Integrity in OSINT

Having a foundational understanding to avoid self-exposure.

Understanding Passive vs. Active OSINT

Passive OSINT (Open-Source Intelligence) refers to the collection and analysis of publicly available information where the investigator never sends a packet to, or engages with, the target’s infrastructure. Instead of "knocking on the door," the researcher utilizes third-party repositories and cached data to build a profile.

Active OSINT (Open-Source Intelligence) involves data collection methods that require direct engagement with the target's assets. Unlike passive methods, active OSINT sends requests, packets, or communications directly to the target, which can be logged, monitored, or alerted on by security systems.

Let me start by saying that OSINT tools are great. They save time, they are always changing, and they can be dangerous to your overall OPSEC (Operational Security).

Even after you understand Passive vs. Active OSINT, you may still inadvertently engage in Active OSINT and not even be aware of it. For example, let's say a tool is trying to locate a subject's LinkedIn page, and opens a new tab to display the results for you. If you are logged into your personal LinkedIn account in a different tab, and open the profile of your target, you have just exposed yourself. That visit is tracked by the subject's LinkedIn account.

In this case, since I do not currently pay for LinkedIn Premium, the info is not available. For those who currently pay for premium, the visits to their profile are made available. If you want to see who is visiting your profile, and you haven't already done so, you should be able to get a free trial of LinkedIn Premium. Note: I would use a virtual credit card if possible. You can adjust your LinkedIn settings to keep your visits to other LinkedIn profiles private, but I recommend always using a virtual machine when conducting OSINT research.

To change your LinkedIn privacy, visit Account > Settings & Privacy > Visibility > Profile Viewing Options > Private Mode

This should be a common practice to protect your identity, but NOT in place of good OPSEC practices. A virtual machine is best to ensure you are isolated from your host machine. You can also use a program like Kasm which provides you with a complete workstation, right in your browser tab.

It is easy to get excited when you find a new lead or pivot point. You may be tempted to just check it out real quick, without firing up your Virtual Machine. Don't do it. Make it common practice to always isolate yourself, no matter how safe you think you will be. It only takes a minute to compromise yourself and your investigation.
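The passive/active distinction and the LinkedIn scenario above can be turned into a pre-flight check on the links a tool is about to open. This is an added example, not part of the original article; the target domain, the list of platforms that show a profile owner who viewed them, and the label names are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumptions (constructed): the subject's own domains, and platforms where a
# logged-in visit can be shown to the profile owner.
TARGET_DOMAINS = {"target-corp.example"}
VIEWER_DISCLOSING_PLATFORMS = {"linkedin.com"}


def _host(url):
    """Lowercased hostname; tolerates links pasted without a scheme."""
    try:
        parts = urlsplit(url)
        if not parts.netloc:              # "host/path" parses with no netloc
            parts = urlsplit("//" + url)
        return (parts.hostname or "").rstrip(".")
    except ValueError:                    # e.g. malformed IPv6 brackets
        return ""


def _within(host, domains):
    """Match the domain itself or a subdomain, only on a label boundary."""
    return any(host == d or host.endswith("." + d) for d in domains)


def classify(url):
    host = _host(url)
    if not host:
        return "UNKNOWN"                  # unparseable: hold until reviewed
    if _within(host, TARGET_DOMAINS):
        return "ACTIVE"                   # request lands in the target's logs
    if _within(host, VIEWER_DISCLOSING_PLATFORMS):
        return "ATTRIBUTABLE"             # third party, but visit may be shown
    return "PASSIVE"                      # third-party repository or cache


def preflight(urls):
    """Group a tool's queued links so only PASSIVE ones open unreviewed."""
    report = {"PASSIVE": [], "ATTRIBUTABLE": [], "ACTIVE": [], "UNKNOWN": []}
    for u in urls:
        report[classify(u)].append(u)
    return report


# Constructed sample of links an OSINT tool might queue up.
PLANNED = [
    "https://web.archive.org/web/2020/http://target-corp.example/",
    "https://www.linkedin.com/in/some-subject",
    "https://vpn.target-corp.example/login",
    "nottarget-corp.example/about",
]
```

Anything not classified PASSIVE is a prompt to stop and open the link only from the isolated virtual machine, logged out of personal accounts.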

Never Cross the Line

There will be times during an investigation when you have access to a subject's private credentials. If you find yourself stuck without new leads or pivot points, you may be tempted to use that access to uncover the next clue. You might even justify it by telling yourself that locating the subject outweighs a single ethical breach. Do not do it. Not even once. Ever.

Crossing that line will damage your integrity and your case, and can even cost you your job. If you ever get to that point, step away, clear your head and come at it from another angle. Always put honesty and integrity first.