Today I would like to talk about how to become a good OSINT investigator, but to continue the conversation I would like to make a small disclaimer — I will tell you only some aspects because the topic is very vast and I can not describe everything in one article, however, I will try to show you the way and how to pass this path.

To begin with, I want to say that I will consider OSINT as a set of skills or a mindset, because it can be directly related to doxing, military GEO-INT performed by a security company employee or just media OSINT performed by a VC fund employee in order to find new projects for investment, taking the theory of handshakes as a basis.

Or even a crypto forensics specialist investigating a major Web3.0 hack case. In other words, it can be used in all spheres of life because it is only a method of working with, assessing and ranking information — do not ever forget that we are all living in the Information Era.

• How I found early Solana ecosystem Developers using OSINT tactics

All of what I said above you can develop in yourself, but the essence of all directions is the same — the ability to notice in the flow of information valuable information, anomalies, see the differences, carefully analyze the facts and build a logical chain. Today I would like to give you the first lesson, all resources which I will advise you — I studied by myself earlier:

Check out:

• So You Think You Can Google? — Workshop With Henk van Ess

• Episode 51: What do you need to become an intermediate OSINTer? How can Shodan contribute to OSINT investigations? — The OSINT Curious Project — Podcast

• First Steps to Getting Started in Open Source Research — bellingcat
• How to Use Mind Maps to Unleash Your Brain’s Creativity and Potential

Didn’t everyone make cheat sheets at school? It’s time to do it again, because in the future it should evolve into a Maltego skill.

• Everything about Open Source Intelligence and OSINT Investigations (2021)

• Maltego — Cyber Weapons Lab — Research like an OSINT Analyst

Tips from CIA_Officer:

I can recommend that you turn to an interesting subculture that is suitable for introverts! I am sure that everyone is interested in various strange phenomena in one way or another. Immerse yourself in a net-stalking environment. Sometimes ordinary people were able to solve crimes which the police could not solve for years with OSINT and GEOINT alone (I could put in here links to subreddits, movies and news bulletins but since you and I are now doing OSINT I advise you to find it yourself. A little tip — use searches with different IPs, over different time ranges on different search engines.

The main thing is to remember your health, it is above all, do not let your principles be shaken by what you see. You are an observer. Here well helps to understand the psychology of SCP researchers (when nothing is clear, but the scientific method helps to put everything in its place).

Some NetStalking Resources (use deepl.com for a better translation):

• telegra.ph/What-is-Netstalking-Netstalking-Information-Survivors-04-06
• t.me/netstalking_godnota
• github.com/netstalking-core/netstalking-osint
• telegra.ph/NetStalking-Tihij-dom-i-prichyom-zdes-davno-zabytyj-sinij-kit-04-07
• t.me/randomaesthetic
• telegra.ph/Netstalking-kak-yavlenie-ili-pochemu-kiberpank-neizbezhen-08-31
• t.me/netstalking_documents/35
• t.me/netstalking
• t.me/netstalking_documents/30
• github.com/pantyusha/ultimate-netstalking-guide
• github.com/topics/netstalking
• en.m.wikipedia.org/wiki/Netstalking
• github.com/netstalking-core/netstalking-catalogue/blob/master/README.en.md

• What is Netstalking?

Keep in mind that in this part of the Global Internet (I mean OSINT in general, not only the Net-stalking), the percentage of people who are actively looking for problems or need to express their emotions is no different from other places. So, follow OpSec rules and don’t make too many mistakes. Conduct your activities from a separate, isolated device.

• The Hitchhiker’s Guide to Online Anonymity

Once you can distinguish the information, sort it out then the next thing you can do is start practicing. As you know, good practice requires good motivation, and most likely at this point our paths will separate.

Good training materials:

• tryhackme.com/room/googledorking
• tryhackme.com/room/searchlightosint
• tryhackme.com/room/shodan
• tryhackme.com/room/geolocatingimages
• tryhackme.com/room/somesint
• www.youtube.com/playlist?list=PLrFPX1Vfqk3ehZKSFeb9pVIHqxqrNW8Sy
• osintframework.com

Here is a very good brain-stretching game will help to train associative thinking — a very important skill for anyone in OSINT:

• This game is easy and fun! 🙂

Check out OSINT communities:

• Channels about OSINT, Hacking, Security and so on

Follow top OSINT specialists:

• nitter.net/cyb_detective — tools and awesome data
• nitter.net/UKOSINT — news, tools, jokes
• nitter.net/dutch_osintguy — famous specialist, speaker

Some will enjoy analyzing images, satellite images, calculating time and place from the angle of shadows from a photo, or measuring mountain peak size in order to perform private detective investigations. Or doing OSINT in crypto, for example, in which case your motivation will be money and self-fulfillment. Read my channel if you like this topic. Or someone can get into AD-INT which is growing day-by-day right now.

Explore data terminals:

• First Steps to Getting Started in Open Source Research — bellingcat

• GitHub — cipher387/osint_stuff_tool_collection: A collection of several hundred online tools for OSINT

• The Ultimate OSINT Collection — start.me
• OSINT INCEPTION 🔍 — start.me

You may want to de-anonymize telegram users (read this channel) or, conversely, join the ranks of counter-OSINT bros. But in doing so, I urge you not to forget the key skills of information retrieval, information analytics, and information application.

I’ll highlight some basic advice for you — evaluate information according to different criteria, always know your “base settings” — it’s good for the mental health, the things you find shouldn’t ruin your foundations. Practice it, do it in your daily life, apply OSINT where it seems un-obvious like mentioned below:

• 5 Ways OSINT Can Help Your Career! — Knowmad OSINT

• The Art of Attack

Join communities, of course and chat, chat! Above I’ve only mentioned English-speaking communities but there are also local ones like osintfr.com, do some research on your own. I’m 100% sure in you! You will succeed!

• Channels about OSINT, Hacking, Security and so on
• Bonus OSINT Twitter Crypto toolset

Blockchain Investigations

| Here I will tell you exactly how I investigate crypto hacks and security incidents, and describe methodology:

• Much thanks vice.com for a mention!

• Usually in blockchain investigation I use tools first for manual analysis such as tenderly.co, ethtective.com, breadcrumbs.app, 9000.hal.xyz, dune.xyz, nansen.ai, bloxy.info, github.com/naddison36/tx2uml, github.com/ApeWorX/evm-trace.

• I seen also a rather unusual method — the use of VR, which will empower the first step: ethresear.ch/t/open-source-3d-and-vr-blockchain-visualizations/3297/2

• Second, I try to set clusters to check them through Chainalysis or amlbot.com(investigation regime only). See more similar tools there.

• As a third step, I check contracts/addresses through the impersonator, the unrekt.net or revoke.cash checker and other tools. As an example, tutela.xyzgithub.com/TutelaLabs tool can help in tacking funds behind TornadoCash

• When investigating an incident, it is also important to conduct a classic OSINT investigation, for example, if we are investigating a hack — it is necessary to check messages from chats, interview employees and eyewitnesses. Sometimes this yields data: www.1337pwn.com/how-to-investigate-cryptocurrency-crimes-using-blockchain-explorers-and-osint-tools/

• start.me/p/ek4rxK/cryptocurrency-osint

Additional tips:

OpSec:

Use dangerzone.rocks if you are working with PDFs and please follow OpSec Guide!

Google Dorks:

• ETH_address -block
• site:etherscan.io ETH_address
• site:https://docs.google.com/spreadsheets Bounty intext:”@gmail.com”
• BTC_address -block
• site:bitcointalk.org BTC_address
• site:https://docs.google.com/spreadsheets Bounty intext:”@gmail.com”
• Cryptoaml
• Bitrankverified
• Antinalysis (TOR, owner check)

References:

• Deanon ETH
• ETH Gossip
• Profiling Ethereum users
• All transaction analysis tools
• How to investigate crypto
• Investigating Blockchain
• How to become an on chain detective

Personal Crypto Security & OpSec:

A) Understand that all sorts of blockchain.info, TrustWallet, MetaMask and other wallets are just interfaces.

B) Consider cold wallets, personally I do not trust Ledger or Trezor. There is a hardcore version BitLox Ultimate, which is literally stuffed with security-related features, lets the traffic through Tor, and has several levels of encryption. Or an ascetic cold card which is a good choice for those, who love simple and clear mechanics.

C) Make a cold wallet yourself. For example, from an old smartphone. You can also make a cold wallet with Electrum and let all the traffic through Tor. Know AirGap weak sides.

D) Check what are you signing, if we speak about ETH and similar chains, never use your main cold storage for casual work, but if you have to (for example, sign a gnosis-safe multi-sig (2) (3) transaction), always check if there are no allowance approve(which allows to drain your wallet) or proxy (behind which mentioned function may be hiding). Revoke approvals here. Also do not fall into eth_sign scam (different from approve which can steal only ERC20)!

E) Never use your main cold storage and «Back Office PC» for casual work, but if you have to do it (and you know why you are doing it), use only open-source wallets: alphawallet.com, electrum.org, sparrowwallet.com, tryethernal.com

|Check out wallet rating: walletscrutiny.com

F) Accept as a fact that if the device falls into the hands of intruders, only custom capacitors can save your money (so that you can not get directly to the brains and read electric signals) and other things like self-destruction, epoxy, and so on. That is, ideally, you can not allow physical contact in any case. You can use special logic bombs or logic gates, extra passwords that trigger some kind of security action, alert events on your address via tenderly.co or using 2/3 multi-sig all the time from 3 different devices. Anyway remember, the device must not fall into anyone's hands. One could also create a honeypot wallet and have a script that listens for tx's originating from those addresses that alerts authorities, security companies and/or friends & family that you are under duress, perhaps even sending your location or last known location based off a GPS chip phone with the alerts.

G) Always double check an address you've copied to the clipboard. There is an evil software existing which is called a Clipper - it can replace an address in your clipboard to a very similar-looking hacker's address which has the same symbols in the beginning and in the end as your original address.

H) Be aware of modern attack methods, carefully read step-by-step my Guide and a Compendium, you don't need a deep understanding of how hacks work exactly but that's important to know how does it looks like to be a victim.

I) Cold wallet attacks & defense methods, reading list from CIA:

• adatainment.com/index.php

• ieeexplore.ieee.org/document/9284708

• cossacklabs.com/blog/crypto-wallets-security

• cipherblade.com/blog/list-of-breach-vectors-hackers-exploit-to-steal-cryptocurrency/

• graph.org/All-known-smart-contract-side-and-user-side-attacks-and-vulnerabilities-in-Web30--DeFi-03-31

• arxiv.org/pdf/2108.14004.pdf

• bloom.co/blog/6-ways-a-site-can-attack-your-metamask/

• phishfort.com/blog/web3-phishing-has-finally-arrived

• arxiv.org/pdf/2204.01487.pdf

• arxiv.org/pdf/2111.08893.pdf

  
  

J) Study threat modeling (2) (3) and establish all possible threats even if they seem crazy to you. Being suspicion is always a good thing. After all, fake news only works best with those who carry it to their acquaintances, becoming a kind of donor. In the same way with attacks, very often you may try to be hacked through acquaintances, pretending to be acquaintances or acquaintances themselves. Always keep this in mind. This world is cruel and dangerous.

K)  For deals use escrow and tx alarm clock and with special services like safient.io, sarcophagus.io, safehaven.io.

L) Use OpenSource password storage,reliable communication method from this sheet, use OpSec services, be aware of the latest anonymity and privacy techniques. Carefully read step-by-step my guide once again. Check out all user-side and smart contract side attacks. And NFT attacks as well.

M) Counter-OSINT is important. Read about it more here and here.

N) Go thorough my Auditor Guide.

O) Check out DeFi RoadMap:

P) Check out advanced methods here and here.

Use dangerzone.rocks if you are working with PDFs and please follow OpSec Guide!

Carefully study these resources and come back to them as you journey through the world of the hornets, don’t forget the roots. This article does not answer questions, but rather raises some rhetorical questions to encourage you to think about something.

Thank you so much for reading till the end, I will try to formulate my thoughts and write some more articles on this topic in future!

May the Force be with you!

Support is very important to me, with it I can spend less time at work and do what I love — educating DeFi & Crypto users!

• Check out my GitHub
• Track all my activities
• All my Socials
• Join my TG channel

If you want to support my work, you can send me a donation to the address:

• 0xB25C5E8fA1E53eEb9bE3421C59F6A66B786ED77A or officercia.eth — ETH, BSC, Polygon, Optimism, Zk, Fantom, etc
• 17Ydx9m7vrhnx4XjZPuGPMqrhw3sDviNTU — BTC
• 4AhpUrDtfVSWZMJcRMJkZoPwDSdVG6puYBE3ajQABQo6T533cVvx5vJRc5fX7sktJe67mXu1CcDmr7orn1CrGrqsT3ptfds — Monero XMR

Thank you! ❤️

Also published here.