Use data aggregators to pull together info from courthouses across the country, add extensions to make better use of video and images, and safely search social media.
Federal and local law enforcement agencies have whole divisions dedicated to fighting cybercrime. But the internet is an extremely valuable resource for much more than gathering intelligence on cyber terrorists or investigating computer-based fraud. Social media sites, online data aggregators and special browser plugins and extensions can help law enforcement officers:
- Quickly gather data on any person or organization
- Uncover associations between addresses, phone numbers and user personas
- Find locations where images were taken
- Connect information from different sources to paint a complete picture of someone’s profile
Our experts compiled a list of various tools and sites, briefly explaining their benefits and how they can help advance your investigations.
OSINT training for law enforcement
Before we jump into tools, if you’re new to OSINT, training is the best place to start. The training programs below can help law enforcement professionals skill up on OSINT fundamentals, methodologies and the intelligence cycle, as well as learn advanced skills.
Firing up a tool is no way to start an OSINT investigation — you’ll end up heavy on data and light on insight. Instead, understand the direction of your mission and plan how to achieve it. Ask yourself:
- What am I trying to find out? What questions will I ask to get there?
- Where will I start? What platforms will I use?
- How savvy is my target? How likely are they to make mistakes, or how likely are they to know they’re being watched (and potentially watch back)?
- What are my goals? What will I and my organization do with my findings?
These training programs can ensure you can answer these questions and move methodically through your investigation:
IACIS OSINT Training
The IACIS OSINT course is a valuable training resource for investigators, law enforcement, cybersecurity experts and forensic examiners. It equips professionals with essential skills to gather and analyze OSINT legally and effectively.
The course covers topics such as defensive and offensive OSINT techniques, efficient use of search engines, identifying individuals online, exploring the dark web and utilizing scripting techniques. It also helps professionals stay current in the OSINT field and conduct OSINT needs analysis for their organizations. By mastering these skills, participants can enhance their investigative work, identify new leads and gain valuable perspectives for more successful outcomes in their cases.
SANS OSINT training and resources offer a comprehensive program designed to give analysts the skills they need to apply OSINT techniques. The general course, SEC497: Practical Open-Source Intelligence (OSINT), draws on two decades of experience in OSINT research and investigations across various sectors, including law enforcement and the private sector.
SEC497 provides real-world techniques to conduct OSINT research effectively and safely. Covering critical tools, offering hands-on labs based on actual scenarios and catering to a wide audience, this course focuses on practical techniques applicable to daily work. Researchers will learn how to better understand systems to make informed decisions with the help of cutting-edge research and outlier techniques. Key takeaways from this course include improving OSINT investigations, building skilled OSINT teams, accurate reporting of online infrastructure and more. Participants will be given opportunities to create sock puppet accounts, locate hidden information, explore the dark web and use facial recognition tools.
If you don’t feel challenged enough by the general course, the SANS Institute also offers a more in-depth version, SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis. In today’s digital landscape, OSINT is crucial for investigations, but its complexity is increasing: SEC587 addresses the need for scalable OSINT and reliable analysis.
Covering advanced OSINT topics including working with JSON and programming in Python, dark web and cryptocurrency investigations, disinformation analysis, and advanced image and video OSINT, SEC587 is suitable for both experienced investigators and newcomers. The course equips professionals to conduct in-depth internet research, develop OSINT-focused Python scripts, navigate the dark web safely, code for automation and perform effective financial OSINT investigations.
Online data tracking aggregators to jumpstart your research
Depending on what information you need, there are plenty of websites that can fast-track your initial investigation. Several open-source online investigative tools specifically look at people-centered data. They work by scanning court websites and aggregating what they find.
These sites are legal and review public documents based on the Freedom of Information Act (FOIA). They gather information, including phone numbers, possible addresses, possible family members and known associates. And they save time, so you don't have to visit individual court websites.
What’s also nice about these tools is you don’t have to create a persona — you can access them directly and pull down your first level of information with little risk.
Cyber Background Checks
Cyber Background Checks provides access to billions of public records about millions of adults throughout the U.S. It's sorted to isolate the information you need and organize it into a comprehensive, easy-to-interpret summary. You can find people and where they live by searching their names, discover who lives at a particular address, see who owns an email address and look up unknown phone numbers.
FamilyTreeNow is a free genealogy site, where you can search for family members, associates, addresses and phone numbers of any individual.
Note: FamilyTreeNow blocks access from VPNs.
Spokeo has organized over 12 billion records from thousands of data sources into easy-to-understand reports that include available contact info, location history, photos, social media accounts, family members, court records, work information and much more.
OSINT Techniques provides numerous free open-source resources for researching and analyzing data. Although the information on the website can be used for a variety of purposes, it would be most helpful to investigative roles such as analysts and researchers.
Intelius provides public data about people and their connections to others. Investigators can check criminal records, background checks, property data and more.
Accurint is part of LexisNexis and serves as the most widely accepted locate-and-research tool available to government, law enforcement and commercial customers. Its proprietary data-linking technology returns search results in seconds to the user's desktop.
Pipl is the essential investigative tool used by insurance and financial institutions, government agencies and media companies. It speeds your investigation tasks by helping quickly locate persons of interest, uncover connections between people, addresses, phones and social handles, and even determine the credibility of sources, witnesses and suspects.
Lyzem is an advanced OSINT research tool that prepares investigators by simplifying the collection and analysis of open-source intelligence. It’s great at filtering key details such as channels, groups, bots and telegrams. This tool also features data aggregation from diverse online sources; precise search capabilities; and automation, customization and reporting.
Lyzem’s user-friendly interface and integration with other OSINT tools make it a valuable asset for investigators in law enforcement, allowing them to efficiently uncover insights, connections and patterns.
Epieos is a search engine for reverse email searches, finding related Google reviews and finding accounts linked to email addresses on more than a dozen social media platforms.
This tool collects data from diverse online sources including social media platforms, websites and public databases, broadening the scope of data that investigators can access. Epieos is highly customizable, which is particularly useful in investigations where standard search queries may not suffice. It also integrates well with other OSINT tools, allowing investigators to use and adapt Epieos to effectively work with the intricacies of their case.
JailBase is a vital OSINT tool for investigators, offering access to publicly available arrest and inmate data in the United States. It enables searches for arrest records, inmate information and historical data, along with customizable notifications for updates matching specific criteria — this includes alerts when new arrest records become available. Investigators can efficiently access critical details such as booking dates, charges and mugshots, aiding in background checks for criminal investigations.
This tool’s geographic search makes it a valuable resource for various investigative needs, allowing researchers to narrow down results to specific jurisdictions or areas of interest. For investigators operating on varying budget scales, JailBase caters to a wide audience by offering free access to basic arrest information while providing more advanced features through a subscription-based service.
Mugshots.com compiles publicly available mugshots from the United States. It offers an extensive directory, helping users gain access to crucial information such as arrest dates, charges and other related news. Additionally, investigators can explore an individual’s criminal history, including past arrests and court dispositions.
Another budget-friendly and geographically inclined tool, Mugshots.com allows investigators to obtain valuable information, even on the go — this tool offers mobile accessibility, helping OSINT analysts access essential arrest and mugshot data wherever they are. Furthermore, Mugshots.com permits users to export arrest and mugshot records for supplemental analysis or reporting purposes.
Analyzing images and videos
EXIF viewer tools
The Chrome store offers multiple extensions to view EXIF data — the metadata behind images that includes GPS coordinates, date of capture, camera make and model, etc. However, there are concerns about using these tools in standard browsers, as third parties could be aware of who's looking at EXIF data. To manage attribution, use a purpose-built image metadata viewer for researchers, such as the one from Silo for Research.
It's important to remember, too, that EXIF data can be manipulated or removed entirely by the uploader or platform (many social media sites automatically remove EXIF data due to user privacy concerns). Like any data collected for OSINT, EXIF data should always be corroborated and verified.
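To show what an EXIF viewer actually reads, and what "removed entirely" looks like to a tool, here is an added example (not from the original article or from any product it names) that pulls GPS coordinates out of a JPEG's EXIF segment with only the Python standard library and returns None when the metadata is gone. The function names, the sample image bytes and the coordinates are constructed for illustration.

```python
import struct

def _ifd(tiff, off, e):
    """Map tag -> (type, count, raw 4-byte value field) for the IFD at `off`."""
    out = {}
    for i in range(struct.unpack_from(e + "H", tiff, off)[0]):
        tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", tiff, off + 2 + 12 * i)
        out[tag] = (typ, cnt, raw)
    return out

def _degrees(tiff, e, typ, cnt, raw):
    """Three RATIONALs (degrees, minutes, seconds) -> decimal degrees."""
    if (typ, cnt) != (5, 3):
        raise ValueError("unexpected GPS coordinate encoding")
    v = struct.unpack_from(e + "6I", tiff, struct.unpack(e + "I", raw)[0])
    if 0 in v[1::2]:
        raise ValueError("zero denominator in GPS rational")
    return v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600

def _gps_from_tiff(tiff):
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])      # byte order of the TIFF block
    if e is None or struct.unpack_from(e + "H", tiff, 2)[0] != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _ifd(tiff, struct.unpack_from(e + "I", tiff, 4)[0], e)
    if 0x8825 not in ifd0:                          # no pointer to a GPS IFD
        return None
    gps = _ifd(tiff, struct.unpack(e + "I", ifd0[0x8825][2])[0], e)
    if not set(gps) >= {1, 2, 3, 4}:                # lat/lon refs and values
        return None
    lat = _degrees(tiff, e, *gps[2]) * (-1 if gps[1][2][:1] == b"S" else 1)
    lon = _degrees(tiff, e, *gps[4]) * (-1 if gps[3][2][:1] == b"W" else 1)
    return lat, lon

def exif_gps(jpeg):
    """(lat, lon) in decimal degrees, or None when the file carries no EXIF GPS."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker, size = jpeg[pos + 1], struct.unpack_from(">H", jpeg, pos + 2)[0]
        body = jpeg[pos + 4:pos + 2 + size]
        if marker == 0xE1 and body[:6] == b"Exif\0\0":
            return _gps_from_tiff(body[6:])
        if marker == 0xDA:                          # start of scan: metadata is over
            break
        pos += 2 + size
    return None

def sample_jpeg():
    """Constructed input: SOI + one EXIF segment + EOI, tagged 40°30'N 74°15'W."""
    tiff = b"MM\x00\x2a" + struct.pack(">I", 8)                   # header, IFD0 at 8
    tiff += struct.pack(">HHHIIIH", 1, 0x8825, 4, 1, 26, 0, 4)    # IFD0 -> GPS IFD at 26
    tiff += struct.pack(">HHI4s", 1, 2, 2, b"N") + struct.pack(">HHII", 2, 5, 3, 80)
    tiff += struct.pack(">HHI4s", 3, 2, 2, b"W") + struct.pack(">HHII", 4, 5, 3, 104)
    tiff += b"\0" * 4 + struct.pack(">12I", 40, 1, 30, 1, 0, 1, 74, 1, 15, 1, 0, 1)
    body = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"

STRIPPED_JPEG = b"\xff\xd8\xff\xe0\x00\x04\x00\x00\xff\xd9"  # constructed: metadata removed
```

A None result means only that the tag is absent, and a returned coordinate is whatever the file claims, so either outcome still needs corroboration from other sources.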
At a recent SANS Summit, Craig Pedersen laid out how to use VLC Player to better analyze video. The player allows you to “slice” videos into single frames to help focus your analysis. Applying a grid overlay also helps you focus on individual elements in the frame (e.g., license plate, person, weapon) and reference collected evidence in reports.
The metadata that can be extracted from videos using VLC Player often contains valuable information such as date and time stamps, geolocation data and camera details. Combined with this tool’s enhancement features (which improve audio quality), investigators can more effectively verify the authenticity of certain media and understand its source and potential patterns.
Pedersen provided the steps below for creating frames from VLC Player:
- Go to TOOLS
- Go to PREFERENCES
- In the bottom left corner, click ALL (simple/ALL)
- Click VIDEO from the filters
- Click on SCENE FILTER
- Set image width/height to 1
- Set filename prefix to Frame
- Set recording ratio 1
- On left-hand side, go to FILTERS
- Check the SCENE VIDEO filter
- Restart the VLC Player
Using social media in law enforcement investigations
For online investigators, social media sites like Facebook, Snapchat, Instagram or TikTok could be a treasure trove of information. But just like traditional detectives, investigators must be extra careful to maintain anonymity and keep their identity and intent hidden while researching social media. Not only could a clumsy move spook the bad guys into going deeper undercover, it could also trigger retaliation (cyber or material), putting law enforcement agents at risk.
There are several specialized tools out there to help online investigators browse social media sites without risk. They can be a great addition to investigators’ portfolios when following suspects and persons of interest on social media platforms.
Remember to use caution while searching social media where you must log in to view information. Your target may be able to see who viewed their profile, or you may pop up in recommended connections due to your interaction with their profile or posts.
Social Searcher is a real-time social media monitoring engine. It allows you to search for users, keywords, and trends across 11 different social media platforms. It searches for content in social networks in real time and provides deep analytics data. Users can search without logging in for publicly posted information on Twitter, Google+, Facebook, YouTube, Instagram, Tumblr, Reddit, Flickr, Dailymotion, and Vimeo.
Free users can also save their searches and set up email alerts. Premium features include saving social mentions history, exporting data, API integration, advanced analytics, and immediate email notifications.
Inflact is a multi-purpose service, including an excellent Instagram search tool. Influencers, bloggers and regular users can choose tools based on their needs. It offers free and paid services for building a social media audience, managing content and communicating with clients. And it’s great for investigators, too!
X/Twitter Advanced Search
X/Twitter Advanced Search is available when you're logged into twitter.com. It allows you to tailor search results to specific date ranges and people. You can also search words, phrases and hashtags, what's trending in particular locations, and then see profiles posting on the topic.
TikTok has taken off in the last couple of years, and while it’s generally just good fun and a lucrative platform for some folks to make money, TikTok is also used by criminal organizations as a platform for their propaganda, drug sales and a way to connect with potential victims. Searching TikTok is very straightforward: if you're looking for a specific profile, use TikTok.com/@ and then a username. If you're looking at a particular hashtag, enter TikTok.com/tag/ and the keywords or phrases you're searching for. Searches on TikTok don’t require a login.
Social Bearing is an open search and statistics tool. It can analyze Twitter mentions, find top tweets, hashtags, trends or X/Twitter conversations, show the most popular tweets containing specific pictures or links, uncover facts, find geolocated tweets, and analyze any user’s timeline.
Telegago is another potent OSINT tool that offers comprehensive data retrieval, advanced search and filtering, social media analysis and alert notifications, and can be integrated with other tools. Telegago enhances efficiency by providing a centralized hub for data collection and analysis, enabling investigators to track individuals and events across online platforms, make informed decisions and stay updated in real-time.
Telegago can be employed to track and monitor specific channels and groups on Telegram, which is popular among criminals. Investigators can use it to collect data such as posts, comments, media content and user interactions within these channels.
Advanced search and filtering capabilities enable investigators to perform precise queries within Telegram, allowing them to narrow down their focus and quickly locate specific content or users of interest. Telegago’s data visualization capabilities can help investigators identify patterns and connections within Telegram communities, aiding in the analysis phase of the investigation.
Telepathy is a versatile OSINT tool dubbed the “Swiss Army Knife” for Telegram. It aids OSINT analysts by archiving Telegram chats, gathering member lists, finding users by location and mapping forwarded messages. The ability of this program to perform various data scanning tasks, from basic chat info to comprehensive history archiving and creating CSV-based edge lists for forwarded messages, makes it especially useful.
Telepathy also uses asynchronous data handling to ensure data integrity even when Telegram imposes rate limits. User-friendly output formats simplify data processing and visualization.
TG Stat also focuses on Telegram, offering a specialized solution for extracting valuable information, tracking user activities and monitoring discussions within Telegram channels and groups. Investigators can leverage TG Stat to uncover insights and track potential threats, especially in contexts where Telegram is a prominent communication channel.
TG Stat includes features for data extraction, advanced search, visualization and user profiling. It provides real-time monitoring so investigators can stay current on activities within targeted communities.
Followerwonk (OSINT Base)
Followerwonk (of OSINT Base) focuses exclusively on X/Twitter analysis. It helps to understand user behavior and connections on this widely used social media platform.
Compare accounts, search by location and bio information, and visualize data to track and profile individuals or groups active on Twitter. Followerwonk visualization tools are helpful in making sense of complex user relationships. Data can also be exported for more extensive reporting.
These days, it’s easy to find anyone or anything online. That’s important to remember in terms of what you can find out about your suspects and what they can find out about you. Many sites that offer you information on people and organizations are known to sell registration information, which of course, is not desirable for law enforcement investigators.
Maintaining anonymity is essential for any online investigation. While performing research on the web, law enforcement professionals need to control what investigative subjects can learn about them from what their browser discloses (hint: it’s a lot).
Managing attribution is the definitive way to properly disguise your identity and intent — without creating a false persona, relying on a “dirty” network or using a burner device. By controlling the details of your digital fingerprint, you can blend in with the crowd and perform your investigation without tipping off your suspect or blowing the case.
To learn more about Authentic8’s solution for online law enforcement investigation, Silo for Research, request a demo here.