain | Primary Method(s) | Key Outcome | Vault Reference |
|---|---|---|---|---|---|
| Pegasus/NSO Group exposure | 2016–2021 | Surveillance technology tracking | Infected-device forensics, network scanning (Citizen Lab methodology), victim mapping | NSO Pegasus documented in 50+ countries; multiple governments implicated; US Commerce blacklist | Advanced Persistent Threats, Counter-OSINT Methodology |
| FinFisher/FinSpy tracking | 2012–2020 | Surveillance technology | Network scanning, export tracking, binary analysis | Commercial surveillance tool documented in authoritarian contexts; insolvency 2022 | Counter-OSINT Methodology |
Methodology Cross-Reference
The following table inverts the matrix above, mapping each core method to the canonical cases that exemplify it. This view supports practitioner navigation from technique to documented application.
| Method | Canonical Cases |
|---|---|
| Satellite imagery / change detection | Xinjiang, Ukraine buildup, Syria chemical weapons, Wagner in Africa |
| Social media geolocation | MH17, Syria chemical weapons, Salisbury |
| Corporate registry / beneficial ownership | Panama Papers, Pandora Papers, Russia sanctions evasion |
| Malware / infrastructure analysis | NotPetya, SolarWinds, Navalny, Pegasus |
| Phone / flight record analysis | Navalny poisoning, Salisbury |
| Document cross-referencing | Anwar Raslan, Panama Papers, Xinjiang |
| AIS/ADS-B tracking | Ukraine buildup, sanctions evasion shipping |
Vault Navigation
Deep methodology notes that produced — or could reproduce — results in the cases above:
OSINT for Human Rights, OSINT for Legal Proceedings, Geolocation Methodology, GEOINT Workflow Guide, Pattern of Life Analysis, Entity Resolution Methodology, Network Analysis Methodology, Link Analysis, Disinformation Detection Methodology, Cyber Threat Intelligence, Advanced Persistent Threats, Counter-OSINT Methodology, POI Profiling Methodology, Corporate OSINT and Due Diligence, Crypto Tracing Tools Guide, Dark Web Methodology.
Each case in the matrix above can be back-traced to one or more of these methodology nodes. Conversely, each methodology node should — where possible — cite at least one case from this index as a documented application precedent. This bidirectional linking is the structural mechanism that converts the vault from a glossary into a working reference for live investigations.
Key Connections
OSINT, OSINT for Human Rights, OSINT for Legal Proceedings, Attribution, Geolocation Methodology, Entity Resolution Methodology, Pattern of Life Analysis, Advanced Persistent Threats, Cyber Threat Intelligence, Corporate OSINT and Due Diligence, Counterintelligence, Indications and Warning, OSINT Community Ecosystem.