WEBVTT

00:00:00.000 --> 00:00:06.630 align:middle line:90%


00:00:06.630 --> 00:00:10.730 align:middle line:84%
In this video, we're going
to talk about what is OSINT.

00:00:10.730 --> 00:00:13.590 align:middle line:90%
So what is OSINT?

00:00:13.590 --> 00:00:16.490 align:middle line:84%
Wikipedia has a
pretty good entry.

00:00:16.490 --> 00:00:19.160 align:middle line:84%
OSINT, Open-Source
Intelligence, is

00:00:19.160 --> 00:00:21.890 align:middle line:84%
data collected from
publicly available sources

00:00:21.890 --> 00:00:26.290 align:middle line:84%
to be used in an
intelligence context.

00:00:26.290 --> 00:00:28.870 align:middle line:84%
So what does that
exactly mean for us?

00:00:28.870 --> 00:00:32.830 align:middle line:90%


00:00:32.830 --> 00:00:35.920 align:middle line:84%
So OSINT has a lot
of different uses.

00:00:35.920 --> 00:00:38.020 align:middle line:84%
For malicious hackers,
they generally

00:00:38.020 --> 00:00:39.550 align:middle line:90%
use it for reconnaissance.

00:00:39.550 --> 00:00:42.730 align:middle line:84%
For IT professionals,
IT professionals

00:00:42.730 --> 00:00:45.760 align:middle line:84%
can typically use it
to track bad actors.

00:00:45.760 --> 00:00:47.710 align:middle line:84%
Law enforcement will
typically use it

00:00:47.710 --> 00:00:50.530 align:middle line:90%
for tracking people down.

00:00:50.530 --> 00:00:54.060 align:middle line:84%
Also OSINT investigators
will use it

00:00:54.060 --> 00:00:57.790 align:middle line:84%
for tracking down, say,
missing people, for example.

00:00:57.790 --> 00:00:59.740 align:middle line:84%
It can also be used
for background checks

00:00:59.740 --> 00:01:02.020 align:middle line:90%
and a lot more.

00:01:02.020 --> 00:01:06.248 align:middle line:84%
OSINT is a very powerful
tool that's widely used.

00:01:06.248 --> 00:01:07.790 align:middle line:84%
It's also one of my
favourite topics.

00:01:07.790 --> 00:01:09.300 align:middle line:90%
So let's get more into it.

00:01:09.300 --> 00:01:12.450 align:middle line:90%


00:01:12.450 --> 00:01:16.890 align:middle line:84%
So OSINT, again, it can be used
for a lot of different things,

00:01:16.890 --> 00:01:20.680 align:middle line:84%
especially for tracking people
down, uncovering information.

00:01:20.680 --> 00:01:26.820 align:middle line:84%
So in a security role
for OSINT, an example

00:01:26.820 --> 00:01:32.460 align:middle line:84%
would be a while back I was
asked to investigate someone.

00:01:32.460 --> 00:01:33.870 align:middle line:90%
I was given a name.

00:01:33.870 --> 00:01:38.070 align:middle line:84%
I was given that they were doing
some suspicious activities,

00:01:38.070 --> 00:01:40.200 align:middle line:90%
so I started off.

00:01:40.200 --> 00:01:41.820 align:middle line:84%
So starting off
with the name, I was

00:01:41.820 --> 00:01:47.340 align:middle line:84%
able to pull up private email
addresses tied to that name.

00:01:47.340 --> 00:01:49.560 align:middle line:84%
From those private
email addresses,

00:01:49.560 --> 00:01:52.110 align:middle line:90%
it led me to a Pastebin dump.

00:01:52.110 --> 00:01:57.870 align:middle line:84%
That Pastebin dump had a number
of questionable activities

00:01:57.870 --> 00:01:58.530 align:middle line:90%
tied to it.

00:01:58.530 --> 00:02:00.750 align:middle line:84%
It also had additional
names on there.

00:02:00.750 --> 00:02:03.480 align:middle line:84%
Those additional names
led to different online

00:02:03.480 --> 00:02:05.880 align:middle line:90%
handles for these individuals.

00:02:05.880 --> 00:02:11.050 align:middle line:84%
And those online handles led
to more additional information.

00:02:11.050 --> 00:02:14.590 align:middle line:84%
So you can kind of
see how OSINT works,

00:02:14.590 --> 00:02:18.183 align:middle line:84%
starting off with one thing
- in this case it's a name.

00:02:18.183 --> 00:02:19.600 align:middle line:84%
A lot of times,
it will be a name,

00:02:19.600 --> 00:02:21.940 align:middle line:90%
an IP address, email address.

00:02:21.940 --> 00:02:24.010 align:middle line:90%
It could even be a photo.

00:02:24.010 --> 00:02:27.460 align:middle line:84%
That one piece of evidence
can lead to something else.

00:02:27.460 --> 00:02:31.130 align:middle line:84%
And it kind of splinters
off from there.

00:02:31.130 --> 00:02:34.720 align:middle line:84%
So it's essentially like
putting a puzzle piece together.

00:02:34.720 --> 00:02:36.910 align:middle line:84%
You get one piece,
and that one piece

00:02:36.910 --> 00:02:38.860 align:middle line:84%
connects to these
other pieces, depending

00:02:38.860 --> 00:02:45.270 align:middle line:84%
on what you're investigating
and what your end goal is.

00:02:45.270 --> 00:02:48.360 align:middle line:84%
So there's a lot of different
tools for OSINT out there.

00:02:48.360 --> 00:02:49.830 align:middle line:90%
Some are online tools.

00:02:49.830 --> 00:02:52.120 align:middle line:90%
Some are operating systems.

00:02:52.120 --> 00:02:55.670 align:middle line:84%
Some are tools that you
instal on your computer.

00:02:55.670 --> 00:02:58.950 align:middle line:84%
OSINT tools tend to
be either, again,

00:02:58.950 --> 00:03:03.480 align:middle line:84%
web-based or tend to
be designed for Linux.

00:03:03.480 --> 00:03:07.230 align:middle line:84%
A lot of tools are also going
to be written in Python.

00:03:07.230 --> 00:03:10.610 align:middle line:84%
You can do OSINT on,
say, a Windows machine.

00:03:10.610 --> 00:03:13.170 align:middle line:84%
But again, if you're installing
tools, a lot of the tools

00:03:13.170 --> 00:03:15.120 align:middle line:84%
are going to be
Linux-based, just

00:03:15.120 --> 00:03:18.390 align:middle line:90%
want to throw that out there.

00:03:18.390 --> 00:03:20.520 align:middle line:84%
So again, there's
a lot of tools.

00:03:20.520 --> 00:03:22.940 align:middle line:90%
There's Tor browser, which is useful.

00:03:22.940 --> 00:03:26.450 align:middle line:84%
Google Maps, Maltego,
Spiderfoot, Google Dork,

00:03:26.450 --> 00:03:29.090 align:middle line:84%
which is essentially
advanced Google searches

00:03:29.090 --> 00:03:32.270 align:middle line:84%
that you could do through the
regular Google engine, Bitcoin

00:03:32.270 --> 00:03:35.630 align:middle line:84%
Who's Who and the Trace
Labs VM that we're going

00:03:35.630 --> 00:03:39.482 align:middle line:90%
to be taking a look at later.

00:03:39.482 --> 00:03:41.190 align:middle line:84%
So before you start,
there's a few things

00:03:41.190 --> 00:03:43.970 align:middle line:84%
you should do for your
OSINT investigation.

00:03:43.970 --> 00:03:47.210 align:middle line:84%
So preparation wise, you want
to create a sock puppet account.

00:03:47.210 --> 00:03:49.400 align:middle line:84%
And what a sock
puppet account is,

00:03:49.400 --> 00:03:52.100 align:middle line:84%
it's an account that
doesn't tie back to you.

00:03:52.100 --> 00:03:53.450 align:middle line:90%
It's not using your real name.

00:03:53.450 --> 00:03:54.860 align:middle line:84%
It's not using
your real phone number.

00:03:54.860 --> 00:03:58.230 align:middle line:84%
It's not using your real
address or anything like that.

00:03:58.230 --> 00:03:59.870 align:middle line:84%
The reason for
this is when you're

00:03:59.870 --> 00:04:01.520 align:middle line:84%
doing OSINT
investigation, you may

00:04:01.520 --> 00:04:04.970 align:middle line:84%
be investigating individuals
or activities that you

00:04:04.970 --> 00:04:06.950 align:middle line:90%
don't want to come back to you.

00:04:06.950 --> 00:04:09.530 align:middle line:84%
Sometimes these people don't
want to be investigated.

00:04:09.530 --> 00:04:11.670 align:middle line:84%
Sometimes they don't
want to be found.

00:04:11.670 --> 00:04:15.950 align:middle line:84%
And overall, it's just safer
using a sock puppet account,

00:04:15.950 --> 00:04:17.570 align:middle line:90%
again, a fake account.

00:04:17.570 --> 00:04:20.480 align:middle line:84%
You also want to have
a virtual machine,

00:04:20.480 --> 00:04:22.130 align:middle line:90%
and that's just good practise.

00:04:22.130 --> 00:04:24.350 align:middle line:84%
So virtual machine
means that you

00:04:24.350 --> 00:04:26.420 align:middle line:84%
have a virtual computer
that you can run

00:04:26.420 --> 00:04:27.770 align:middle line:90%
your OSINT investigation from.

00:04:27.770 --> 00:04:30.170 align:middle line:84%
And the reason for
this is if you're

00:04:30.170 --> 00:04:33.020 align:middle line:84%
investigating some areas
that are kind of shady,

00:04:33.020 --> 00:04:35.330 align:middle line:84%
you don't want to get a
virus on your main computer.

00:04:35.330 --> 00:04:37.710 align:middle line:84%
Also, it helps with
the overall integrity.

00:04:37.710 --> 00:04:39.080 align:middle line:90%
You have a clean machine.

00:04:39.080 --> 00:04:40.700 align:middle line:84%
Nothing was ever
done on this machine

00:04:40.700 --> 00:04:46.360 align:middle line:84%
except for investigation,
which is also useful.

00:04:46.360 --> 00:04:48.580 align:middle line:84%
Now when you're
investigating your target,

00:04:48.580 --> 00:04:52.030 align:middle line:84%
you want to know who or what
you're investigating, what's

00:04:52.030 --> 00:04:57.280 align:middle line:84%
the scope of work, what's the
timeline, what is your employer

00:04:57.280 --> 00:04:59.780 align:middle line:84%
or client want from
this investigation.

00:04:59.780 --> 00:05:02.515 align:middle line:84%
These are important things
to find out ahead of time.

00:05:02.515 --> 00:05:05.140 align:middle line:84%
Agreement wise, you want to have
some sort of written agreement

00:05:05.140 --> 00:05:07.240 align:middle line:84%
with a scope of
work, so you can help

00:05:07.240 --> 00:05:10.330 align:middle line:84%
avoid any confusion
or any other issues.

00:05:10.330 --> 00:05:14.510 align:middle line:84%
And keeping safe, be careful
with your investigations.

00:05:14.510 --> 00:05:16.400 align:middle line:90%
It is important.

00:05:16.400 --> 00:05:19.900 align:middle line:84%
It's also important for success,
again, tracing back to you

00:05:19.900 --> 00:05:22.170 align:middle line:84%
and you don't want to spook
your target in any way.

00:05:22.170 --> 00:05:25.540 align:middle line:84%
So a lot of OSINT is
going to be very passive,

00:05:25.540 --> 00:05:31.030 align:middle line:84%
meaning that a lot of
times you don't actually

00:05:31.030 --> 00:05:35.130 align:middle line:84%
try to call these
individuals in person

00:05:35.130 --> 00:05:38.160 align:middle line:84%
or try to contact
family members in that.

00:05:38.160 --> 00:05:42.410 align:middle line:84%
A lot of OSINT is passive, not
to say that you can't do that.

00:05:42.410 --> 00:05:47.670 align:middle line:84%
But a lot of the stuff I dealt
with is in a passive manner.

00:05:47.670 --> 00:05:50.930 align:middle line:90%


00:05:50.930 --> 00:05:55.700 align:middle line:84%
So wrapping up, OSINT stands
for Open-Source Intelligence.

00:05:55.700 --> 00:05:58.520 align:middle line:84%
OSINT is data collected from
publicly available sources

00:05:58.520 --> 00:06:02.390 align:middle line:84%
to be used in an
intelligence context.

00:06:02.390 --> 00:06:04.730 align:middle line:84%
Malicious hackers, security
teams, law enforcement

00:06:04.730 --> 00:06:07.190 align:middle line:84%
are some people who
would use OSINT.

00:06:07.190 --> 00:06:10.160 align:middle line:84%
OSINT can be used for locating
missing people, background

00:06:10.160 --> 00:06:14.550 align:middle line:84%
checks, tracking malicious
hackers, and much more.

00:06:14.550 --> 00:06:16.550 align:middle line:84%
There are a number of
tools available for OSINT,

00:06:16.550 --> 00:06:20.030 align:middle line:84%
including online browser tools
and more specialised tools that

00:06:20.030 --> 00:06:21.680 align:middle line:90%
need to be installed.

00:06:21.680 --> 00:06:28.650 align:middle line:84%
Sock puppet accounts should be
used in OSINT investigations.

00:06:28.650 --> 00:06:34.990 align:middle line:84%
A clean OSINT VM should also
be used for any investigation.

00:06:34.990 --> 00:06:36.340 align:middle line:90%
Now this was about OSINT.

00:06:36.340 --> 00:06:38.840 align:middle line:84%
In the next video, we're going
to be talking about the Trace

00:06:38.840 --> 00:06:40.600 align:middle line:90%
Labs OSINT virtual machine.

00:06:40.600 --> 00:06:41.600 align:middle line:90%
Thank you for watching.

00:06:41.600 --> 00:06:43.650 align:middle line:90%
I'll see you in the next video.

00:06:43.650 --> 00:06:46.000 align:middle line:90%