In the dynamic field of Open Source Intelligence (OSINT), safeguarding one’s anonymity isn’t just a best practice; it’s a vital component of effective research. This chapter aims to shed light on anonymity’s critical role in OSINT analysis. As we navigate through various sections, we will emphasize the significance of protecting personal privacy while conducting comprehensive intelligence gathering. By the end of this chapter, you will be equipped with the knowledge and skills necessary to maintain anonymity, manage your digital footprint, and communicate securely during the OSINT examination.
We will cover the following main topics in this chapter:
OSINT research involves the data mining of openly available resources. However, OSINT analysts must take precautions to preserve their privacy and anonymity for many important reasons, including the following:
So, how can you be detected during an investigation? Well, let’s take a look at several methods:
As a cybersecurity researcher, I once faced a daunting challenge. I needed to uncover information about cyberattacks that seemed to originate from a specific area. To do this without alerting the attackers, I turned to a Virtual Private Network (VPN). I connected to a server in a different country, which hid my real IP address and location. It appeared as if I was browsing from that server’s location, not my own. This allowed me to safely explore various websites and forums, gathering the information I needed without exposing my identity. This experience taught me the power of a VPN in protecting one’s digital presence, especially when researching sensitive topics.
Figure 2.1 – My results on privacy.net/analyzer
Oh, and if you think incognito mode will protect you, nope. Browser fingerprinting can still track your activities across different sessions.
Figure 2.2 – Cookies are stored in different locations, but can expose quite a bit of intel
Figure 2.3 – Example of metadata included on a file
Look, tech has always been a game-changer, “Duh, Dale”! While it’s awesome for nabbing criminals, villains, and arch-enemies, it can also slice right through our personal privacy if we’re not careful.
We need a system where there’s oversight, checks, balances, and—most importantly—accountability. We can’t just let these powerful tools run wild without some ground rules. And hey, these rules need to be transparent so that you and I can have a say if something doesn’t smell right.
Technology itself doesn’t have a moral compass; it’s just a tool. We’ve got to be smart, ethical, and, above all, vigilant. In the end, it’s all about the long game. If we sacrifice our principles for some short-term security wins, we’re setting ourselves up for some serious long-term losses. We’ve got to keep our eyes on the prize: a society that’s both safe and free. And that, my friends, is a balancing act worth perfecting. OK, I think you get my point, I’ll get off my soapbox.
Your digital footprint is like your shadow on a sunny day—always there, slightly altering its form as you move through life. Yet, this shadow can often expose more than we’d care to reveal. Your personal information, such as your home address or social security number, is merely a click away from prying eyes. Now let’s get something straight; you didn’t sign up for this level of exposure. But it’s happening, and we should all be alarmed.
Before we get into performing an OSINT investigation on a target, it is important for us as security professionals to understand methods of protecting ourselves. Did you know that approximately 91% of cybercrimes start with a simple email? (https://www.yeoandyeo.com/resource/91-of-cyberattacks-begin-with-a-phishing-email)
It’s possible for an attacker to not know your name at first. However, with more data, they can eventually build a complete picture of your digital identity. In today’s world, data is as valuable as oil. Recognizing how simple it is for someone to obtain your information is not only concerning, but it’s also a call to action.
Your personal data is being exploited by cybercriminals, stalkers, and profit-driven corporations. Although you may not be directly selling your information, your daily online activities are doing it for you. Every Google search you make, every social media post you publish, and even every product you browse on an e-commerce website contribute to a complete profile of you—one that you didn’t even create.
Figure 2.4 – Google tracks you with your phone (https://timeline.google.com/)
Digital data vulnerability isn’t merely about the now. It has far-reaching consequences, including identity theft and even personal safety risks. The impact is multidimensional. For instance, an imposter using your identity could apply for loans, make illegal transactions, or even conduct criminal activities. Clearing your name afterward is not only an enormous task, but it can be financially and emotionally draining.
Data vulnerability can have a significant impact on your personal life as well. For example, a potential employer may come across inaccurate or unfavorable information about you, which could damage your reputation before you even have a chance to demonstrate your abilities.
The stakes are high and the odds, unfortunately, are not in your favor. However, don’t resign yourself to digital fate just yet. Let me give you some tips for being not just digitally aware but also digitally empowered. Your personal information is precious; it’s time to start treating it that way.
The browser is your friendly digital conduit that gets you from here to there on the information superhighway. It’s where you read the news, watch videos, engage in social media warfare, and what have you. However, lurking underneath that user-friendly interface is a data-collection apparatus that puts the NSA to shame. No, I’m not here to fill your head with conspiracy theories. But remember my saying: “Just because I don’t see the black helicopters doesn’t mean they aren’t there!”
Yep, there are different types of cookies to fill our browser’s tummies:
This tool, known as a cookie grabber, is designed to snatch those cookies. The danger? It can grab both types of cookies, even those with sensitive info such as your login details.
For instance, you visit a site with an embedded cookie grabber. Without a hint of suspicion, you log in, and just like that, your session cookies are stolen. Now, the attacker has a key to your digital kingdom and access to your accounts on other platforms, all from a simple, unnoticed theft.
It gets more unsettling. Let’s talk about websites that store your credentials—your usernames and passwords—in plain text right in your browser. It sounds technical, but here’s the deal: sometimes, when you log into a site, it keeps a record of your login details in a format anyone can read. If your computer is compromised or you’re on a shared computer, someone could use a basic tool, such as a hex editor, to see these credentials. It’s like leaving your house keys on a park bench and walking away.
Imagine logging into a website that doesn’t take your privacy seriously. Your credentials are stored in plain text in a cookie. You’re none the wiser, but a hacker or even a nosy roommate could extract this information with ease, breaking into your accounts as if they were their own:
Figure 2.5 – Using a cookie grabber, you can assume someone’s account or identity
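From the defender's side, the weakness described above shows up in the `Set-Cookie` headers a site sends. The following is an added example, not code from the book: it audits header values for credentials readable in the cookie itself and for missing `HttpOnly`, `Secure`, and `SameSite` attributes on session-like cookies. The sample headers, the name heuristics, and the finding labels are all assumptions made for illustration.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed Set-Cookie header values (not captured from any real site).
SAMPLE_HEADERS = [
    "session=9f2c1e7ab04d4c55; Path=/; Secure; HttpOnly; SameSite=Lax",
    "auth=user%3Dalice%26password%3DHunter2!; Path=/",
    "remember=" + base64.b64encode(b"alice:Hunter2!").decode() + "; Path=/; Secure",
    "theme=dark; Path=/; SameSite=Lax",
]

# Heuristics (assumptions): cookie names that usually carry a login session,
# and value shapes that look like readable credentials.
SESSION_HINT = re.compile(r"(sess|auth|token|sid|remember|login)", re.I)
CRED_PATTERN = re.compile(r"(pass(word|wd)?|pwd|secret)\s*[=:]", re.I)
USERPASS_PATTERN = re.compile(r"^[\w.@-]{2,64}:[^\s:]{4,}$")


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, lowercased attributes)."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def looks_like_plaintext_credentials(value):
    """True if the value, URL-decoded or base64-decoded, reads like credentials."""
    candidates = [unquote(value)]
    try:
        candidates.append(base64.b64decode(value, validate=True).decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, ValueError):
        pass  # not base64 text; only the URL-decoded form is checked
    return any(CRED_PATTERN.search(c) or USERPASS_PATTERN.match(c)
               for c in candidates)


def audit_cookie(header):
    """Return (cookie name, list of findings) for one Set-Cookie value."""
    name, value, attrs = parse_set_cookie(header)
    findings = []
    sensitive = bool(SESSION_HINT.search(name))
    if looks_like_plaintext_credentials(value):
        findings.append("plaintext-credentials")
        sensitive = True
    if sensitive:
        if "httponly" not in attrs:   # readable by page scripts
            findings.append("missing-httponly")
        if "secure" not in attrs:     # may travel over plain HTTP
            findings.append("missing-secure")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            findings.append("missing-samesite")  # absent or set to None
    return name, findings


def audit_headers(headers):
    """Audit several Set-Cookie values; returns {cookie name: findings}."""
    return dict(audit_cookie(h) for h in headers)


if __name__ == "__main__":
    for cookie, issues in audit_headers(SAMPLE_HEADERS).items():
        print(f"{cookie:10} {', '.join(issues) or 'ok'}")
```

A cookie that holds only an opaque random session identifier and carries all three attributes passes; the two that embed a username and password are flagged regardless of encoding.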
Both VPNs and proxy chains serve as effective tools for maintaining online privacy. They help in obscuring your real IP address, making it difficult for third-party cookies to track your internet activities. This is especially valuable in today’s digital world, where online tracking and data privacy are major concerns. However, it’s important to choose reputable VPN and proxy services, as they have access to your internet data. Always prioritize services that are known for their strong privacy policies and commitment to user security.
If mainstream browsers are the attention-seeking reality TV stars of the digital world, DuckDuckGo is the introverted genius no one’s heard of but should have. DuckDuckGo is on a mission to simplify online privacy. The plucky company blocks hidden trackers that follow you around the web. Their software firewall shuts down attempts to collect your search history and personal information.
DuckDuckGo’s products are entirely focused on giving you control over your data. Their search engine never stores search history or user information. All searches are private by default. The browser extension and mobile app also block invasive trackers lurking on websites.
Figure 2.6 – DuckDuckGo is a great browser to hide yourself
Encryption provides another layer of protection by securing connections between you and websites. Together, these tools form an effective privacy shield to stop advertising companies and other third parties from profiling you.
DuckDuckGo makes money by showing keyword-based ads instead of creepy targeted ones, so they have no need to create personal data profiles. Their business aligns with their mission to put privacy first.
So, you’re ready to make the switch? Excellent. But you can’t just storm out of one relationship and into another without some prep. Here’s how to do it:
Now, let’s not romanticize DuckDuckGo as the only superhero here. There are other options too, each with its own set of perks and quirks.
This is one browser I recommend to everyone. It’s kind of the new kid on the block.
The privacy-centric Brave browser (https://brave.com/) is an excellent starting point for obscuring your online activity. Brave blocks trackers by default, reducing the ability of third parties to monitor you.
Figure 2.7 – Brave is my personal choice for hiding my identity
For those wary of switching browsers, extensions such as Startpage offer similar protections.
Startpage displays a privacy score between one and five so you can see just how many trackers and cookies it foiled on each site. The details may shock you, but will ultimately empower you. Startpage also cloaks your identity from any trackers that do run by masking your digital fingerprint.
Figure 2.8 – The Startpage extension is available in the Chrome web store
While blocking trackers, you may need to permit certain benign cookies so sites function properly. Startpage allows you to approve cookies individually—no need for blanket access. For searches, Startpage queries Google anonymously so they can’t add to your creepy profile.
Between Brave’s robust protections and Startpage’s actionable insights, you now have potent weapons to evaporate your digital shadow. No longer will you be passive prey to cyberstalking trackers. The following are its pros and cons:
Tor (or The Onion Router) is a networked community united by a common cause—online privacy. Tor was born from rebellion. While governments spy and corporations track, Tor fights back. It’s an online resistance movement, with servers, relays, and nodes, run by volunteers worldwide. No single point can trace the full path.
Figure 2.9 – The Tor website
Tor scrubs metadata and masks IP addresses. Traffic is encrypted and re-encrypted as it hops through the privacy network. Like peeling back layers of an onion, each relay only knows the next stop, not the final destination.
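The layering described above can be modelled in a few lines. This is an added example, not from the book and not Tor's code: it is a simplified model in which a hash-based keystream and HMAC stand in for Tor's real cryptography (the stand-in is not secure), and the relay names, keys, and destination are constructed. It shows that each relay can remove only its own layer and learns only the next hop.

```python
import hashlib
import hmac
import os


def keystream(key, nonce, n):
    """Toy keystream from SHA-256 in counter mode (illustration only)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(key, plaintext):
    """Encrypt and authenticate one layer: nonce | tag | ciphertext."""
    nonce = os.urandom(16)
    stream = keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, stream))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def open_layer(key, blob):
    """Verify and decrypt one layer; fails for any key but the right one."""
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered layer")
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


def build_onion(path, destination, payload):
    """Client side: wrap payload once per relay, innermost layer for the exit.

    path is a list of (relay_name, key) pairs, entry relay first.
    """
    blob, next_hop = payload, destination
    for name, key in reversed(path):
        header = next_hop.encode()
        blob = seal(key, len(header).to_bytes(2, "big") + header + blob)
        next_hop = name
    return blob


def peel(key, blob):
    """Relay side: remove one layer, returning (next hop, remaining blob)."""
    layer = open_layer(key, blob)
    n = int.from_bytes(layer[:2], "big")
    return layer[2:2 + n].decode(), layer[2 + n:]


if __name__ == "__main__":
    # Constructed three-hop path with random per-relay keys.
    path = [(name, os.urandom(32)) for name in ("entry", "middle", "exit")]
    blob = build_onion(path, "example.org:443", b"GET / HTTP/1.1")
    for name, key in path:
        next_hop, blob = peel(key, blob)
        print(f"{name:6} learns next hop = {next_hop}")
    print("exit relay forwards:", blob)
```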
This is only possible through strength in numbers. Thousands of selfless volunteers lend their computers as Tor nodes. These diverse entry, middle, and exit points form the decentralized backbone of the network. The result is censorship-resistant connections sealed with privacy-protecting encryption.
Tor is free software (https://torproject.org) built by a community of believers. The code is open for all to inspect and improve. Transparency keeps Tor true to its mission. There are no shady backdoors or hidden agendas baked into the tools. The following are its pros and cons:
But Dale, what browsers would you stay away from? Well, folks, that list goes a little like this (in no particular order):
Your browser is your first line of defense against cyber threats. It’s more than just a gateway to the internet; it’s the fortress that guards your data with solid power. Make the change and fortify your browser today. Your digital self will be grateful for the extra protection.
Now, before your imagination runs wild, no, we’re not talking about crafting a delightful puppet out of your favorite pair of socks. Sock puppets are fictitious online identities created for the purposes of deception, manipulation, or information gathering. Like puppets on an entertainer’s hand, they are characters that allow the puppeteer to take on a different persona and interact incognito.
While not inherently illegal, sock puppets are often frowned upon due to their capacity for abuse. They can be used to spread misinformation, artificially boost popularity, harass others anonymously, or infiltrate communities under false pretenses. However, they also have legitimate uses in fields such as investigative journalism or penetration testing.
There are several motivations for individuals and organizations to use sock puppet accounts:
An online persona created for the purposes of anonymity and information gathering can be a powerful tool when applied ethically. Sock puppets serve as digital chameleons, blending into the online environment to collect open source intelligence without revealing the investigator’s true identity. This practice is particularly valuable in scenarios where revealing one’s identity may skew the information obtained or pose a risk to the investigator’s safety.
Imagine, for example, a cybersecurity expert tasked with assessing the security of a financial institution. By ethically deploying a sock puppet, they can interact with suspect phishing sites or malicious actors to understand their tactics—without exposing the institution or themselves to undue risk. It’s a bit like an undercover cop in the digital neighborhood, watching and learning but not interfering.
Additionally, sock puppets can play a crucial role in tracking cyber threats. They can be used to monitor dark web forums or infiltrate cybercriminal networks, gathering intelligence on emerging threats, data breaches, or the sale of stolen data. This allows cybersecurity professionals to warn potential victims and fortify defenses before any actual harm is done.
The ethical use of sock puppets in OSINT is underpinned by a strict code of conduct: they are not used for deception or manipulation, but rather as a shield to protect the identity of the security professional while they gather the necessary intelligence to bolster our digital defenses. It’s a cloak of invisibility for the good guys, allowing them to observe and report without becoming targets themselves.
Here are some things to consider when creating your sock puppet:
Expand beyond just a name to create an identity, including the following:
Some will call these steps pretexting.
Note
Oh, is that a new word for you? Well, what I mean by pretexting is not just pretending to be someone else; you’re creating a whole backstory, setting, and script to make it believable.
Figure 2.10 – Yep, this isn’t anyone in real life; it’s AI-generated (https://thispersondoesnotexist.com)
Note
Remember, the key to a great performance is consistency, so maintain the same persona across different platforms.
I was once interviewed by a reporter. I preferred to keep my anonymity. I chose to use Tor, which encrypts internet traffic by routing it through several servers worldwide. Along with an encrypted messaging service found on the dark web, I was able to communicate with this reporter securely. Our discussions were completely private, with no risk of being traced back to us.
Don’t forget to give your puppet a phone number! Using a service such as TextFree (https://textfree.us/), you can send and receive text messages without exposing your real number. It’s kind of cool.
To prevent sock puppet accounts from being linked back to their creators, anonymous communication channels are essential. This involves creating untraceable email addresses and burner phones.
When setting up the puppet’s email account, consider the following:
Burner phones are clutch for keeping your investigation on the down low, but you have to use them carefully. Only use a burner for stuff directly tied to your case—calls, texts, 2FA codes, etc.
Figure 2.11 – Some of my personal burners I’ve used for engagements
Never ever save sensitive docs, names, dates, locations, or other case details on the device. Remember, burners can still get tapped, hacked, or compromised despite being disposable. So, take extra precautions such as using encrypted chat apps (Signal and WhatsApp), not linking the burner to personal accounts, turning off GPS, removing metadata from pics, and regularly clearing caches. Use code names when contacting sources instead of real ones.
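For the "removing metadata from pics" precaution above, here is an added example (not from the book) that walks a JPEG's segments and drops the ones that carry metadata: APP1 (Exif/XMP), APP13 (IPTC), and COM comments. The sample bytes are a constructed, minimal JPEG-shaped stream with placeholder payloads, not a real photo, and the choice of which segments to drop is an assumption.

```python
import struct

# Segment types removed (assumption: these cover the common metadata carriers).
STRIP_MARKERS = {
    0xE1: "APP1 (Exif/XMP)",
    0xED: "APP13 (IPTC)",
    0xFE: "COM (comment)",
}
SOS = 0xDA  # start of scan: compressed image data follows


def segment(marker, payload):
    """Build one JPEG segment: FF, marker, 2-byte length, payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, JFIF header, fake Exif block, comment, scan, EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + segment(0xE1, b"Exif\x00\x00" + b"GPS 00.0000N 000.0000E; Make=ExamplePhone")
    + segment(0xFE, b"edited on analyst-laptop")
    + segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\x56"
    + b"\xff\xd9"
)


def strip_jpeg_metadata(data):
    """Return (cleaned bytes, list of removed segment types)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    out = bytearray(b"\xff\xd8")
    removed = []
    pos = 2
    while True:
        if pos + 4 > len(data) or data[pos] != 0xFF:
            raise ValueError(f"malformed segment at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before the real marker
            pos += 1
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == SOS:
            # Everything from here is image data; copy it untouched.
            out += data[pos:]
            return bytes(out), removed
        if marker in STRIP_MARKERS:
            removed.append(STRIP_MARKERS[marker])
        else:
            out += data[pos:end]
        pos = end


if __name__ == "__main__":
    cleaned, removed = strip_jpeg_metadata(SAMPLE_JPEG)
    print("removed:", removed)
    print("bytes before/after:", len(SAMPLE_JPEG), len(cleaned))
```

Dropping the Exif block also removes the orientation tag, so a photo taken sideways may display rotated afterwards. Only JPEG is handled here; other formats store metadata differently.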
When conducting an OSINT investigation, the responsible management of burner devices is a crucial step in the operation’s lifecycle. When an investigation concludes or if there’s a suspicion that the integrity of a burner has been compromised, it’s time to ensure that the device is retired securely and professionally. You’ll want to take one of two steps in handling these devices:
These measures aren’t the cloak-and-dagger tactics of a crime drama; they’re the bread and butter of ethical hacking and professional digital investigation. A burner phone is a shield, safeguarding both the investigator’s anonymity and the integrity of their work. Employing these devices, with their eventual disposal, is a testament to a professional’s commitment to security and confidentiality in a field where the stakes are invariably high.
Remember, every step we take is geared toward strengthening security postures and uncovering vulnerabilities before they can be exploited maliciously. Our practices are transparent to clients and within legal bounds, ensuring that our work always aligns with the noble goal of protecting assets and information in a world increasingly reliant on digital infrastructures.
By keeping communication anonymous, there will be no way to connect sock puppets to their creators. The accounts will appear entirely self-contained.
Maintaining anonymity is crucial when creating sock puppet accounts in order to preserve privacy and enable deception. Untraceable communication channels are essential to this goal.
Now that your puppet is ready to grace the cyber stage, it’s important to follow some ethical guidelines:
When diving into the cyber investigative scene, piecing together your online alter ego is part art, part science, and all about walking that ethical tightrope, especially when it comes to gender dynamics in the digital world. Yes, the internet’s chock-full of gender stereotypes, but when we’re crafting these personas, we’ve got to handle them with care.
Imagine you choose to use a female character for your online disguise. It’s true that being a woman might help in some situations because of how people have always interacted socially. But remember, we’re not here to trick people just for the sake of it. We’re smart about how we do things, not sneaky. The real point is that you can use smart moves such as the honeypot method, where you might act a bit flirty and vulnerable to get your target’s attention. But doing this means you have to be really careful about staying ethical. It’s about gathering information in a clever way, not misleading or using people.
When it comes to making your sock puppet believable, the devil’s in the details. Skip the stereotype rehash and give your digital decoy some real personality. A dash of unique flair makes your puppet more than just a bunch of pixels—it becomes a believable character that can gain trust where it’s needed most.
Note
Here’s a pro tip: keep your sock puppet on a completely different leash from your real online life. Think virtual machines, sandboxed browsers—the works. Mixing the two is like wearing socks with sandals; it just doesn’t look right. This is how you keep your cover story tight and your real identity under wraps.
These sock puppet shenanigans have their place on the right side of the cyber tracks. They’re dynamite for infiltrating shady online groups to sniff out security risks or pretending to be a greenhorn in your own company to see who bites the bait in a phishing test. It’s all about putting those cybersecurity hats on and using our powers for the good guys.
So, let’s keep it smart, keep it ethical, and remember—we’re here to stop the baddies, not join them.
Using an anonymous email address is critical for OSINT investigators who want to obscure their identity and maintain privacy when interacting online. Email addresses often serve as a gateway to a person’s real identity, providing clues and links regarding who someone actually is. Without anonymity, the OSINT researcher risks their personal information being exposed if their email is linked to forums, services, or social media used in an investigation. This could make the researcher vulnerable to hacking, doxing, retaliation, or unwanted association with certain groups or causes.
Creating a completely dissociated email address tied to no identifying details is therefore vital for secure, private OSINT work. The anonymous email should never be used for anything that could reveal personal details. It should not be the address listed on social media, professional sites such as LinkedIn, shopping accounts, etc. Ideally, it should be generated using a service such as Proton Mail (https://protonmail.com/).
Figure 2.12 – Proton Mail can help to hide your real identity
Alternatively, a Tuta email (https://tuta.com/) does not require any valid personal info to create.
Figure 2.13 – Tutanota anonymous email
Using a dedicated anonymous email address allows the OSINT investigator to register for forums, make inquiries, and communicate without concern that their real identity will be uncovered. It is a critical line of defense to preserve anonymity.
Conducting OSINT investigations comes with inherent cybersecurity risks. With online privacy and anonymity as core principles of ethical OSINT, practitioners must continuously take steps to stay ahead of emerging technological threats. This requires vigilance in keeping up with the latest security issues, learning from past incidents, and improving personal practices.
Monitoring cybersecurity and privacy news is essential for understanding the ever-evolving risk landscape. Subscribe to threat advisory services such as the following to receive timely notifications on vulnerabilities and new attack methods:
One of my personal favorites is in fact the US-CERT bulletins. Not only do they not favor any vendor, but their bulletins are really thorough.
Figure 2.14 – US-CERT bulletins
If you want to be like the cool kids in cybersecurity, you also need to be reading security blogs and news sites such as these:
These resources will help you to stay current on relevant developments.
You should also follow leading information security voices on social media and attend conferences such as DEF CON, Black Hat, or BSides when possible.
Studying major past breaches through post-mortem analyses reveals important lessons. The 2016 LinkedIn breach (https://www.forbes.com/sites/daveywinder/2024/01/23/massive-26-billion-record-leak-dropbox-linkedin-twitterx-all-named/?sh=2ab1fc93ab58) exposed how hacked third-party data enabled new attacks through information cascades. High-profile doxing and harassment campaigns such as Gamergate (https://www.nytimes.com/interactive/2019/08/15/opinion/what-is-gamergate.html) spotlight the real-world damages when OSINT is weaponized. Examining practices employed by rogue investigators also explains risks such as social engineering that ethical OSINT researchers must avoid.
Strong anonymity practices are the OSINT investigator’s first line of defense. Routinely search your name online to inventory digital footprints and close any leaks of personal details. Adopt tools such as Tor, virtual phone numbers, and anonymous emails to insulate your real identity. Compartmentalize identifiable information and maintain separate devices and accounts for OSINT activities. Make continuing education on privacy a priority—new identifying threats are always arising.
Ethical OSINT investigators can keep their personal security intact and research safely with vigilance across these areas. The threats are always evolving, so continued effort is required to stay ahead of the game. Up next, we’ll look at the methods and techniques that one can use during an OSINT investigation.