WEBVTT

1
00:00:00.000 --> 00:00:06.300
In this re-recorded video I'm going to go over an OSINT template and also another

2
00:00:06.300 --> 00:00:11.960
document that I'm currently using. Now first off I do want to say this is a

3
00:00:11.960 --> 00:00:18.079
re-record so I apologize to anyone that actually looked at the video probably

4
00:00:18.079 --> 00:00:23.799
late last night, early this morning, today and had issues with it. I do appreciate

5
00:00:23.799 --> 00:00:27.079
the student that reached out to me and let me know that there was a problem.

6
00:00:27.079 --> 00:00:33.919
Again I apologize and this is a re-recorded video. So it's important to

7
00:00:33.919 --> 00:00:41.400
have a documentation for your OSINT investigation. This is a basic template

8
00:00:41.400 --> 00:00:45.040
that I have. I'm going to put this on the Google Drive along with the other

9
00:00:45.040 --> 00:00:52.560
document. Feel free to use it, modify it, things like, go ahead and take

10
00:00:52.560 --> 00:00:57.560
out my header here. I can't imagine anyone was going to use my DGS header if you're

11
00:00:57.560 --> 00:01:02.360
doing it for your own OSINT investigations and whatnot. And there are

12
00:01:02.360 --> 00:01:06.839
other templates out there. There's free ones out there. There's ones you could

13
00:01:06.839 --> 00:01:12.319
have AI build. This is a generic one I had AI initially build and I went ahead

14
00:01:12.319 --> 00:01:21.160
and edited it. And there are also templates built into things like CSI Linux. However

15
00:01:21.199 --> 00:01:26.760
using it, it does some great jobs pre-populating things, but also it's kind

16
00:01:26.760 --> 00:01:32.680
of a pain when I used it for other stuff. So for me personally I find it easier to

17
00:01:32.680 --> 00:01:37.800
just take a template like this and kind of modify it like I need to. So let me

18
00:01:37.800 --> 00:01:45.519
kind of go over this for you to give you an idea how these reports work. So I have

19
00:01:45.519 --> 00:01:51.519
my logo here. Private Investigation Report Identifier. So case ID or target

20
00:01:51.519 --> 00:01:59.000
name. Status. Is this a preliminary search or is this a final report?

21
00:01:59.000 --> 00:02:02.879
Classification: Private, Restricted Distribution, which is probably going to

22
00:02:02.879 --> 00:02:06.120
be the case for most of your OSINT investigations. It is going to be

23
00:02:06.120 --> 00:02:12.059
confidential and private. Executive Summary. So a quick summary about hey

24
00:02:12.100 --> 00:02:17.820
what's the objective? What was the point of this report or investigation? And some

25
00:02:17.820 --> 00:02:24.020
brief key findings. What are some of the most important things that you discover

26
00:02:24.020 --> 00:02:28.419
during your investigation? And the Executive Summary is really important

27
00:02:28.419 --> 00:02:34.860
to give people like the higher-ups a quick view because a lot of times they

28
00:02:34.860 --> 00:02:38.500
may not understand what they're looking at or don't have time or a little bit of

29
00:02:38.500 --> 00:02:45.779
both. So having that Executive Summary makes a big difference. Now Subject

30
00:02:45.779 --> 00:02:52.139
Identity Profile. What's their full legal name if you know it? What are their

31
00:02:52.139 --> 00:02:57.699
aliases, maiden name, nicknames, common name variations. Primary handles. Things

32
00:02:57.699 --> 00:03:02.660
that they use across say social media platforms and whatnot. What's their

33
00:03:02.699 --> 00:03:08.979
estimated location? City, state. Now it's estimated normally because a lot of

34
00:03:08.979 --> 00:03:16.259
times we're not positive where these people reside or where they're currently

35
00:03:16.259 --> 00:03:25.940
operating in. So estimated location is a pretty basic way to put it. So next up we

36
00:03:25.940 --> 00:03:31.500
have things like digital footprint and social media and there's some pretty

37
00:03:31.619 --> 00:03:37.419
basic ones up in here. LinkedIn, X, Twitter, Facebook, Instagram. Additional

38
00:03:37.419 --> 00:03:43.820
URLs. So if I find my target on things like, say, Blue Sky or

39
00:03:43.820 --> 00:03:49.059
Upscroll, things like that. TikTok. I could fill in these and I always could

40
00:03:49.059 --> 00:03:56.220
add more boxes as needed as I find more social media platforms that they're on.

41
00:03:56.339 --> 00:04:02.339
So what's their handle or username? What's the direct URL associated to

42
00:04:02.339 --> 00:04:10.339
those accounts? What's their status and what's their other information

43
00:04:10.339 --> 00:04:17.700
that's going to be relevant? Friends, family, anything that's going to be

44
00:04:17.700 --> 00:04:25.500
important populate in that other box. Professional history, workplaces, things

45
00:04:25.500 --> 00:04:30.380
like, okay, where do they currently work? What's the company's name?

46
00:04:30.380 --> 00:04:39.739
What's their role? What's the company's, say, business ID? Who owns it? What were

47
00:04:39.739 --> 00:04:44.940
their past employments? Company name, what was their role? How long were they there?

48
00:04:44.940 --> 00:04:50.899
When were they active there? Things like that. Property and physical assets, things

49
00:04:51.019 --> 00:04:56.739
like, do they have an address? Do they own a home? Do they own a vehicle? Do they

50
00:04:56.739 --> 00:05:03.940
own a boat? Do they have any rental history, rental properties and trusts?

51
00:05:03.940 --> 00:05:12.660
Things like that. And what's the asset value? Now, you're not going to fill that

52
00:05:12.660 --> 00:05:16.260
out for every investigation. This is going to be for things like, say, if you

53
00:05:16.260 --> 00:05:21.179
need to get information on someone and find out their basic worth or if they

54
00:05:21.179 --> 00:05:28.619
have anything unusual, like, hey, that's strange. This guy that has no real job,

55
00:05:28.619 --> 00:05:35.779
he works at, or I should say, this person works at, say, a fast food restaurant

56
00:05:35.779 --> 00:05:41.179
and he's a fry cook, for example. Yet, well, that's odd. He's driving a

57
00:05:41.179 --> 00:05:45.540
Lamborghini and that's registered in his name. Things like that, you put in there

58
00:05:45.619 --> 00:05:51.100
and you put the approximate value, because that's really unusual and having

59
00:05:51.100 --> 00:05:55.779
that value can help with your investigation. Associated assets,

60
00:05:55.779 --> 00:06:00.380
vehicles, secondary property, land parcels, et cetera. And additional notes.

61
00:06:00.380 --> 00:06:04.380
So that's going to be important because there's always going to be that kind of

62
00:06:04.380 --> 00:06:07.179
outlier information that you get that's going to be important for your

63
00:06:07.179 --> 00:06:11.019
investigation, or at least you feel it may be really important. So you want to

64
00:06:11.019 --> 00:06:18.140
have additional notes there. We also have, and actually these numbers need to

65
00:06:18.140 --> 00:06:24.700
be changed, but investigation findings narrative, things like explain the data

66
00:06:24.700 --> 00:06:31.619
points that you found during your investigation. Things like, well, I found

67
00:06:31.619 --> 00:06:35.299
their LinkedIn profile and that confirmed their employment at this

68
00:06:35.299 --> 00:06:41.260
company and that company is associated to this other thing I found. Things like

69
00:06:41.260 --> 00:06:46.579
that. Kind of how the information connects to each other. Evidence logs and

70
00:06:46.579 --> 00:06:53.220
sources. So things like anything additional that you have.

71
00:06:53.220 --> 00:06:59.579
Things like company URLs, other information, pasted URL and the dates on

72
00:07:00.100 --> 00:07:05.980
there. And conclusion recommendations, final assessments, high, medium, low

73
00:07:05.980 --> 00:07:09.859
confidence in your findings. How confident are you about the information

74
00:07:09.859 --> 00:07:15.660
that you put in the report? Are you able to validate that information? Is a lot of

75
00:07:15.660 --> 00:07:20.459
it speculative? You want to kind of put down, well, okay, my confidence rating is

76
00:07:20.459 --> 00:07:25.660
medium because of this. My confidence rating is high because I was able to

77
00:07:25.660 --> 00:07:34.739
validate it and verify in this. Recommended actions. And of course, your

78
00:07:34.739 --> 00:07:39.820
name, lead investigator name. You can put other investigators on there and date of

79
00:07:39.820 --> 00:07:46.140
completion. And also you want to put the date started and whatnot. But again, this

80
00:07:46.140 --> 00:07:51.220
is a basic template. Again, go ahead and feel free to use this if you want. Modify

81
00:07:51.220 --> 00:07:56.700
it however you need it for your particular use case. Because I do say basic

82
00:07:56.700 --> 00:08:01.980
because when it comes to investigations, chances are you are going to change

83
00:08:01.980 --> 00:08:04.980
things up depending on what your investigation is, add more stuff, take some

84
00:08:04.980 --> 00:08:10.660
stuff out, things like that. A lot of times it's not a one fits all. So again,

85
00:08:10.660 --> 00:08:17.980
that's why you want a document that you can edit and tailor to your needs. So

86
00:08:17.980 --> 00:08:28.500
that was the report template. And this is another one. So OSINT services, client

87
00:08:28.500 --> 00:08:34.780
intake and case scoping. Now, I really wish I had done this years and years ago when

88
00:08:34.780 --> 00:08:41.580
I started doing investigations because this kind of thing drives me nuts. So

89
00:08:42.780 --> 00:08:46.219
someone may come to you and go, hey, I need you to do an investigation. I need

90
00:08:46.260 --> 00:08:52.539
you to take a look at this one person. I think they may be doing something really

91
00:08:52.539 --> 00:09:00.979
shady. I think they might be, say, DDoSing our network. I need you to just kind of

92
00:09:00.979 --> 00:09:09.020
dig in there and figure out, yeah, are they potentially doing illegal stuff? And

93
00:09:09.020 --> 00:09:15.219
here's their name. And you go off and you start your investigation. You start with

94
00:09:15.219 --> 00:09:21.900
a name and kind of what they think might be going on with them. And you spend

95
00:09:21.979 --> 00:09:26.380
hours, you spend days or weeks collecting this information and trying to connect

96
00:09:26.380 --> 00:09:32.059
the dots there. And you come back and you might get, they might come to you during

97
00:09:32.059 --> 00:09:36.299
your investigation before you finish. You go, hey, how's your investigation going?

98
00:09:36.299 --> 00:09:40.940
You go, well, okay, well, it's going pretty good. So I got from that name, I

99
00:09:40.940 --> 00:09:49.780
figured out, hey, this is their, this is their username on X. And I found this bit

100
00:09:49.780 --> 00:09:55.059
of information about them and this. So I'm going on, I'm validating that

101
00:09:55.059 --> 00:10:00.299
information. It took me a little while to validate that, that this person on X is in

102
00:10:00.299 --> 00:10:06.859
fact them. And this other information is in fact related to them. And the person

103
00:10:06.859 --> 00:10:11.739
that gave you that investigation, oh yeah, I knew that already. And you kind of slap

104
00:10:11.739 --> 00:10:17.219
your head and go, well, if you told me that you knew this, you know, certain

105
00:10:17.219 --> 00:10:21.099
information before I start this investigation, that could have saved me a

106
00:10:21.099 --> 00:10:25.500
whole lot of time and it could have saved you a lot of time. And I could have made so

107
00:10:25.500 --> 00:10:32.260
much more progress in this investigation right off the bat. So for whatever reason,

108
00:10:32.299 --> 00:10:36.700
people don't always give you the information that they know, whether it's,

109
00:10:37.460 --> 00:10:41.340
I don't know, maybe they're testing you or maybe it doesn't occur to them that,

110
00:10:41.380 --> 00:10:47.460
oh, I should tell them, you know, as much information as I know, or sometimes

111
00:10:47.460 --> 00:10:53.020
investigators may feel like, well, you know, my job is doing investigation. I

112
00:10:53.020 --> 00:10:57.979
should really find out this information. Don't feel that way. If someone's going

113
00:10:57.979 --> 00:11:01.700
to you with an investigation, find out as much as you can from that person,

114
00:11:02.140 --> 00:11:06.580
because that will give you a much better starting point. When you do your

115
00:11:06.580 --> 00:11:11.659
investigation, the more information you have, the better. And of course, taking

116
00:11:11.659 --> 00:11:15.260
that information, you do want to validate that what they know is in fact going to

117
00:11:15.260 --> 00:11:21.900
be true or not. Now, something like this goes a long way towards that. So this

118
00:11:21.940 --> 00:11:27.780
essentially is an intake case scoping. So this is designed to give to your

119
00:11:27.780 --> 00:11:32.780
client so they could fill this out and give you information to help you with

120
00:11:32.780 --> 00:11:38.900
your start of your investigation. So case reference, a date of intake, primary

121
00:11:38.900 --> 00:11:43.539
investigator, again, modify this as you need. So client information. So

122
00:11:43.539 --> 00:11:47.340
information about your client. First of all, Hey, what's their name? What's their

123
00:11:47.340 --> 00:11:51.619
organization? What's the primary contact? What's the phone number? Secure

124
00:11:51.619 --> 00:11:55.820
communication that you want to, that you're going to communicate with. What's

125
00:11:55.820 --> 00:12:01.219
their email? Encrypted preferably. Things like ProtonMail are great. Things

126
00:12:01.219 --> 00:12:08.900
like that. What type of investigation? Legal wise, is it for litigation, due

127
00:12:08.900 --> 00:12:15.140
diligence, safety, something else. Kind of gives you an idea of, you know, how

128
00:12:15.140 --> 00:12:20.900
you approach this. The short answer is you should approach every

129
00:12:20.900 --> 00:12:26.739
investigation as if it may end up in court and you always want to do things

130
00:12:27.140 --> 00:12:31.739
legally. And I'm not saying that in quotes. Really you do want to do your

131
00:12:31.739 --> 00:12:37.140
investigations legally because the last thing you need is to get sued, have your

132
00:12:37.140 --> 00:12:40.940
investigation thrown out because you did something illegal. Like, Oh yeah, I logged

133
00:12:40.940 --> 00:12:44.580
into their account because I found their password on the dark web. No, you

134
00:12:44.580 --> 00:12:51.299
can't do that. So again, always remember to do things legally and depending on

135
00:12:51.299 --> 00:12:59.380
your state, country, things like that, that's going to vary. So keep that in

136
00:12:59.380 --> 00:13:06.380
mind. So subject seed data. This is going to be for your client to fill out.

137
00:13:06.380 --> 00:13:10.859
Please provide as much known good information as possible to prevent false

138
00:13:10.859 --> 00:13:16.820
positives. Individual subject or subjects, full legal name and known aliases. If

139
00:13:16.820 --> 00:13:21.299
they know what their name is, if they know what their alias is, if they don't

140
00:13:21.299 --> 00:13:25.500
know any of these questions, then don't worry about it. Tell them not to worry

141
00:13:25.500 --> 00:13:30.940
about it. It's okay. Just fill out as much known good information as they have.

142
00:13:31.419 --> 00:13:36.059
A date of birth or approximate age, known locations, current and past, phone

143
00:13:36.059 --> 00:13:40.700
numbers, primary email addresses, known emails, social media handles, a

144
00:13:40.700 --> 00:13:46.780
significant associate or partners, people that associate with business entity,

145
00:13:46.780 --> 00:13:54.419
subjects, legal names, DBAs, registry, registration, state, country, any domains

146
00:13:54.419 --> 00:13:59.500
or URLs that they're associated to, and any additional information that they want

147
00:13:59.500 --> 00:14:09.619
to share with you. And they can also fill this out, check all that apply. Tier

148
00:14:09.619 --> 00:14:13.700
one, what type of investigation is it going to be? Tier one, surface web presence,

149
00:14:13.700 --> 00:14:18.260
social, things like, hey, I want you to check out the social media, check the

150
00:14:18.260 --> 00:14:22.260
news, do a basic search on them. Just give me some very surface level

151
00:14:22.260 --> 00:14:27.179
information about this person or these people, this organization, whatever. Tier

152
00:14:27.179 --> 00:14:31.419
two, deep web, public records. Well, this gets a little bit deeper. Start

153
00:14:31.419 --> 00:14:37.219
checking property records, court filings, business registrations and whatnot. Tier

154
00:14:37.219 --> 00:14:43.900
three, dark web data leak analysis. In this regard, I'm going to go into and

155
00:14:43.900 --> 00:14:48.700
start looking at breach data. Hey, do they show up in any of these breaches? Are

156
00:14:48.700 --> 00:14:56.940
they mentioned in any dark web forums? Are there any PII leak exposures? Tier

157
00:14:56.940 --> 00:15:03.940
four, network and technical intelligence. This might be an investigation on domain

158
00:15:03.940 --> 00:15:11.859
structure. What can you see? Are there any potential vulnerabilities on a website

159
00:15:11.859 --> 00:15:17.900
or domain? IP history, WHOIS lookup, things like that. Tier five, financial

160
00:15:17.900 --> 00:15:22.460
asset discovery. Hey, what can you find out about this person or organization?

161
00:15:22.460 --> 00:15:30.460
Vehicles, vessels, records, filings, professional licenses, et cetera. And they

162
00:15:30.460 --> 00:15:34.539
may have you do one through five, or they may have you do, well, I want surface

163
00:15:34.539 --> 00:15:42.380
web and I want a network discovery. So one and four. So it's up to your client. Terms

164
00:15:42.380 --> 00:15:47.380
of disclosure, passive methods only. Unless explicitly agreed upon, all

165
00:15:47.380 --> 00:15:52.219
research is passive. The investigator will not contact the subject or use

166
00:15:52.219 --> 00:15:56.979
pretexting, social engineering, password resets, contacting the subject or

167
00:15:56.979 --> 00:16:06.179
subjects, use of found passwords, et cetera. So most of the time, most

168
00:16:06.179 --> 00:16:10.659
investigations are going to be passive, especially if you do not want your

169
00:16:10.659 --> 00:16:18.219
target being aware. So again, unless specifically agreed upon, it's going to

170
00:16:18.219 --> 00:16:23.979
be passive. Data limitation. Intelligence is provided on an as-is basis based on

171
00:16:23.979 --> 00:16:28.340
available open sources. Information can be deleted, falsified, obscured by the

172
00:16:28.340 --> 00:16:32.859
subject or other factors. So basically you're telling your client, hey, I'm

173
00:16:32.859 --> 00:16:38.940
pulling the information that I find. I'm going to try to validate to the best of

174
00:16:38.940 --> 00:16:44.299
my ability. However, there may be false positives. Some of the reports that I

175
00:16:44.299 --> 00:16:49.940
pull may not be accurate. Some of the information the target may have

176
00:16:49.940 --> 00:16:56.179
intentionally put bad information out there. Things like myself, I put different

177
00:16:56.179 --> 00:16:59.340
names, different phone numbers, different addresses. Sometimes I'll throw in a

178
00:16:59.340 --> 00:17:04.540
middle name that's not my middle name just to screw with the information when

179
00:17:04.540 --> 00:17:11.420
people start looking for me. Things like that. That can happen. And again, you try

180
00:17:11.420 --> 00:17:15.579
to do your best to validate that information. But again, there can be bad

181
00:17:15.579 --> 00:17:20.939
information, whether it's intentional or unintentional. So that's why you tell

182
00:17:20.939 --> 00:17:24.859
your client, hey, this is on an as-is basis. I will do my best to validate that

183
00:17:24.859 --> 00:17:29.500
information. However, there is still a chance that that information is not

184
00:17:29.500 --> 00:17:34.739
going to be accurate. Confidentiality. Both parties agree to maintain

185
00:17:34.739 --> 00:17:40.300
confidentiality of the investigation findings and the methods

186
00:17:40.420 --> 00:17:47.739
used. Confidentiality and privacy are huge when it comes to doing open source

187
00:17:47.739 --> 00:17:52.979
intelligence and investigation. So keep that in mind. Authorization. Authorized

188
00:17:52.979 --> 00:17:58.819
budget cap. If you are getting a budget, if someone is paying you and going, I

189
00:17:58.819 --> 00:18:01.579
will give you resources, I will give you X amount of money to do your

190
00:18:01.579 --> 00:18:05.300
investigation because you may need things like, well, okay, hey, I'm going to

191
00:18:05.300 --> 00:18:09.260
use this service to try to do a background check. It's going to cost as

192
00:18:09.260 --> 00:18:15.540
much. I'm going to go through business filings, but they

193
00:18:15.540 --> 00:18:22.619
want $25 to get those records. So I am going to need a budget for that. Also,

194
00:18:22.979 --> 00:18:27.579
if you have a budget cap, you put that down there. Target delivery date. When

195
00:18:27.579 --> 00:18:33.380
you expect to deliver the information or what the hard stop is. Client

196
00:18:33.380 --> 00:18:39.819
signature and date and investigator signature and date. So again, these are

197
00:18:39.819 --> 00:18:45.459
just some basic templates and questionnaires to help you with your

198
00:18:45.459 --> 00:18:49.219
investigations. Hopefully you found this useful. Thank you so much for watching.

199
00:18:49.260 --> 00:18:50.339
I'll see you next video.

