Spyder Forensics Open-Source Intelligence (OSINT)

32 Hours / 4 Days

This Foundations course will introduce to the world of Open-Source Intelligence (OSINT) information research, collection, exploitation, and analysis.

Primary Learning Modules

Agenda: OSINT is becoming increasingly important across investigations of all types, especially for law enforcement and government agencies. This course will teach you how apply good attribution to protect your identity and organization by providing defensive techniques in the operating environment, including misattribution and creation and usage of sock puppets. Common legal challenges in the collection and usage of OSINT will be discussed while learning OSINT research skills, manual OSINT collection methodologies, and explore automation options within OSINT collection environment.

This course includes the following:

Intro (can you OSINT this for me?) 

What is OSINT? More importantly, what ISN’T OSINT?

Legal/Privacy/Policy considerations



Defensive OSINT/Personal Privacy

  • Sock puppets/personas/UC accounts
  • “Burner” phones
  • “Dirty” laptops
  • Off network devices
  • Drawbacks
  • Misattribution systems/Anonymous Browsing
  • VPNs
  • Practical- setting up a UC Persona Suite
  • Tor (intro)
  • Cleaning up your internet presence/ Erasing/minimizing your footprint (why; erasing not truly possible but scattering disinformation possible to provide appropriate coverage) (can I ever really be a ghost?) (hiding in plain sight)
  • Sock puppet maintenance methodology
  • iOS and android location exploitation/safety guides for travel (know your apps and privacy settings)


Search Engines

  • Google
  • Bing
  • DuckDuckGo
  • Baidu
  • Yandex


Reverse Image Searching

  • Google Images
  • Yandex


Selector/Identifier Exploitation (easily at minimum 1 hour per block, two with practicals)

  • Phone numbers
    • Manual
    • The phone or nox method (marinating!)
  • User name
  • Email address
  • IP address
    • IPv4 Vs IPv6
    • Is it a TOR node?
    • Internet of things
  • Domain Name

Metadata (Images/Videos/documents)

  • What is it
  • How to change it
    • Matching your metadata for photos to your ‘emulator’ type (IE, android 5 camera, etc)

Geolocations and Maps (geolocated social media posts, co-locating existing subpoena records with social media posts; Ad-ID possible as a quick overview)

Blogs/Forums (Quora, Reddit, 4Chan, 8Kun)

Social media exploitation (break down by platform-focus on 4 big ones and youtube-address: phone apps and desktop for each)

  • Facebook
  • Instagram
  • Twitter
  • LinkedIn
  • YouTube

Messaging platforms and Chat Apps (Encryption?)

  • Telegram
  • WhatsApp
  • FB Messenger
  • Signal
  • Snapchat (heatmaps; location)

Dating platforms and apps (location services, vetting persons)

  • Bumble
  • Hinge
  • Tinder


  • Business records (registrations, taxes)

  • Public records (property, court, aggregation sites)

  • Financial Records (OFAC, political donor records, public employee records)

“Foreign” Apps (popular outside US)

  • VK (Russia)
  • OK (Russia)
  • GETTR (Brazil, South America)

Scripting and GitHub

  • Gamera

SALE- Situational Awareness for Live Events (Tactical OSINT)

  • Live video feeds-weather bug
  • Local video cameras
  • Foreign video feeds
  • YouTube live
  • Other live platforms (IG Live, Twitter videos, FB Live, etc)
  • Rapid Photo/Video Analysis for location data

User Driven Block

  • Identify locations of students during day 1 (or based on registration data) and identify specific regional resources that they can use

Class Materials & Software

You will receive a student manual, lab exercises and other class-related material


To get the most out of this class, you should:

  • Have minimal experience of forensic examinations.

Request the Syllabus

Contact Spyder Forensics for more details of the course.

Hosting Courses

If you are interested in hosting this, or any of our courses at your facility, contact us.

Ready to get started?