OSINT: Passive or Active?
OSINT Approaches
There are two main approaches to how information (OSINF) can be collected.
Passive Collection
Passive OSINT is ConsilAD’s normal means of collecting information, this means we do not interact with targets.
No messaging the target, friend requests, likes or follows.
We collect information without ever making the target aware of it.
We remain distant from the target.
Here are some examples of what a passive approach would include.
- Searching a target’s username online to locate other accounts.
- Looking up a target’s email addresses in data breaches and leaks.
- Preserving content (using forensic tools) such as posts, images and videos from a target social media accounts.
- Looking up historical WHOIS and DNS records for a target domain.
Circumstances where that could be varied or justified include:
- Following public figures.
- Accounts which are effectively public (circumstances vary) such as an account with more than 1,000 followers or friends (the number may vary).
- Business accounts – invitations to treat, public offerings etc.
Active Collection
Not recommended for most engagements, as it involves making contact with the target or their online accounts in some way.
Active OSINT entails inherent risks, such as alerting the target and presenting the examiner account as a target for counter-OSINT.
Costs are higher as the set-up required entails more care and often the creation of unique resources.
Sometimes it may be necessary for an investigator to interact with their target in some way to identify the true identity of a perpetrator.
If this is the case, our method is carefully considered for legal and ethical compliance and all steps are recorded using forensic tools to show how the work was done.
It is more time and labour intensive, with significant set-up and careful evidence collection processes.
- Sending the target a friend request or follow request from an examiner / sock-puppet account.
- Sending the target a private message of any kind. This may include a code to identify the recipient location or IP address.
- Liking, commenting or sharing a target’s posts.
- Scanning a target web site or device.
Variations:
Mediated collection – a variation in authentication which entails the use of an existing online account, potentially connected to the target – (with consent of the account owner) for forensic collection of ESI visible to the account and similar audiences.
Custodian collection – use of client credentials using our specialised tools to forensically collect data visible from that account’s perspective. Normally this is more for evidence collection than OSINT, but may have some application for search and identification of additional OSINF or probative material.