Guides | 8 min read | Dec 18, 2024

How to Run an OSINT Investigation: A Step-by-Step Guide

A concrete 8-step OSINT investigation workflow covering scoping, identifier pivots, breach data correlation, and defensible reporting.

Security Research Team

Revealer.US

An OSINT investigation is only as good as the discipline behind it. Plenty of analysts can dump a username into a dozen tools and collect screenshots, but very few produce findings that survive a supervisor's review, a legal hold, or a courtroom. This OSINT guide walks through an eight-step security investigation workflow we use at Revealer.US to turn a thin lead into an evidence package that holds up. The focus is practical: what you actually do at each stage, what you record, and where junior analysts most often go off the rails. We will follow a fictitious subject through the full process so the mechanics are concrete rather than abstract.

Step 1: Scope the Investigation Before You Touch a Tool

Every OSINT investigation begins with a written scope. Without one, you will drift into adjacent targets, collect data you are not allowed to keep, and waste hours on questions nobody asked. A good scope answers four things in plain language: who authorized the work, what question you are answering, what identifiers you are allowed to pivot on, and what is explicitly out of bounds.

The scoping checklist

  • Authorizing party and legal basis (internal security, fraud team, counsel, law enforcement referral)
  • Primary question in one sentence, for example, "Is the person behind the handle @northwind_trader the same individual who filed invoice 4471?"
  • Seed identifiers: emails, usernames, phone numbers, domains, wallet addresses
  • Exclusions: minors, uninvolved family members, attorney-client communications, foreign jurisdictions requiring special handling
  • Retention window and storage location for collected artifacts

Write this down and timestamp it. If the investigation later expands, you amend the scope rather than quietly widening it.

Step 2: Establish Clean Collection Infrastructure

Before any open source intelligence work begins, prepare the environment. Investigators who collect from their personal browsers poison their findings with cookies, autofill data, and recommendation bubbles that bias results.

  • A dedicated virtual machine or sandboxed browser profile with no logged-in accounts
  • A residential or commercial proxy when regional content is involved, documented in your case notes
  • A case folder with subdirectories for raw captures, processed artifacts, and the running timeline
  • A hash log so every downloaded file gets a SHA-256 before it is touched

This infrastructure is the foundation of your evidence chain. If a defense attorney later asks whether a screenshot could have been tampered with, your answer is the hash, the timestamp, and the tool that produced it.
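As an added illustration of the hash log described above (example code written for this guide, not Revealer.US tooling), this Python intake script hashes each capture on arrival, appends a timestamped JSON-lines entry naming the producing tool, and re-verifies the whole folder later so a modified or missing artifact is caught before it reaches a report. The case folder, file names and byte contents are constructed.

```python
# Added example, not Revealer.US code: a SHA-256 hash log for the case folder, kept as
# JSON lines so every capture carries its hash, UTC timestamp and producing tool.
import hashlib, json, tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_of(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as fh:        # stream so large captures fit in memory
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def log_artifact(case_dir, artifact, tool, note=""):
    """Hash the file on intake and append the entry to <case_dir>/hash_log.jsonl."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "file": artifact.relative_to(case_dir).as_posix(),
        "sha256": sha256_of(artifact),
        "tool": tool, "note": note,
    }
    with (case_dir / "hash_log.jsonl").open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry

def verify_log(case_dir):
    """Re-hash every logged file; returns {relative_path: 'ok' | 'modified' | 'missing'}."""
    status = {}
    for line in (case_dir / "hash_log.jsonl").read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        target = case_dir / entry["file"]
        if not target.exists():
            status[entry["file"]] = "missing"
        else:
            status[entry["file"]] = "ok" if sha256_of(target) == entry["sha256"] else "modified"
    return status

def run_demo():
    """Constructed walk-through in a temp folder: log two captures, then tamper with one."""
    case = Path(tempfile.mkdtemp(prefix="case_"))
    (case / "raw").mkdir()
    shot = case / "raw" / "github_profile.png"
    har = case / "raw" / "reddit_session.har"
    shot.write_bytes(b"constructed sample bytes, not a real screenshot")
    har.write_bytes(b"constructed sample HAR content, not a real capture")
    log_artifact(case, shot, tool="firefox-screenshot", note="Step 3, GitHub profile")
    log_artifact(case, har, tool="browser-devtools", note="Step 5, Reddit post history")
    before = verify_log(case)
    shot.write_bytes(b"edited after collection")   # simulate post-collection tampering
    har.unlink()                                  # and a lost artifact
    return {"before": before, "after": verify_log(case)}
```

Because the log is append-only and each entry records the tool, a reviewer can answer the tampering question with the hash and timestamp rather than with the analyst's word.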

Step 3: Identifier Pivot on the Seed Data

The heart of any OSINT investigation is the identifier pivot. You take a single seed, usually an email, username, or phone number, and systematically expand outward. Our fictitious case gives us one seed: the email address [email protected], reportedly used to register a suspicious vendor account.

Email pivots

  1. Check the email against breach data to find historical exposures and associated passwords (hashed when possible)
  2. Run Gravatar and Have I Been Pwned style lookups for linked profile fragments
  3. Extract the local part, here daria.hensley.42, and treat it as a username candidate
  4. Query email-to-profile services that surface Twitter, LinkedIn, and Gravatar accounts tied to the same address

Username search across platforms

The local part becomes a username to hunt across platforms. Tools like Sherlock, Maigret, and WhatsMyName enumerate hundreds of sites, but treat their output as leads, not confirmations. A hit on a platform only means a profile with that handle exists, not that it belongs to your subject. In our case, the handle daria.hensley.42 appears on GitHub, Reddit, and a defunct forum. Two of three have matching bio text referencing Boise, Idaho, which becomes our first corroborating data point.

Phone number pivots

If a phone number is in scope, reverse lookups through carrier databases, messenger presence checks on Signal, Telegram, and WhatsApp, and breach data correlation fill in carrier, line type, and historical registration information.

Step 4: Correlate with Breach Data

Breach data is where OSINT investigations earn their keep. A handle on a forum tells you someone exists. A matching email inside a 2019 infostealer log tied to a corporate VPN endpoint tells you where that person worked and what they were doing. Revealer.US indexes billions of records from stealer logs, combo lists, and surface breaches, which lets an analyst pivot from a seed email to historical IP addresses, user agents, and co-occurring credentials in seconds.

In our worked example, [email protected] appears in two stealer logs from 2022. Both logs also contain session cookies for a small accounting SaaS under a different corporate email, [email protected]. That single correlation links the ProtonMail alias to a real employer and a legal name candidate. You would spend days trying to reach the same conclusion with public sources alone.

Step 5: Platform Enumeration and Social Media Investigation

With a stronger identity hypothesis, the social media investigation phase begins. The goal here is not to collect every photo the subject has ever posted. It is to answer specific questions from the scope.

  • Which platforms does the subject actively use, and under which personas?
  • What is the linkage pattern between personas: shared profile photos, mutual followers, reused bios, identical join dates?
  • What public posts contradict or corroborate other findings?
  • Which accounts are dormant, which are active, and which look curated for a specific audience?

Use reverse image search on profile pictures through Yandex, Google Lens, and PimEyes where licensing permits. Reverse image hits often break a case wide open because people reuse photos across aliases they believe are siloed.

Step 6: Relationship Mapping and Identity Resolution

Once you have a cluster of accounts and artifacts, map the relationships. A whiteboard works, but dedicated graph tools like Maltego, Obsidian Canvas, or a simple Neo4j instance scale better. Nodes are entities (emails, handles, phone numbers, domains, people), and edges are the evidence that connects them.

Good identity resolution is ruthless about confidence levels. Label every edge:

  1. Confirmed: multiple independent sources agree
  2. Probable: one strong source plus circumstantial support
  3. Possible: single weak source, requires further work
  4. Disproven: keep the node so you do not re-investigate it later

In our example, the graph now has the ProtonMail seed, the corporate email, a GitHub account with commits authored as Daria Hensley, a LinkedIn profile in the same name at Northwind Accounting, and a Reddit account whose post history mentions the same employer. Four confirmed edges, one probable, and the working hypothesis is strong.

Step 7: Corroborate Everything Before You Commit

This is the step that separates professional OSINT from LARP. Before any finding goes into the report, corroborate it from at least one independent source. Independent means a source that could not have been derived from the first. A LinkedIn profile and a company about page are not independent if the about page was scraped from LinkedIn. A breach record from 2019 and a 2023 voter roll entry are independent.

Legal and ethical guardrails live here too. Do not log in to accounts you do not own. Do not scrape sites whose terms you have not reviewed. Do not cross jurisdictions your authorization does not cover. Document refusals as carefully as you document findings; a clean record of what you chose not to collect is often what keeps a case intact under scrutiny. For sensitive matters, align your handling with NIST SP 800-61 incident response practices so the chain from collection to handoff is defensible.
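The confidence-labelled graph of Step 6 and the independence test of Step 7, as one added Python example (not Revealer.US code): an edge is labelled confirmed only when its sources trace back to two different collection points, a source scraped from another source counts as the same root, and a chain of links is rated no higher than its weakest edge. The source identifiers and the disproven forum edge are constructed for illustration.

```python
# Added example, not Revealer.US code: label edges by the guide's confidence scale,
# test source independence via provenance, and rate a chain by its weakest edge.
from collections import defaultdict, deque

RANK = {"confirmed": 3, "probable": 2, "possible": 1, "disproven": 0}
DERIVED_FROM = {"company_about_page": "linkedin_profile"}  # a scraped copy is not independent

def root_of(source):
    while source in DERIVED_FROM:   # follow the copy chain back to the original collection
        source = DERIVED_FROM[source]
    return source

def label_edge(sources, strong=False, disproven=False):
    """Guide's scale: confirmed needs >=2 independent sources; disproven edges are kept."""
    if disproven:
        return "disproven"
    if len({root_of(s) for s in sources}) >= 2:
        return "confirmed"
    return "probable" if strong else "possible"

def build_graph(edges):
    adj = defaultdict(dict)          # node -> {neighbour: label}; undirected
    for a, b, label in edges:
        adj[a][b] = adj[b][a] = label
    return adj

def path_confidence(adj, start, goal):
    """Widest-path search: a chain is only as strong as its weakest edge; disproven edges are never traversed."""
    best = {start: 3}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt, label in adj[node].items():
            score = min(best[node], RANK[label])
            if score == 0 or score <= best.get(nxt, -1):
                continue
            best[nxt] = score
            queue.append(nxt)
    return None if goal not in best else [k for k, v in RANK.items() if v == best[goal]][0]

def worked_case():
    """The guide's fictitious Daria Hensley cluster; source ids are constructed."""
    edges = [
        ("seed_protonmail", "corp_email", label_edge(["stealer_log_2022_a", "stealer_log_2022_b"])),
        ("corp_email", "linkedin_northwind", label_edge(["linkedin_profile", "company_about_page"], strong=True)),
        ("seed_protonmail", "github_handle", label_edge(["sherlock_hit", "github_commit_author"])),
        ("seed_protonmail", "defunct_forum_handle", label_edge([], disproven=True)),
    ]
    adj = build_graph(edges)
    return {"labels": {(a, b): lab for a, b, lab in edges},
            "seed_to_linkedin": path_confidence(adj, "seed_protonmail", "linkedin_northwind"),
            "seed_to_forum": path_confidence(adj, "seed_protonmail", "defunct_forum_handle")}
```

Note that the LinkedIn edge comes out probable rather than confirmed: the company about page derives from the LinkedIn profile, so the two sources collapse to one root, exactly the trap the text warns about.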

Step 8: Document, Preserve, and Report

The final phase is where most investigations quietly fail. Analysts have the answer but no one else can reproduce it. Preserve your work the same way you would a forensic image.

  • A chronological timeline of every action, each line timestamped
  • Raw artifacts in their original form, with hashes
  • Processed exhibits labeled Exhibit A, B, C and cross-referenced in the report
  • A short executive summary, a detailed findings section, and an appendix for methodology

The executive summary should answer the scoping question in two or three sentences. The findings section presents each claim with its supporting exhibits and confidence level. The methodology appendix lets a reviewer retrace your steps. If your organization needs a head start on templates and retention policy, the Revealer.US documentation hub covers evidence chain patterns we use in production.

Conclusion

A disciplined OSINT investigation is a pipeline, not a scavenger hunt. Scope tightly, collect cleanly, pivot systematically, correlate with breach data, map relationships with honest confidence levels, corroborate before you commit, and document as if the case will be audited, because sooner or later one of them will be. The difference between an analyst who produces leads and one who produces evidence is almost entirely in the habits above.


Want to accelerate every step of your OSINT investigation? Start a free trial of Revealer.US and pivot across billions of breach, stealer, and identity records from a single workspace.
