OSINT – Diving into an ‘Ocean’ of Information

by OSINT researcher



In Short: A look at how combining different openly available information sources can lead to meaningful results in your investigation, using what is known as open source intelligence.


Note: This article is U.S.-centred, reflecting the expertise and geographical background of the writer. We welcome suggestions of additional cases from other contributors who wish to add more geographically diverse examples or viewpoints from their OSINT investigations in different environments.

On May 25, 2020, in Minneapolis, Minnesota, in the United States, a Black man named George Floyd was murdered by a white police officer named Derek Chauvin, setting off months of continuous protests, actions and riots across the entire country and around the world. Alongside many verified reports of genuinely frightening actions by local and federal government in reaction to these protests, a lot of unrealistic and misinformed reports, closer to rumours than news, began spreading in activist and left-leaning circles on social media and in private conversations.

Persistent myth-making, confusion and fear surrounded the arrest and felony criminal charges filed against Lore-Elizabeth Blumenthal, a woman who allegedly set fire to two empty police cars on May 30, 2020 in Philadelphia, Pennsylvania, and who ended up being tracked down by the FBI. Blumenthal was identified by FBI investigators who combed aerial and social media footage of protestors, noted a unique t-shirt she wore, found the t-shirt’s slogan in an Etsy store (an online, U.S.-based webshop host), and compared the public profile Blumenthal used to leave a review for the t-shirt with other social media profiles using the same or a similar name. Blumenthal’s arrest seemed to shock and terrify people, and it made waves in the media. The reality is that Blumenthal’s case isn’t evidence of “supercop” investigators or overreaching government surveillance – it is a clear use of open source intelligence (OSINT) techniques, which don’t require professional training and are generally free and available to anyone with a decent internet connection.

There are a lot of resources (some linked below – see resources at the end) that describe how to protect yourself from OSINT research techniques employed by law enforcement or by hackers and bullies (OSINT used to harass or bully someone is sometimes known as doxxing), and protesters around the world have been using them already. Protecting yourself from potential OSINT investigations can include operational security practices (sometimes known as OPSEC, a term borrowed from the U.S. military) in person, like wearing unremarkable clothing and covering identifiable features (sometimes known as wearing or being in black bloc). Online, protecting yourself from OSINT investigations could mean simply keeping your social media profiles private, using end-to-end encrypted messaging services, and upholding social norms against documenting and publishing videos, photos or live-streams of political actions without “scrubbing” metadata from the digital files and obscuring the identities of participants by blurring or pixelating images. The latter is also part of one’s responsibility to protect the privacy of (potentially) vulnerable others such as victims, sources, collaborators, etc.

This article describes OSINT information development — not how to find information, but how OSINT practices and frameworks can turn information into valuable, actionable and compelling knowledge (whether you’re a cop…or not).

What OSINT is about

First of all, OSINT is a professionalization of a basic concept, designed to make the techniques and practices seem more unique, intimidating and advanced. Open Source Intelligence is literally what its name says. Open source – as you might already know – is used mainly when speaking about software, and it refers to software for which the source code is available for public review and modification. In this guide and in the general context of OSINT-based investigations, it has a more general meaning, which might be described as such: free or inexpensive information, tools or media that can be accessed, reviewed and used by average people, without licenses or active permissions. Intelligence in this instance just means information, data or knowledge.

OSINT isn’t just information available by any means. It refers to information legally accessible by a member of the public – like an Etsy review, an unprotected tweet, an unsealed court document, or a construction site’s activities seen from the street. OSINT also describes information leaked to the public, like the Panama Papers or information published by Wikileaks.org.

Obviously, legally accessible information means something different depending on where you live, and who you are. A police officer combing privately accessible surveillance videos for protesters can do a lot more with a public Etsy review than the average citizen investigator. A U.S.-based investigator will have more open access to social media than one based in China.

This leads to an important aspect of OSINT-powered investigation: OSINT research relies on creating overlaps and meshing knowledge from different sources. Like waves of an ocean saturating sand, or dip-dyeing fabric – each source deepens understanding and develops the picture in a wider context. Individual pieces of information may not be accessible to everyone, but combining enough different sources can turn seemingly useless data into meaningful results.

Examples of how to investigate with OSINT


Example 1 – NYC Building Ownership

Many governments and corporations are required to publicly register information, but often in decentralized ways. The information is most powerful when it can be brought together – combining datasets that have mutual importance.

A common example: in many places around the world, real estate transactions are publicly announced or recorded. If you wanted to know who owns a building in New York City, you would have to check the City Department of Finance records for a deed (a record of sale); you might even need to go to a different city website to find the block and lot number of the property first. Let’s say a company owns the building. You’d have to check with the New York Department of State and look into the corporate records – but in New York, companies don’t have to list their officers. Then you might turn to media, social media or other sources to keep layering information – dip-dyeing the fabric – until you get the color you want.

Even though property sales are public in New York City, wealthy individuals, especially those who are trying to “sink” money into assets to avoid tax or hide criminal proceeds, often buy expensive luxury apartments through shell companies. Investigative journalists and prosecutors have used OSINT research to identify those individuals. For example, in October 2019, the Wall Street Journal called a $240 million unit in the apartment building at 220 Central Park South the most expensive home in the U.S. – owned by a corporation called NYCP LLC.

New York City Department of Finance property records can be searched by company name. Here’s what it looks like:

https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/nyc-finance-records.png Screenshot from New York City Department of Finance online property records - Search by Party Name: https://a836-acris.nyc.gov/DS/DocumentSearch/PartyName. Source: the author.

These are the results for this search:

https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/nyc-finance-records-results.png Screenshot from New York City Department of Finance online property records - results of Search by Party Name: https://a836-acris.nyc.gov/DS/DocumentSearch/PartyName. Source: the author.

The last line in this result page shows the January 23, 2019 purchase of a property at Block 1030 Lot 1026 in Manhattan for $239,958,220. Here’s an image of the deed, which shows the unit number 50 was sold from one corporation (VNO 225 West 58th Street LLC) to another (NYCP LLC).

https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/nyc-finance-records-results-last.png Screenshot from New York City Department of Finance online property records - results of Search by Party Name: https://a836-acris.nyc.gov/DS/DocumentSearch/PartyName. Source: the author.

The fifth page of the deed shows that the “sole member” of the new owner of this $240 million Manhattan apartment is another company, called K.P. Holdings, LLC., for which an individual Molly McEvily is an authorized signatory.

https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/nyc-finance-records-results-fifth.png Screenshot from New York City Department of Finance online property records - results of Search by Party Name: https://a836-acris.nyc.gov/DS/DocumentSearch/PartyName. Source: the author.

A search of the New York State Division of Corporations returns no results for NYCP LLC or KP Holdings L.L.C.

https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/ny-corp.png Screenshot of online search via the New York State Division of Corporations https://appext20.dos.ny.gov/corp_public/CORPSEARCH.ENTITY_SEARCH_ENTRY / no results. Source: the author.

Sadly, a search of the OSINT database opencorporates.com returned far too many results for similarly named companies. A search of opencorporates.com for companies listing the same officer named in the deed – Molly McEvily – also wasn’t helpful.

https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/opencorporates-molly.png Screenshot of online search results via https://opencorporates.com/. Source: the author.

Now to an old friend, Google – Molly McEvily has a public LinkedIn profile, which shows she worked at Citadel LLC in the office of the CEO for several years.

https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/linkedin-molly.png Screenshot of Molly McEvily’s public LinkedIn profile. Source: the author.

A Google search quickly shows that the CEO of Citadel LLC has been Kenneth C. Griffin since he founded the company in 1990. This is a good indicator that Molly McEvily was working closely for Kenneth C. Griffin, a hedge fund billionaire, around the time she signed the purchase papers on behalf of KP Holdings L.L.C. and NYCP LLC. It’s not a proven confirmation, but it’s a reasonable lead that Griffin’s money might be behind the purchase of the $240 million apartment.

This example is a bit of a cheat – Griffin was linked to the purchase of this apartment in media reports, and Citadel LLC confirmed he was behind the buy. However, it is easy to see how these different sources all layer to create meaning with each other.
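The layering in Example 1, worked through in code: this is an added example, not the author’s code or any registry’s API. Every record below is constructed to mirror the names and figures quoted above (the deed, its signature page, the look-alike registry hits, the public profile), and the registry rows, jurisdictions and profile entries are assumptions; the name normalization shows why “K.P. Holdings, LLC.” and “KP Holdings L.L.C.” must be compared as one key, and why the registry alone cannot resolve the owner.

```python
import re

CORP_SUFFIXES = {"LLC", "INC", "CORP", "CO", "LTD", "LP"}


def normalize_name(name: str) -> str:
    """Key for comparing company names across registries: uppercase, drop
    punctuation and a trailing corporate suffix, then drop spaces, so that
    'K.P. Holdings, LLC.', 'KP Holdings L.L.C.' and 'K P Holdings LLC' all
    produce 'KPHOLDINGS'."""
    tokens = re.sub(r"[^A-Z0-9 ]", "", name.upper()).split()
    while tokens and tokens[-1] in CORP_SUFFIXES:
        tokens.pop()
    return "".join(tokens)


# Layer 1: deed records as a finance-department index would list them
# (constructed values that mirror the figures quoted in the article).
DEEDS = [
    {"block": 1030, "lot": 1026, "date": "2019-01-23", "amount_usd": 239958220,
     "grantor": "VNO 225 West 58th Street LLC", "grantee": "NYCP LLC"},
]
# Layer 2: what the deed's signature page states about the grantee (constructed).
DEED_SIGNATURE_PAGES = [
    {"entity": "NYCP LLC", "sole_member": "K.P. Holdings, LLC.",
     "signatory": "Molly McEvily"},
]
# Layer 3: a corporate registry full of look-alike names (constructed; stands in
# for the "way too many results" the article describes).
CORP_REGISTRY = [
    {"name": "KP HOLDINGS L.L.C.", "jurisdiction": "constructed-A"},
    {"name": "K P Holdings LLC", "jurisdiction": "constructed-B"},
    {"name": "KP Holdings Inc", "jurisdiction": "constructed-C"},
    {"name": "KPH Holdings LLC", "jurisdiction": "constructed-D"},
]
# Layer 4: a public professional profile and a company's publicly known CEO
# (constructed entries mirroring the article's findings).
PROFILES = {"Molly McEvily": {"employer": "Citadel LLC", "role": "Office of the CEO"}}
COMPANY_CEOS = {"Citadel LLC": "Kenneth C. Griffin"}


def registry_candidates(company: str) -> list:
    """Registry rows whose normalized name equals the deed's company name."""
    key = normalize_name(company)
    return [row for row in CORP_REGISTRY if normalize_name(row["name"]) == key]


def trace_ownership(block: int, lot: int) -> dict:
    """Layer the sources for one property; every hop records where it came from."""
    deed = next(d for d in DEEDS if (d["block"], d["lot"]) == (block, lot))
    hops = [("deed", deed["grantee"])]
    sig = next((s for s in DEED_SIGNATURE_PAGES
                if normalize_name(s["entity"]) == normalize_name(deed["grantee"])), None)
    if sig is None:
        return {"hops": hops, "lead": None, "ambiguous": []}
    hops.append(("deed signature page", sig["sole_member"]))
    # The registry alone does not resolve the owner: several rows match the key.
    ambiguous = [c["name"] for c in registry_candidates(sig["sole_member"])]
    hops.append(("signatory", sig["signatory"]))
    lead = None
    profile = PROFILES.get(sig["signatory"])
    if profile:
        hops.append(("public profile employer", profile["employer"]))
        ceo = COMPANY_CEOS.get(profile["employer"])
        if ceo:
            hops.append(("company CEO", ceo))
            lead = ceo  # a lead to verify, not a confirmed owner
    return {"hops": hops, "lead": lead, "ambiguous": ambiguous}
```

Each hop keeps its source so the chain can be audited; the "ambiguous" list is the signal that the corporate-registry layer needs another layer (here the signatory's public profile) before the lead means anything.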


An extra step that can be fun here: looking up this apartment address in the U.S. Securities and Exchange Commission’s full-text database, EDGAR, yields 170 results. It’s hard to know if there will be anything useful down the rabbit hole, but an investigator is sure to gain at least a better understanding of the assets and companies surrounding this $240 million asset.

https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/sec-gov.png Screenshot of online search in EDGAR database https://www.sec.gov/edgar/search/. Source: the author.

Example 2 – Radio12

OSINT techniques and tools are incredibly useful. In the midst of the protests mentioned above, people started spreading word that some New York City Police Department (“NYPD”) radio channels are open, meaning anyone can tune into them. This has been true for a while, but most people aren’t into monitoring an NYPD frequency for fun. Faced with the violent response of NYPD officers to protests, and with intimidating use of pepper spray and physical techniques like kettling (when police officers surround a group of people from all sides to arrest them), protesters and passers-by were more interested in having an idea of how many cops were being dispatched to do what, and to where. NYPD open frequencies stream live online nowadays.

The organisation Radio12 seems to have been born out of live-Tweeted NYPD radio conversations — accounts using #NYCScannerDuty — and a need for people in the streets to know if they were in a hot spot of activity, or if police were sending prisoner vans, or were instructed to block roadways or kettle a protest group. When you’re out and moving you can’t listen to a live radio scanner — you want to see on a map where you are in relation to what’s coming your way. Radio12 built ScanMap with OSINT techniques.


https://cdn.ttc.io/i/fit/800/0/sm/0/plain/kit.exposingtheinvisible.org/osint/scan-map.png Screenshot of ScanMap database https://scanmap.mobi/NY/. Source: the author.

ScanMap publishes these Tweets live and places them on a map of New York City, creating gold — a mobile, free, accessible tool pulling together OSINT data points to perfectly serve an immediate need. The live public scanner is useless on its own, but combined with public geographic data and maps, it became an indispensable mine of knowledge for average people engaged in protest actions.

Leaks, Transparency, Safety and Power


As mentioned before, OSINT includes publicly available information – even if it was once private.

Published leaks of government, corporate or other private information by whistleblowers, hackers, former employees (or by accident) can give a wealth of information to the public. For example, the leaks at the core of the Panama Papers investigations in 2016 revealed hundreds of thousands of private corporate documents related to offshore shell companies and their ultimate beneficial owners to the German newspaper Süddeutsche Zeitung, which published the information and created a database in cooperation with the International Consortium of Investigative Journalists (ICIJ). These documents, prior to the leak, were legally kept private, and they transformed into OSINT as soon as they were published by the newspaper.

Many people think a lot of good has come out of the Panama Papers leaks, which led to the prosecution of wealthy tax fraudsters and money launderers around the world, revealed government and corporate relationships, and prompted new banking and corporate disclosure regulations worldwide. More transparency should hopefully always lead to more ethical behavior.

However, greater transparency can also lead to greater risks for individuals.

The same OSINT goldmines that reveal corporate misdeeds and political relationships of those in power can be turned against individuals who don’t have the protection of wealth and power. As mentioned earlier, OSINT can be weaponized in the form of doxxing – publishing the identity or other personal information found about an individual to harm them, professionally or physically. Many OSINT investigators might wish that more data sources were freely accessible (makes everyone’s work easier!) but without strict and well-intentioned data regulations, average people are poorly protected from data leaks, doxxing, corporate mining of personal information and other kinds of informational abuse.

There is a tension between the seemingly obvious “good” of open, transparent and free information and the “good” of wanting to protect personal, sensitive data of individuals from exploitation. Free and open data about companies, governments and the environment may be a human right, just as many people believe that personal privacy is a human right. Perhaps this tension won’t be resolved until data protections for corporations and the assets they often hide can be properly separated from those for natural persons.

Open data sources can also prevent governments from manipulating data and controlling information for political reasons.

In early December 2020 in the U.S., police raided the home of a former Florida state data scientist, Rebekah Jones, who has said she was fired from her job after refusing to manipulate COVID-19 infection data in the state. After losing her job, Jones had started publishing COVID-19 data for Florida on a website called Florida Covid Action Community Database (page archived as of 13 March 2021 on the Wayback Machine here), using more complete data to calculate more accurate infection figures that were less supportive of loosening restrictions on public life. Jones was reportedly targeted for using her former work credentials to log in to a Florida emergency alert channel, where she urged state employees to “speak up before another 17,000 people are dead.” However, Jones has stated she believes the raid was retaliation for her criticism of state data and for her publishing of independent data – she says her computer and phone, her tools for gathering and publishing COVID-19 info daily, were confiscated.

It’s worth noting that leaking or publishing private information, presenting leaked information in a more usable way, or even publishing OSINT from different sources together can put an investigator at risk, depending on what that information can do or who it casts in a negative light. The benefits and risks of leaking information to the public are a different topic. But creating OSINT tools like Jones’ COVID-19 dashboard or Radio12’s ScanMap can be threatening to governments and those in power by their very nature; by combining multiple datasets with mutual importance in simple, free and intuitive ways – by layering OSINT sources – these tools can both challenge “official” data and invite the public to ask questions about the activities of governments and other power holders.

The power of OSINT

OSINT investigations often require creativity and intuition – seeing where different datasets slot together, imagining where you might find something useful, or pursuing new sources even when you’ve found a dead end, time and time again. Sometimes the information you want or need simply is not OSINT – it happens. But layering information, pulling in additional context, adding seemingly small details to your pool of data, and looking in unusual places can usually get you where you need to be. OSINT resources can lock into each other like puzzle pieces or can develop a picture like photo chemicals when used all together. Seemingly useless or irrelevant open data can be transformed into extremely powerful tools and used to further important investigations using OSINT research techniques.


Published March 2021

Resources

Articles and Guides

Tools and Databases

Glossary


Doxxing – publishing the identity or other personal information found about an individual to harm them, professionally or physically.


Metadata - Information that describes properties of a file, be it image, document, sound recording, map etc. For example the contents of an image are the visible elements in it, while the date the image was taken, the location and device it was taken on, are called metadata.


Offshores - Also called tax havens or fiscal paradises, these are jurisdictions that offer attractive tax deductions and other financial benefits to foreign companies incorporating locally (see Transparency International’s Anti-corruption glossary for more.)


OSINT - stands for Open Source Intelligence. It is a professionalization of a basic concept, in this case referring to free or inexpensive information, tools, or media that can be accessed, reviewed and used by average people, without licenses or active permissions. Intelligence in this instance just means information, data, or knowledge.


Shell company - Companies that are pre-registered by third parties and can be simply purchased by those who would like to have a company but prefer to avoid the process of setting it up. Shelf companies, also called “paper companies”, are companies that are registered and maintained in good order but that do not perform any business activities – they almost literally stay on the shelf. They are usually created by law or accounting firms. They are not illicit by nature but can be used for illicit purposes, especially when trying to obscure a beneficial owner.