OSINT research involves the data mining of openly available resources. However, OSINT analysts must take precautions to preserve their privacy and anonymity for many important reasons, including the following:

• Avoid tipping off subjects: If individuals or organizations become aware they are being investigated through OSINT, they may act to prevent data collection. They could delete social media posts, restrict profile visibility, take websites offline, or even destroy evidence. Maintaining anonymity is crucial to avoiding alerting subjects to monitoring.
• Prevent compromising operations: Similarly, if targets realize they are being watched, they may change their activities or communications to avoid further detection. This could severely disrupt ongoing OSINT operations before investigators have gathered enough actionable intelligence. Anonymity helps avoid operations being exposed.
• Stop illicit activities from continuing: If investigations are compromised early on, law enforcement and other agencies may be unable to identify criminal conspiracies or gather the evidence needed to prosecute illegal activities. Subjects could continue operations under the radar. Anonymity is key to thoroughly monitoring subjects without detection.
• Avoid legal and ethical issues: In some states/countries, tipping off subjects about an investigation can lead to criminal charges. Anonymity helps avoid inadvertent ethical and legal violations.
• Protect analysts and sources: Threat actors such as hackers, terrorists, and criminal networks could retaliate against analysts and sources who they discover are investigating them. Anonymity and privacy safeguards help keep us analysts and our sources safe.
• Prevent data breaches: Sensitive information must be protected from falling into the wrong hands, and this can only be done with rigorous data handling and access controls. In order to avoid catastrophic data leaks, secure privacy practices must be in place.

Ways anonymity can be breached in OSINT

So, how can you be detected during an investigation? Well, let’s take a look at several methods:

• IP address exposure: One of the easiest ways you can hide yourself is via your IP address. If you’re not using a VPN or Tor, your real IP address will be logged by the websites you visit.

  As a cybersecurity researcher, I once faced a daunting challenge. I needed to uncover information about cyberattacks that seemed to originate from a specific area. To do this without alerting the attackers, I turned to a Virtual Private Network (VPN). I connected to a server in a different country, which hid my real IP address and location. It appeared as if I was browsing from that server’s location, not my own. This allowed me to safely explore various websites and forums, gathering the information I needed without exposing my identity. This experience taught me the power of a VPN in protecting one’s digital presence, especially when researching sensitive topics.

• Browser fingerprinting: Web browsers collect a surprising amount of data, from screen resolution to installed plugins, which can be used to create a unique fingerprint. Don’t believe me? Take a break and head over to privacy.net/analyzer. See, I told you!

Figure 2.1 – My results on privacy.net/analyzer

Oh, and if you think incognito mode will protect you, nope. Browser fingerprinting can still track your activities across different sessions.

• Overconfidence in technology: Relying solely on tools such as VPNs and Tor without fully understanding their limitations can create a false sense of security. For example, some VPN services actually log user activity, IPs, timestamps, etc., despite marketing claims of being no-logs services. Tor traffic can be de-anonymized in some cases by powerful adversaries such as government agencies. No single technology is a silver bullet when it comes to anonymity. You need to layer different protections and be cognizant of the weak points in each tool or approach.
• Cookie tracking: Cookies are small text files that websites place on your device to track and remember your online activity. While cookies can be convenient for things such as remembering login info or shopping cart contents, they also allow companies to build detailed profiles about your browsing habits, interests, behaviors, and much more across multiple sites and sessions. Regularly clearing your cookies can help limit tracking, but companies have developed more advanced techniques such as browser fingerprinting and canvas fingerprinting that don’t rely on cookies to track you. Using privacy-focused browsers such as Tor and covering your online tracks by avoiding behavior patterns are important ways to avoid surveillance.

Figure 2.2 – Cookies are stored in different locations, but can expose quite a bit of intel

• Metadata leaks: Files such as documents, photos, audio, and video recordings all contain metadata—information generated by your device about the file itself. This can include geotags, time stamps, device serial numbers, editing history, and more. Similarly, communications such as emails have headers that reveal your IP address, client info, etc. If this metadata leaks, it can reveal details about your identity and compromise your anonymity. You need to be very careful about stripping metadata from files before publishing them, using metadata removal tools. Avoiding communication methods that expose metadata is also important.

Figure 2.3 – Example of metadata included on a file

• Insecure public Wi-Fi: Public Wi-Fi networks at coffee shops, airports, hotels, etc. often have no password or security measures at all. This allows anyone nearby to easily intercept the unencrypted traffic passing through the network and eavesdrop on your Internet activity. Never access any sensitive accounts such as emails, banking apps, or confidential data while on insecure public Wi-Fi. Always use a trusted VPN on public networks to encrypt your traffic. Better yet, avoid transmitting sensitive data until you are on a known secure network again.
• Social engineering: Despite advancing technical protections, human nature remains vulnerable to old-fashioned social engineering attacks such as phishing. Avoiding password reuse across accounts, enabling multi-factor authentication wherever possible, establishing PGP-encrypted contacts, and training yourself to cautiously identify potential scams before clicking links or attachments is critical. No anonymity toolkit can protect against you being tricked into giving up personal information.
• Personal accounts for OSINT: One of the worst OPSEC mistakes you can make is to conduct OSINT investigations and cybersecurity research from accounts that can be traced back to your real identity. Always use anonymous, disposable accounts and masked IP addresses when gathering intelligence via search engines, social networks, forums, and other online venues. Maintain strict separation between your personal online presence and investigative online presence.
• Accidental slip-ups: A single accidental leak of personal information in a chat room, forum post, or conversation app can be enough to shatter your anonymity. Be extremely cautious when sharing any details about yourself online that could help identify you. Also, be consistent about separating your anonymous personas—reusing usernames, email patterns, passwords, etc. across accounts makes it easier to correlate your activity. A momentary lapse of vigilance is all it takes.
• Outdated knowledge: New hacking techniques, exploits, and vulnerabilities are emerging all the time. If you don’t continuously educate yourself about the latest privacy and security threats, your information could be snatched by new methods you’re unaware of and haven’t protected yourself against yet. You can never assume your current knowledge is sufficient—learning needs to be an ongoing process to keep up with an evolving threat landscape. Relying too much on technology such as VPNs or Tor without understanding their limitations can give you a false sense of security. For instance, some VPN services log user activity, and Tor is not immune to all forms of tracking.

Striking the balance – Privacy concerns in OSINT investigations

Look, tech has always been a game-changer, “Duh, Dale”! While it’s awesome for nabbing criminals, villains, and arch-enemies, it can also slice right through our personal privacy if we’re not careful.

We need a system where there’s oversight, checks, balances, and—most importantly—accountability. We can’t just let these powerful tools run wild without some ground rules. And hey, these rules need to be transparent so that you and I can have a say if something doesn’t smell right.

Technology itself doesn’t have a moral compass; it’s just a tool. We’ve got to be smart, ethical, and, above all, vigilant. In the end, it’s all about the long game. If we sacrifice our principles for some short-term security wins, we’re setting ourselves up for some serious long-term losses. We’ve got to keep our eyes on the prize: a society that’s both safe and free. And that, my friends, is a balancing act worth perfecting. OK, I think you get my point, I’ll get off my soapbox.

Your digital footprint is like your shadow on a sunny day—always there, slightly altering its form as you move through life. Yet, this shadow can often expose more than we’d care to reveal. Your personal information, such as your home address or social security number, is merely a click away from prying eyes. Now let’s get something straight; you didn’t sign up for this level of exposure. But it’s happening, and we should all be alarmed.

Managing and limiting YOUR online presence

Before we get into performing an OSINT investigation on a target, it is important for us as security professionals to understand methods of protecting ourselves. Did you know that approximately 91% of cybercrimes start with a simple email? (https://www.yeoandyeo.com/resource/91-of-cyberattacks-begin-with-a-phishing-email.)

It’s possible for an attacker to not know your name at first. However, with more data, they can eventually build a complete picture of your digital identity. In today’s world, data is as valuable as oil. Recognizing how simple it is for someone to obtain your information is not only concerning, but it’s also a call to action.

Your personal data is being exploited by cybercriminals, stalkers, and profit-driven corporations. Although you may not be directly selling your information, your daily online activities are doing it for you. Every Google search you make, every social media post you publish, and even every product you browse on an e-commerce website contribute to a complete profile of you—one that you didn’t even create.

Figure 2.4 – Google tracks you with your phone (https://timeline.google.com/)

Why protecting personal data is more important than ever

Digital data vulnerability isn’t merely about the now. It has far-reaching consequences, including identity theft and even personal safety risks. The impact is multidimensional. For instance, an imposter using your identity could apply for loans, make illegal transactions, or even conduct criminal activities. Clearing your name afterward is not only an enormous task, but it can be financially and emotionally draining.

Data vulnerability can have a significant impact on your personal life as well. For example, a potential employer may come across inaccurate or unfavorable information about you, which could damage your reputation before you even have a chance to demonstrate your abilities.

The stakes are high and the odds, unfortunately, are not in your favor. However, don’t resign to digital fate just yet. Let me give you some tips for being not just digitally aware but also digitally empowered. Your personal information is precious; it’s time to start treating it that way.

Internet browsers – The frontline of data vulnerability

The browser is your friendly digital conduit that gets you from here to there on the information superhighway. It’s where you read the news, watch videos, engage in social media warfare, and what have you. However, lurking underneath that user-friendly interface is a data-collection apparatus that puts the NSA to shame. No, I’m not here to fill your head with conspiracy theories. But remember my saying: “Just because I don’t see the black helicopters doesn’t mean they aren’t there!”

First-party vs. third-party cookies

Yep, there are different types of cookies to fill our browser’s tummies:

• First-party cookies: Stored by the website you’re visiting. They remember your settings, what’s in your shopping cart, and more.
• Third-party cookies: Stored by someone other than the website you’re on, often advertisers. These are the cookies that follow you around the web, serving up that pair of shoes you glanced at once but didn’t buy.

Enter the cookie grabber

This tool, known as a cookie grabber, is designed to snatch those cookies. The danger? It can grab both types of cookies, even those with sensitive info such as your login details.

For instance, you visit a site with an embedded cookie grabber. Without a hint of suspicion, you log in, and just like that, your session cookies are stolen. Now, the attacker has a key to your digital kingdom and access to your accounts on other platforms, all from a simple, unnoticed theft.

It gets more unsettling. Let’s talk about websites that store your credentials—your usernames and passwords—in plain text right in your browser. It sounds technical, but here’s the deal: sometimes, when you log into a site, it keeps a record of your login details in a format anyone can read. If your computer is compromised or you’re on a shared computer, someone could use a basic tool, such as a hex editor, to see these credentials. It’s like leaving your house keys on a park bench and walking away.

Imagine logging into a website that doesn’t take your privacy seriously. Your credentials are stored in plain text in a cookie. You’re none the wiser, but a hacker or even a nosy roommate could extract this information with ease, breaking into your accounts as if they were their own:

Figure 2.5 – Using a cookie grabber, you can assume someone’s account or identity

How to protect yourself

Both VPNs and proxy chains serve as effective tools for maintaining online privacy. They help in obscuring your real IP address, making it difficult for third-party cookies to track your internet activities. This is especially valuable in today’s digital world, where online tracking and data privacy are major concerns. However, it’s important to choose reputable VPN and proxy services, as they have access to your internet data. Always prioritize services that are known for their strong privacy policies and commitment to user security.

DuckDuckGo: the unsung hero of privacy-focused browsing

If mainstream browsers are the attention-seeking reality TV stars of the digital world, DuckDuckGo is the introverted genius no one’s heard of but should have. DuckDuckGo is on a mission to simplify online privacy. The plucky company blocks hidden trackers that follow you around the web. Their software firewall shuts down attempts to collect your search history and personal information.

DuckDuckGo’s products are entirely focused on giving you control over your data. Their search engine never stores search history or user information. All searches are private by default. The browser extension and mobile app also block invasive trackers lurking on websites.

Figure 2.6 – DuckDuckGo is a great browser to hide yourself

Encryption provides another layer of protection by securing connections between you and websites. Together, these tools form an effective privacy shield to stop advertising companies and other third parties from profiling you.

DuckDuckGo makes money by showing keyword-based ads instead of creepy targeted ones, so they have no need to create personal data profiles. Their business aligns with their mission to put privacy first.

So, you’re ready to make the switch? Excellent. But you can’t just storm out of one relationship and into another without some prep. Here’s how to do it:

1. Download and install: Get your chosen privacy-focused browser.
2. Import settings: Most browsers will allow you to import bookmarks and settings from your old browser.
3. Set as default: Make your new browser the go-to for all your digital escapades.

Browser alternatives: pros and cons of other private browsers

Now, let’s not romanticize DuckDuckGo as the only superhero here. There are other options too, each with its own set of perks and quirks.

Brave browser

This is one browser I recommend to everyone. It’s kind of the new kid on the block

The privacy-centric Brave browser (https://brave.com/) is an excellent starting point for obscuring your online activity. Brave blocks trackers by default, reducing the ability of third parties to monitor you.

Figure 2.7 – Brave is my personal choice for hiding my identity

For those wary of switching browsers, extensions such as Startpage offer similar protections.

Startpage displays a privacy score between one and five so you can see just how many trackers and cookies it foiled on each site. The details may shock you, but will ultimately empower you. Startpage also cloaks your identity from any trackers that do run by masking your digital fingerprint.

Figure 2.8 – The Startpage extension is available in the Chrome web store

While blocking trackers, you may need to permit certain benign cookies so sites function properly. Startpage allows you to approve cookies individually—no need for blanket access. For searches, Startpage queries Google anonymously so they can’t add to your creepy profile.

Between Brave’s robust protections and Startpage’s actionable insights, you now have potent weapons to evaporate your digital shadow. No longer will you be passive prey to cyberstalking trackers. The following are its pros and cons:

• Pros: It blocks ads and trackers by default
• Cons: The built-in ad system might not be everyone’s cup of tea

Tor browser

Tor (or The Onion Router) is a networked community united by a common cause—online privacy. Tor was born from rebellion. While governments spy and corporations track, Tor fights back. It’s an online resistance movement, with servers, relays, and nodes, run by volunteers worldwide. No single point can trace the full path.

Figure 2.9 – The Tor website

Tor scrubs metadata and masks IP addresses. Traffic is encrypted and re-encrypted as it hops through the privacy network. Like peeling back layers of an onion, each relay only knows the next stop, not the final destination.

This is only possible through strength in numbers. Thousands of selfless volunteers lend their computers as Tor nodes. These diverse entry, middle, and exit points form the decentralized backbone of the network. Censorship-resistant connections sealed with privacy-protecting encryption.

Tor is free software (https://torproject.org) built by a community of believers. The code is open for all to inspect and improve. Transparency keeps Tor true to its mission. There are no shady backdoors or hidden agendas baked into the tools. The following are its pros and cons:

• Pros: Tor offers the highest level of anonymity
• Cons: It has a slower browsing speed due to multiple server hops

But Dale, what browsers would you stay away from? Well, folks, that list goes a little like this (in no particular order):

• Google Chrome
• Microsoft’s Edge
• Firefox
• Opera
• Safari

Your browser is your first line of defense against cyber threats. It’s more than just a gateway to the internet; it’s the fortress that guards your data with solid power. Make the change and fortify your browser today. Your digital self will be grateful for the extra protection.

Creating and managing online personas – Sock puppets

Now, before your imagination runs wild, no, we’re not talking about crafting a delightful puppet out of your favorite pair of socks. Sock puppets are fictitious online identities created for the purposes of deception, manipulation, or information gathering. Like puppets on an entertainer’s hand, they are characters that allow the puppeteer to take on a different persona and interact incognito.

While not inherently illegal, sock puppets are often frowned upon due to their capacity for abuse. They can be used to spread misinformation, artificially boost popularity, harass others anonymously, or infiltrate communities under false pretenses. However, they also have legitimate uses in fields such as investigative journalism or penetration testing.

There are several motivations for individuals and organizations to use sock puppet accounts:

• Anonymity: The primary purpose is to dissociate online activities from one’s true identity. This anonymity facilitates information gathering without revealing oneself.
• Deception: Sock puppets allow one to influence conversations, share false information, and manipulate perceptions. This deceptive capacity can be used for infiltration or social engineering.
• Reconnaissance: They are effective tools for gathering intelligence about people, organizations, topics of interest, etc. without detection.
• Privacy: Some may simply want to protect their privacy by separating their online presence into multiple unconnected identities.

Setting the stage: creating your sock puppet

An online persona created for the purposes of anonymity and information gathering can be a powerful tool when applied ethically. Sock puppets serve as digital chameleons, blending into the online environment to collect open source intelligence without revealing the investigator’s true identity. This practice is particularly valuable in scenarios where revealing one’s identity may skew the information obtained or pose a risk to the investigator’s safety.

Imagine, for example, a cybersecurity expert tasked with assessing the security of a financial institution. By ethically deploying a sock puppet, they can interact with suspect phishing sites or malicious actors to understand their tactics—without exposing the institution or themselves to undue risk. It’s a bit like an undercover cop in the digital neighborhood, watching and learning but not interfering.

Additionally, sock puppets can play a crucial role in tracking cyber threats. They can be used to monitor dark web forums or infiltrate cybercriminal networks, gathering intelligence on emerging threats, data breaches, or the sale of stolen data. This allows cybersecurity professionals to warn potential victims and fortify defenses before any actual harm is done.

The ethical use of sock puppets in OSINT is underpinned by a strict code of conduct: they are not used for deception or manipulation, but rather as a shield to protect the identity of the security professional while they gather the necessary intelligence to bolster our digital defenses. It’s a cloak of invisibility for the good guys, allowing them to observe and report without becoming targets themselves.

Here are some things to consider when creating your sock puppet:

• Clearly define the purpose of your sock puppet. It could be for research, data collection, or cybersecurity exercises. Always have a clear and ethical goal in mind.
• Creating a sock puppet starts with crafting a believable persona. Kind of like building a character for a play, you’ll need a backstory, interests, and even quirks. Tools such as the Fake Name Generator (https://www.fakenamegenerator.com/) or NameFake (https://namefake.com/) can be your best pals here, helping you come up with a genuine-sounding identity.

  Expand beyond just a name to create an identity, including the following:

  • Date and place of birth
  • Hometown
  • Education and work history
  • Interests and hobbies
  • Favorite books, movies, music
  • Political views
  • Religion
  • Photos and images

  Some will call these steps pretexting.

Note

Oh, is that a new word for you? Well, what I mean by pretexting is not just pretending to be someone else; you’re creating a whole backstory, setting, and script to make it believable.

• You’ll want to have an image/photograph of your persona to make your puppet look as real as possible. A website called https://thispersondoesnotexist.com/ does a great job of using completely AI (artificial intelligence) generated images of folks. This way, someone can’t do a reverse image search to find out that you just borrowed someone else’s photo.

Figure 2.10 – Yep, this isn’t anyone in real life; it’s AI-generated (https://thispersondoesnotexist.com)

• You’ll want to set up a dedicated email account for your persona. You can you a service such as 20 Minute Mail (https://www.20minutemail.com/).
• Set up some accounts and profiles on social platforms for your sock puppet.

Note

Remember, the key to a great performance is consistency, so maintain the same persona across different platforms

• Utilize VPNs (such as https://www.expressvpn.com/) to mask your IP address and consider using browsers that prioritize user privacy, such as Tor (https://www.torproject.org/), to keep your real identity hidden behind the curtain.

I was once interviewed by a reporter. I preferred to keep my anonymity. I chose to use Tor, which encrypts internet traffic by routing it through several servers worldwide. Along with an encrypted messaging service found on the dark web, I was able to communicate with this reporter securely. Our discussions were completely private, with no risk of being traced back to us. Don’t forget to give your puppet a phone number! Using a service such as TextFree (https://textfree.us/), you can send and receive text messages without exposing your real number. It’s kind of cool.

Setting up anonymous communication

To prevent sock puppet accounts from being linked back to their creators, anonymous communication channels are essential. This involves creating untraceable email addresses and burner phones.

When setting up the puppet’s email account, consider the following:

• Avoid unusual providers that raise red flags
• Use common services such as Gmail or Outlook
• Create the address through public Wi-Fi or a VPN to remain anonymous
• Ensure the name sounds realistic and doesn’t just use random characters
• The email will be used for registering accounts, so anonymity is key

Burner phones are clutch for keeping your investigation on the down low, but you have to use them carefully. Only use a burner for stuff directly tied to your case—calls, texts, 2FA codes, etc.

Figure 2.11 – Some of my personal burners I’ve used for engagements

Never ever save sensitive docs, names, dates, locations, or other case details on the device. Remember, burners can still get tapped, hacked, or compromised despite being disposable. So, take extra precautions such as using encrypted chat apps (Signal and WhatsApp), not linking the burner to personal accounts, turning off GPS, removing metadata from pics, and regularly clearing caches. Use code names when contacting sources instead of real ones.

When conducting an OSINT investigation, the responsible management of burner devices is a crucial step in the operation’s lifecycle. When an investigation concludes or if there’s a suspicion that the integrity of a burner has been compromised, it’s time to ensure that the device is retired securely and professionally. You’ll want to take one of two steps in handling these devices:

• Archive the device responsibly: This is akin to how sensitive materials are handled post-operation—maintaining a clear chain of custody. By securely storing the burner with the client, alongside any other used equipment, we ensure that all resources, data, and potential evidence remain intact and under proper oversight. This practice isn’t about hoarding hardware—it’s about the meticulous separation of duties and maintaining an unimpeachable professional standard.
• Have a meticulous decommissioning process: Begin with a thorough factory reset to erase all data, a standard procedure in the industry. Then, physically disassemble the device. Removing and rendering the SIM card unusable is essential—this may involve cutting it into pieces, a method endorsed by security protocols to prevent data recovery. Deconstructing the device further—separating the screen from the battery, for example—is a measure taken to ensure that no recoverable component falls into the wrong hands. Disposal should be executed with discretion and distributed across various locations to mitigate the risk of data reconstruction.

These measures aren’t the cloak-and-dagger tactics of a crime drama; they’re the bread and butter of ethical hacking and professional digital investigation. A burner phone is a shield, safeguarding both the investigator’s anonymity and the integrity of their work. Employing these devices, with their eventual disposal, is a testament to a professional’s commitment to security and confidentiality in a field where the stakes are invariably high.

Remember, every step we take is geared toward strengthening security postures and uncovering vulnerabilities before they can be exploited maliciously. Our practices are transparent to clients and within legal bounds, ensuring that our work always aligns with the noble goal of protecting assets and information in a world increasingly reliant on digital infrastructures.

By keeping communication anonymous, there will be no way to connect sock puppets to their creators. The accounts will appear entirely self-contained.

Maintaining anonymity is crucial when creating sock puppet accounts in order to preserve privacy and enable deception. Untraceable communication channels are essential to this goal.

Pulling the strings – Operating your sock puppet

Now that your puppet is ready to grace the cyber stage, it’s important to follow some ethical guidelines:

• Transparency with stakeholders: If you’re using sock puppets for research or corporate exercises, maintain transparency with stakeholders about your methods and intentions.
• Data protection: Be a guardian of data protection. Collect only the data necessary for your research and handle it with the utmost responsibility.
• Documentation and reporting: Keep meticulous records of your puppet’s activities. This not only helps in presenting your findings but also ensures accountability.

Leveraging gender dynamics in sock puppet operations

When diving into the cyber investigative scene, piecing together your online alter ego is part art, part science, and all about walking that ethical tightrope, especially when it comes to gender dynamics in the digital world. Yes, the internet’s chock-full of gender stereotypes, but when we’re crafting these personas, we’ve got to handle them with care.

Imagine you choose to use a female character for your online disguise. It’s true that being a woman might help in some situations because of how people have always interacted socially. But remember, we’re not here to trick people just for the sake of it. We’re smart about how we do things, not sneaky. The real point is that you can use smart moves such as the honeypot method, where you might act a bit flirty and vulnerable to get your target’s attention. But doing this means you have to be really careful about staying ethical. It’s about gathering information in a clever way, not misleading or using people.

When it comes to making your sock puppet believable, the devil’s in the details. Skip the stereotype rehash and give your digital decoy some real personality. A dash of unique flair makes your puppet more than just a bunch of pixels—it becomes a believable character that can gain trust where it’s needed most.

Note

Here’s a pro tip: keep your sock puppet on a completely different leash from your real online life. Think virtual machines, sandboxed browsers—the works. Mixing the two is like wearing socks with sandals; it just doesn’t look right. This is how you keep your cover story tight and your real identity under wraps.

These sock puppet shenanigans have their place on the right side of the cyber tracks. They’re dynamite for infiltrating shady online groups to sniff out security risks or pretending to be a greenhorn in your own company to see who bites the bait in a phishing test. It’s all about putting those cybersecurity hats on and using our powers for the good guys.

So, let’s keep it smart, keep it ethical, and remember—we’re here to stop the baddies, not join them.

Email and messaging anonymously

Using an anonymous email address is critical for OSINT investigators who want to obscure their identity and maintain privacy when interacting online. Email addresses often serve as a gateway to a person’s real identity, providing clues and links regarding who someone actually is. Without anonymity, the OSINT researcher risks their personal information being exposed if their email is linked to forums, services, or social media used in an investigation. This could make the researcher vulnerable to hacking, doxing, retaliation, or unwanted association with certain groups or causes.

Creating a completely dissociated email address tied to no identifying details is therefore vital for secure, private OSINT work. The anonymous email should never be used for anything that could reveal personal details. It should not be the address listed on social media, professional sites such as LinkedIn, shopping accounts, etc. Ideally, it should be generated using a service such as Proton Mail (https://protonmail.com/).

Figure 2.12 – Proton Mail can help to hide your real identity

Alternatively, a Tuta email (https://tuta.com/) does not require any valid personal info to create.

Figure 2.13 – Tutanota anonymous email

Using a dedicated anonymous email address allows the OSINT investigator to register for forums, make inquiries, and communicate without concern that their real identity will be uncovered. It is a critical line of defense to preserve anonymity.

Conducting OSINT investigations comes with inherent cybersecurity risks. With online privacy and anonymity as core principles of ethical OSINT, practitioners must continuously take steps to stay ahead of emerging technological threats. This requires vigilance in keeping up with the latest security issues, learning from past incidents, and improving personal practices.

Keeping up with privacy and security news

Monitoring cybersecurity and privacy news is essential for understanding the ever-evolving risk landscape. Subscribe to threat advisory services such as the following to receive timely notifications on vulnerabilities and new attack methods:

• CIS Cybersecurity Threats (https://www.cisecurity.org/cybersecurity-threats)
• US-CERT bulletins (https://www.cisa.gov/news-events/bulletins)

One of my personal favorites is in fact the US-CERT bulletins. Not only do they not favor any vendor, but their bulletins are really thorough.

Figure 2.14 – US-CERT bulletins

If you want to be like the cool kids in cyber security, you need to also be reading security blogs and news sites such as these:

• Krebs on Security (https://krebsonsecurity.com/
• Privacy News Online (https://www.privateinternetaccess.com/blog/)
• SCHMOOZE OSINT (https://www.sangoma.com/

These resources will help you to stay current on relevant developments.

You should also follow leading information security voices on social media and attend conferences such as DEF CON, Blackhat, or Bsides when possible.

Learning from past breaches and incidents

Studying major past breaches through post-mortem analyses reveals important lessons. The 2016 LinkedIn breach (https://www.forbes.com/sites/daveywinder/2024/01/23/massive-26-billion-record-leak-dropbox-linkedin-twitterx-all-named/?sh=2ab1fc93ab58) exposed how hacked third-party data enabled new attacks through information cascades. High-profile doxing and harassment campaigns such as Gamergate (https://www.nytimes.com/interactive/2019/08/15/opinion/what-is-gamergate.html) spotlight the real-world damages when OSINT is weaponized. Examining practices employed by rogue investigators also explains risks such as social engineering that ethical OSINT researchers must avoid.

Strong anonymity practices are the OSINT investigator’s first line of defense. Routinely search your name online to inventory digital footprints and close any leaks of personal details. Adopt tools such as Tor, virtual phone numbers, and anonymous emails to insulate your real identity. Compartmentalize identifiable information and maintain separate devices and accounts for OSINT activities. Make continuing education on privacy a priority—new identifying threats are always arising.

Ethical OSINT investigators can keep their personal security intact and research safely with vigilance across these areas. The threats are always evolving, so continued effort is required to stay ahead of the game. Up next, we’ll look at the methods and techniques that one can use during an OSINT investigation.