
The Hidden and Visible Elements of OSINT: Part 2

There is a lot out there in terms of public conversations. People use the Internet to communicate everything, even beyond the boundaries of what is often acceptable in regular society. OSINT investigators will want to capture all conversations and interactions surrounding an event for a threat actor they are investigating.

In The Hidden and Visible Elements of OSINT: Part 1, we covered the investigative process and how to apply the right lens for gathering OSINT. We got you started with the Surface Web and how to apply advanced queries to get the information you need across the visible components of the Internet. We will now begin to discuss the different mediums people use to communicate and how to capture conversations across the visible elements of OSINT.

Public Conversations

Legally speaking, all the data and content we have been discussing refer to public conversations in public spaces. It is not legal to conduct OSINT to collect the private information and conversations of others. It is not legal to obtain passwords, pretend to be someone else to get information, or otherwise commit acts of subterfuge to get information. OSINT refers to the legal collection of public information and conversations and this alone is powerful enough. 

Our OSINT Best Practices report covers how Law Enforcement & Corporate Security teams can keep their OSINT investigations legal & ethical.


There is a lot out there in terms of public conversations. If Twitter, Instagram and Reddit are not enough, there are countless other social sites that might be right up someone's alley. For lone wolf types, a blog might be more appropriate. The purpose these sites all serve? It seems everyone has a lot to say. People use the Internet to communicate everything, even beyond the boundaries of what is often acceptable in regular society. Online you can be anyone and anything.

This is where the investigator can get busy. There is a lot to dig through, and some people, if they are very active, will have many conversations on multiple sites. OSINT investigators will want to capture all conversations and interactions surrounding an event for a threat actor they are investigating. Capturing these public conversations and documenting them fully is a science. Analyzing them is science and art. Start with honing technical skills: capture each conversation and each resulting comment. Those comments too might reveal something, and it might be necessary to look at how people in certain networks could be involved. A full picture is necessary and will go a long way when it is time to analyze the data.

Language

Much of our understanding of language comes from the linguistic discipline, which tells us that language is the sum of many parts.

Phonemes: These are the individual units of sound in a language. 

Morphemes: These are the words in a language.

Syntax: This refers to how words are structured in a sentence, that is, how they can be combined in different and sometimes novel ways.

Semantics: The most difficult to discover, even elusive some might say. Semantics refers to the meaning of a sentence, and not only that, but its meaning in the context in which it is communicated.

OSINT investigators will not be interested in studying these to extract the same information as your average linguistics researcher. They will study them from the practical perspective of using captured pieces of language to provide greater understanding of a threat that is about to occur, is in progress, or has already occurred. OSINT investigators will be interested in the specific words used, how they are combined in sentences, and what those sentences mean in context. Language can be used precisely or carelessly. It evolves and changes depending on the social context, and it is used powerfully even if the person wielding it is unaware, so it has a life of its own.

Why is language used in plain sight material to OSINT investigators? Take for example the relatively recent high-profile cases where extremist threats made on online forums preceded the threat actors following through on those threats violently, in a few cases streamed online. Those threat actors had been participating in alternative right-wing conversations online where words like “fecklessness” and phrases like “screw your optics” are mixed in with misspelt racial slurs. Threat actors’ language patterns can be studied to understand their actions and then built into a lexicon over time to understand and perhaps one day spot these types of threats.

Pictures

Going to bust out the cliché that a picture speaks a thousand words. Not words so much as messages. Millions of small messages hidden in every pixel. For most situations, the macroscopic scope is enough, but there are some niche disciplines where that pixel-level detail is required. OSINT investigators will generally be paying close attention to the objects that are in focus and were intended to be captured. Then, they will look at the objects in the background that were not intended to be captured but are still visible in plain sight. What is visible can be pretty powerful when you match that with technology and sound thinking. These specific OSINT skills take time to master. A great example of what OSINT can accomplish when looking at images is Bellingcat. Their team uses a number of different techniques, including crowdsourcing, to help with child protection cases, terrorism, hacker and threat actor groups, major crimes, and anything important they can apply their skills to.

Going Dark

The investigator must look beyond what is at the surface; what is visible is not enough. Through an unbiased investigative lens, the surface is the best place to start. Then, it is time to look past it, under it, through it, over it, and around it until you see what is underneath.

Part 3 of our series will be published next week, where we will go over the invisible and darker side of the story. We will discuss metadata, the Dark Web, private conversations, and the habits and behaviours that, while visible, are not at the surface and require digging.
