The Complete OSINT Investigation Guide: Techniques, Tools, and Evidence Collection

Open Source Intelligence — OSINT — is the systematic collection, analysis, and production of intelligence from publicly available sources. It is not a niche discipline. It is practised every day by government intelligence agencies, law enforcement, private investigators, corporate security teams, journalists, and fraud analysts. And increasingly, by individuals who need to verify information, investigate fraud, or understand who they are dealing with.

This guide covers OSINT comprehensively: what it is, the intelligence cycle that structures professional OSINT work, the collection techniques that professionals use, the tools across the cycle, and — the phase most often skipped — how to document findings as you go so they remain usable in formal processes.

What OSINT Is and Why It Matters

OSINT is intelligence derived from publicly available sources — information that anyone could access without breaching any law or accessing any private system. This includes: websites, social media, news media, academic publications, government databases, company registries, court records, domain registration data, satellite imagery, and more.

The scope is vast, and the quality of intelligence possible from open sources is often underestimated. A skilled OSINT analyst can establish identity, employment history, financial relationships, social connections, location patterns, and behavioural characteristics entirely from public information — often more rapidly and with greater depth than traditional investigation methods.

OSINT is used across sectors:

• Government intelligence agencies use it for strategic warning, counter-terrorism, and foreign political analysis
• Law enforcement uses it for pre-investigation research, suspect identification, and digital evidence gathering
• Corporate security uses it for vendor due diligence, insider threat detection, and competitive intelligence
• Private investigators use it for background checks, fraud investigations, and subject research
• Journalists use it for investigative reporting, source verification, and accountability journalism
• Cybersecurity professionals use it for threat intelligence and attacker attribution

The Intelligence Cycle Applied to OSINT

Professional OSINT work is structured around the intelligence cycle — a framework developed in government intelligence contexts but equally applicable to private sector and investigative use.

Phase 1: Planning and direction

Every OSINT investigation begins with a clear research question. What are you trying to establish? Who or what is the subject? What would constitute a satisfactory answer? Investigations without clear direction produce scattered results that are difficult to assess or act on. Define your requirements before you start collecting.

Phase 2: Collection

Collection is the systematic gathering of raw data from open sources relevant to your research question. This is the phase most people think of when they think of OSINT — the actual searching, browsing, and retrieving of information. Effective collection requires both breadth (consulting enough sources) and discipline (capturing everything relevant at the point of discovery).

Phase 3: Processing

Raw collected data must be processed into a usable form: translated (if in a foreign language), transcribed (if from image or video), organised (sorted by relevance, date, or subject), and evaluated for reliability. This phase is often skipped in amateur investigations, leading to pools of unstructured data that are difficult to analyse.

Phase 4: Analysis

Analysis is where raw data becomes intelligence: identifying patterns, resolving conflicts between sources, drawing conclusions, assessing confidence levels, and building a coherent picture. Good analysis distinguishes what is known from what is inferred and what is assumed. It considers alternative explanations and remains open to revision as new information emerges.

Phase 5: Dissemination

Intelligence is produced to be used. Dissemination is the reporting phase: summarising findings, presenting evidence, and delivering conclusions in a format that serves the consumer — whether a client, a court, a corporate decision-maker, or a law enforcement referral. Good reports separate findings from analysis from recommendations, and cite evidence clearly.

Practical Collection Techniques

Search operators and Google dorking

Basic Google searches rarely surface the depth of information available. Advanced search operators unlock far more: site: restricts results to a specific domain, "exact phrase" finds verbatim matches, inurl: finds URLs containing a specific string, filetype: finds specific document types, and daterange: or the built-in date filters restrict results to specific time periods. Combining operators produces highly targeted results that a plain name search would never surface.

Social media OSINT

Social media is the richest open-source environment available for human subject research. Beyond simply viewing profiles, professional OSINT techniques include: searching for a subject's username across multiple platforms, examining tagged photos to identify associates and locations, analysing posting patterns for schedule and location intelligence, cross-referencing profile images through reverse search, and examining public interactions with other accounts to map relationships.

Corporate registry and financial intelligence

Business registration databases are publicly accessible and systematically underused. Company registration records reveal directors, shareholders, registered addresses, incorporation dates, and corporate structures. In Australia, ASIC Connect and ABN Lookup are free and comprehensive. Cross-referencing a subject's name against corporate registries can reveal business relationships, associated entities, and financial activities that are not visible from social media alone.

Geolocation and image analysis

Images contain embedded intelligence. EXIF metadata in image files often includes GPS coordinates, timestamp, and camera model — useful for establishing when and where a photo was taken. Even images with stripped metadata can be geolocated through visual analysis: recognising landmarks, signage, architectural styles, vegetation, and terrain in photos. Google Street View and satellite imagery allow analysts to match visual elements to specific locations.

Domain and infrastructure intelligence

WHOIS data, historical domain records, IP registrations, and website technology fingerprinting reveal who operates online infrastructure, how long it has existed, and what it connects to. Services like DomainTools, Shodan, and BuiltWith provide intelligence about web infrastructure that can connect anonymous online presences to real-world identities and organisations.

Dark web monitoring

While most OSINT work occurs on the surface and deep web, some investigations require monitoring dark web forums, marketplaces, and data breach repositories. This requires specialist tooling and understanding of access mechanisms (Tor browser), and carries legal and safety considerations that require careful management. It is relevant primarily to cybersecurity investigations, fraud intelligence, and certain law enforcement contexts.

The Documentation Gap — Why Most OSINT Workflows Fail

The most common weakness in OSINT workflows — professional and amateur alike — is documentation. Investigators focus on finding information, but capturing it correctly, at the point of discovery, is equally critical.

Web content changes and disappears constantly. Social media posts are deleted, accounts are suspended, websites are taken down, and content is edited. Information that exists today may not exist tomorrow. If you find something relevant and do not capture it correctly at that moment, you may not be able to prove it existed.

Correct documentation means more than saving a screenshot. It means capturing the full URL, a verified timestamp, a cryptographic hash of the captured file, and the browser and device metadata — automatically, at the point of discovery. This creates a contemporaneous record that can be authenticated independently of your testimony about what you found and when.

Closing the Documentation Gap with the Right Tools

WebInvestigator is a Chrome extension built specifically to close this gap in OSINT workflows. It operates directly in the browser, capturing screenshots and full-page PDFs with automatic SHA-256 hashing, UTC timestamps, and source URL metadata at the moment of capture. Evidence is organised by investigation case, and a chain of custody log is maintained automatically.

For OSINT analysts who produce findings that need to be defensible — presented to clients, courts, law enforcement, or corporate decision-makers — this documentation infrastructure is not optional. See our guide to OSINT investigation tools for a broader overview of the tool landscape, and our SOCMINT guide for social media intelligence specifically.