The Importance of OSINT Investigative Strategy

OSINT integrates with other intelligence disciplines, emphasising strategic planning, ethical practices, and structured investigations.

The Intelligence Cycle: Framework for Strategic Operations

The intelligence cycle empowers intelligence operations with a structured methodology that maintains focus, efficiency, and goal orientation. This includes five stages in total, which can be defined as Planning and Direction, Collection, Processing and Exploitation, Analysis and Production, and Dissemination and Feedback. Of all these phases, Planning and Direction is fundamental and sets down the aims and objectives that should be achieved throughout the conduct of the operation itself (Intelligence Fusion, 2024; King's College London, 2024; Sheffield Hallam University, 2017).

One of the purposes of strategic planning in OSINT activities is to provide direction and delineate the scope of operation. A well-stipulated Planning and Direction phase ensures the IRs are clear, specific, and in line with high-level mission objectives. This is substantially important since the online data is normally huge and at times overwhelming. According to Maltego, one of the rules of OSINT investigations is to spell out clearly the scope of the mission. This ensures that there is no mission drift, and the operation remains focused on the core objectives of the mission. (Maltego, 2024).

Intelligence Requirements and Priority Intelligence Requirements

Within the Planning and Direction phase, two important tasks include the identification of Intelligence Requirements (IR) and Priority Intelligence Requirements (PIR). IRs outline the needed to answer key operational questions, while PIRs identify the most critical intelligence required for decision-making and mission success. For instance, in a financial crime investigation, a PIR might involve identifying the key financiers of an organised crime syndicate, narrowing down the intelligence to be collected (Sheffield Hallam University, 2017).

This is particularly important in OSINT, given the vast volume of available data, and the PIRs must be expressed with precision. PIRs act as a filter, ensuring precision in intelligence collection and focusing resources on the most critical areas. To which end, Maltego guidelines emphasise the need to refine search criteria and use purpose-built OSINT tools that maximize collected data precision and relevance (Maltego, 2024). By properly defining IRs and PIRs, investigators can concentrate on resources to gather intelligence where the intelligence is most likely to affect the success of the investigation.

Request for Information Process

The process of RFI addresses gaps identified in Planning and Direction. If existing resources do not have the capacity to fulfil the requirement, RFIs are sent to gather such information from relevant parties, agencies, or groups. This is especially true in OSINT-type investigations, where the vast and amorphous potential source of data available on the internet necessitates working closely with other intelligence disciplines. For example, if OSINT data on suspect financial transactions is insufficient, an RFI may be sent to a FININT agency to gather additional intelligence and complete the investigation.

Commander's Intent for OSINT Investigations

The Commander's Intent, drawn from military doctrine, is a key component of intelligence operations. It provides a clear statement of the operation’s objectives and the desired outcome. A solid understanding of the Commander's Intent ensures that all intelligence efforts, including writing IRs and PIRs, align with the broader mission objectives (Sheffield Hallam University, 2017; Intelligence Fusion, 2024).

In OSINT investigations, maintaining alignment with the Commander’s Intent is crucial for ensuring strategic focus and mission success.

Ethics in OSINT: Introducing the JAPAN Principles

Of course, ethical judgements in such operations are an important factor, especially when it comes to OSINT domain since encroachment on privacy is very likely. The JAPAN Principles (also known as PLANE or ALPEN) ensure that OSINT operations follow best ethical and legal practices:

Justifiable:
- Definition: Investigative actions must have a clear and legitimate purpose.
- OSINT Application: Analysts should only collect data if it directly supports the investigation’s objectives, avoiding unnecessary intrusions.
Authorised:
- Definition: All intelligence activities must comply with legal frameworks.
- OSINT Application: Investigators must be aware of and adhere to relevant laws, ensuring their actions are legally permissible.
Proportionate:
- Definition: Methods and tools should be proportional to the threat level.
- OSINT Application: Investigators should balance the need for information with respect for privacy, avoiding excessive data collection.
Auditable:
- Definition: All investigative actions should be documented for accountability.
- OSINT Application: Maintaining detailed records ensures transparency and allows for reviews if necessary.
Necessary:
- Definition: Only the information essential to the investigation should be gathered.
- OSINT Application: This principle prevents the over-collection of irrelevant data, focusing only on what’s required to achieve the investigation’s goals. (Kent Police, 2017).

Following these principles ensures that OSINT investigations respect privacy without compromising operational efficiency.

The 12 OSINT Steps to Collect Online Evidence

To ensure a methodical and effective approach to online investigations, Maltego outlines 12 OSINT steps. These steps help investigators navigate the immense volume of online data while structuring their investigations. The steps can be summarised as follows:

‍Define Investigation Scope: The investigation's goals and scope need to be described in detail, specifying the key information that needs to be obtained to lead the case in the correct direction, including probable crimes, and any information to be obtained through the use of subpoenas.‍
Initial Research: Do preliminary general research first. Generate data from general search engines, social media sites, and public databases to set the case on a baseline.‍
Tailor Your Queries: To reduce search results, tailor the queries according to some selected keywords, usernames, or terms relevant to the investigation. At this stage, advanced techniques are very useful. For example: dorking.‍
Use OSINT Tools/Platforms: Conduct IP address lookups, reverse image searches, and domain research by using a broad range of OSINT tools and platforms to make sure data is gathered from as many sources as possible.‍
Timestamps and Metadata Analysis: The extraction and analysis of timestamps and metadata from digital files—images and videos—due to the immense potential of realizing timelines, are done to find patterns, normally for discovering elements of hidden information.‍
Real-Time Collection: This can be done through constant monitoring of the particular social media accounts, forums, online communities, and others, with the purpose of acquiring information as it is generated, tracking digital movements, and tracing connections.‍
Data Breach Databases: Search data breach databases to identify any potential breaches by the subjects as data to be compromised to yield further leads and information.‍
Personal Websites and Blogs: Check sites and blogs established by the subjects or associated with criminal activities in general for additional information, clarification of associations, or to discover other parties to the crime.‍
Follow Digital Footprints: Investigate access logs, IP addresses, the activities made online, and, by mapping the digital footprints, mention the identification of site locations where the suspects are involved in illegal activities.‍
Document and Analyse Findings: Document each finding with timestamp, URL, account details, etc., and analyze this to establish relationships to get an overall picture of the case.‍
Verify and Validate Information: The gathered information is verified from multiple sources on grounds of its truthfulness and reliability since it provides a base for the trusted case.‍
Team up and Inform the Experts: In complicated investigations, the gaps in information can be bridged by either seeking help from experts or other investigators so that the source can be scrutinized and cleaned.

These steps provide a structured approach to allow for thoroughness and precision in the gathering, analysis, and verification of online evidence. Observing this methodology allows investigators to navigate this immense and usually overwhelming landscape of online data with confidence and accuracy.

Best Practices in Investigative Strategy

A successful OSINT strategy includes clearly defined goals, risk assessments, and scope. Best practices involve combining intelligence from multiple sources, using ethical guidelines, and applying visual tools like mind maps and flowcharts to organise and analyse information. Structured techniques like scenario planning and red teaming help eliminate cognitive biases and strengthen intelligence reliability.

The 6 W's and 2 H's Framework for OSINT Investigations

The traditional 5 W's framework (Who, What, When, Where, Why) alongside the single H (How) has long been a staple in investigative processes, especially within Open Source Intelligence (OSINT). Expanding this to include an additional W (Which) and H (How Much) makes the framework more comprehensive, allowing for a meticulous approach in OSINT investigations. The 6 W’s and 2 H’s guide investigators in systematically gathering and evaluating data, ensuring all key aspects are covered. For example:

Who: Identifying Key Individuals or Entities
Question: Who are the primary subjects or entities involved?
Application in OSINT: Identifying key participants is crucial, whether they are individuals, organizations, or networks. OSINT analysts can utilize this question to focus on pinpointing suspects in a cybercrime network or determining key stakeholders in a corporate investigation.

What: Determining the Activities or Events
Question: What specific activities, events, or behaviours are being investigated?
Application in OSINT: Clarifying what is under investigation directs attention to relevant data. This could include identifying illicit activities like fraud or monitoring specific events such as protests. Clearly defining "what" ensures the investigation remains focused, leading to more effective data collection.

When: Establishing the Timeline
Question: When did these activities or events occur?
Application in OSINT: Timelines are essential for understanding the sequence of events and their interrelations. OSINT investigators can use this to map the chronology of actions, recognize patterns, and identify critical moments in an investigation, such as the initial detection of suspicious financial transactions.

Where: Locating the Events Geographically
Question: Where did these activities take place?
Application in OSINT: Geographic information sheds light on the scope and impact of an investigation. In OSINT, analysing locations helps determine the jurisdiction, uncover connections between physical and online spaces, and identify where significant activities occurred.

Why: Uncovering the Motives
Question: Why did these activities happen? What are the underlying motives?
Application in OSINT: Investigating the "why" reveals the motivations behind actions. This may involve examining reasons such as financial gain or political influence. Understanding the motive aids in predicting future behaviour and contextualizing the investigation.

How: Understanding Methods and Techniques
Question: How were the activities conducted? What methods were used?
Application in OSINT: Analysing the methods provides insight into the capabilities and tactics of those involved. In OSINT, this might mean investigating how a cyberattack was carried out or how disinformation was spread online. Understanding "how" is vital for developing countermeasures and response strategies.

Which: Identifying Appropriate Sources and Tools
Question: Which sources and tools are best suited for data collection?
Application in OSINT: This question involves selecting the most reliable sources and tools for the investigation. By determining "which" platforms, databases, or technologies to employ, OSINT analysts can ensure the data gathered is both relevant and credible.

How Much: Assessing the Scale and Impact
Question: How much data is needed, and what is the scale of the activities?
Application in OSINT: Understanding the scale and impact of the issue is critical for prioritizing resources. In OSINT, assessing "how much" can quantify the scope of the investigation, such as evaluating the reach of a disinformation campaign or the size of a criminal network, ensuring that investigative efforts are effectively targeted.

The 6 W's and 2 H's framework serves as a robust guide for OSINT investigations. By addressing each element systematically, investigators can cover all essential aspects of a case, laying a strong foundation for informed decisions and actionable insights. This methodical approach enhances the overall effectiveness of OSINT efforts, leading to more precise and impactful outcomes.

Conclusion

The Planning and Direction phase of the intelligence cycle is the cornerstone of effective OSINT operations. Its success is amplified by the integration of OSINT with other intelligence sources, adherence to ethical principles, and the systematic application of the 12 OSINT steps outlined by Maltego. A strategy rooted in the 6 W’s and 2 H’s framework, combined with careful management of IRs, PIRs, and the RFI process, ensures a comprehensive and precise approach to intelligence operations.

Visual tools such as mind maps and flowcharts further enhance clarity and efficiency, making the OSINT investigative strategy more robust and systematic. As the digital landscape continues to evolve, the role of OSINT within the broader intelligence community will grow, solidifying its status as a critical component of modern intelligence operations.

‍References

Intelligence Fusion (2024) Open-Source Intelligence Training. Available at: https://www.intelligencefusion.co.uk (Accessed: 3 August 2024).
King’s College London (2024) OSINT – Tools & Techniques. Available at: https://www.kcl.ac.uk (Accessed: 2 August 2024).
Mandiant (2024) Open Source Intelligence (OSINT) Tools & Techniques Course. Available at: https://www.mandiant.com (Accessed: 2 August 2024).
Maltego (2024) 12 OSINT Steps to Gather Online Evidence. Available at: https://www.maltego.com/blog/using-google-dorks-to-support-your-open-source-intelligence-investigations (Accessed: 2 August 2024).
SANS Institute (2024) Open Source Intelligence (OSINT) Training. Available at: https://www.sans.org (Accessed: 2 August 2024).
Sheffield Hallam University (2017) Fusion of OSINT and non-OSINT data. Available at: https://shura.shu.ac.uk (Accessed: 3 August 2024).
The Association of British Investigators (2024) The Evolution of OSINT. Available at: https://www.theabi.org.uk (Accessed: 1 August 2024).
Kent Police (2024) Ethical Intelligence Practices in OSINT. Available at: https://www.kent.police.uk (Accessed: 1 August 2024).
Small Wars Journal (2024) Operationalising OSINT Full-Spectrum Military Operations. Available at: https://www.smallwarsjournal.com (Accessed: 1 August 2024).
The Cove (2024) The Tactical Application of Open Source Intelligence (OSINT). Available at: https://cove.army.gov.au (Accessed: 1 August 2024).