How did a bunch of online citizen investigators solve the mystery of the perpetrators’ identities during the Salisbury Poisonings investigation in the UK? To find out, you need to learn about open-source intelligence and the power of free tools available to everyone.
Let’s start with a question. Did you realise how powerful open data is when conducting an intelligence review or investigation? You don’t need to be a private investigator to use open-source intelligence to your advantage, and even as a rookie, you’ll get a lot more insight into your target than you ever thought possible. This article takes a look at OSINT, as it’s called, and the tools you use to keep yourself safe while undertaking these sorts of investigations.
Getting Started
Every public register, social media post, corporate filing, satellite image, and government gazette is a thread waiting to be pulled into your investigation. Open source intelligence — OSINT [Ozint] — is the discipline of pulling on those threads, without compromising yourself legally, and without accidentally unravelling yourself in the process.
I will start with a caution. OSINT is not a hobby for the careless. If done well, it produces actionable intelligence from publicly available information. Done badly, it can result in lawsuits, compromised investigations, and the kind of embarrassment that follows you around for years. It is vital that you understand the intelligence lifecycle — process, privacy, and security baked into every step — and use the tools that actually work for investigators operating in Australia.
Note: I have written this from an Australian point of view. The approach works in any jurisdiction, but you must absolutely, categorically know your own laws before you start.
Step One: Planning and Preparation
Most people dive straight into searching. This is the investigative equivalent of running into traffic because you spotted something shiny on the other side of the road.
Please, please, please, before you touch a search engine, define your objective. What question are you actually trying to answer? Who or what is the subject? What is the scope? What are the legal boundaries? In Australia, for example, the Privacy Act 1988 governs how personal information can be collected and used. If you are a licensed investigator, state legislation adds further constraints. If you are a journalist, ethical codes apply. If you are none of the above, proceed with even more caution as some of the laws that protect those with licences do NOT apply to you.
Start with Security
Set up a clean research environment before you begin. Download the Trace Labs OSINT VM or build your own on Kali Linux. If you have a separate computer you can use, keep that specific to that task. If not, use VirtualBox—an open-source virtual machine tool. Create burner accounts (expendable accounts not tied to your name) for any platform you intend to search — use a dedicated email address, a VPN (a paid one, not a free data-harvesting operation masquerading as privacy software), and never, under any circumstances, conduct research from your personal accounts. Some platforms notify users when someone views their profile (you see this overtly on LinkedIn, but many sites provide this data behind the scenes and track even if you don’t authorise it). If your subject discovers you are looking at them, your investigation may be compromised before it begins.
Process note: I strongly advise you to document your methodology from the outset. Record what you plan to search, why, and under what authority or purpose. Australian courts have increasingly scrutinised the methodology behind digital investigations, and a defensible audit trail is no longer optional.
Step Two: Collection
With your objective defined and your environment secured, you begin gathering data. OSINT sources fall into several broad categories, each with its own tools and its own pitfalls.
People and identity searches: In Australia, the ABN Lookup and ASIC Connect registers are your starting points for corporate and business intelligence. They reveal the names of company directors, registered addresses, and business name histories. The Australian Electoral Roll (available through ancestry platforms) and Trove — the National Library of Australia’s extraordinary archive of digitised newspapers and media — provide historical and biographical context that commercial databases often miss. For social media analysis, tools like Sherlock (username enumeration across platforms) and Maltego (relationship mapping) remain industry staples.
Geospatial and imagery intelligence: Google Earth Pro, Sentinel Hub for satellite imagery, and SunCalc for chronolocation are all freely available and remarkably powerful. For Australia-specific geographic data, Geoscience Australia maintains spatial datasets covering everything from land use to natural hazard mapping.
Domain and infrastructure research: Shodan reveals internet-connected devices and their vulnerabilities. SpiderFoot automates reconnaissance across hundreds of data sources. The Wayback Machine lets you examine historical versions of websites — useful when subjects have a habit of making inconvenient content disappear.
Privacy callout: Just because information is publicly available does not mean you can do whatever you like with it. Collecting data is one thing. Storing it, sharing it, and acting on it are governed by separate and sometimes stricter rules. Every piece of data you collect should be relevant to your stated objective and nothing more. Over-collection is not thoroughness — it is a liability.
Security callout: Watch your own digital footprint during collection. Clicking a link on a subject’s personal website can log your IP address. Downloading a document can expose metadata about your system. Use browser isolation tools, disable JavaScript where possible, and route traffic through your VPN.
Step Three: Processing and Analysis
Raw data is not intelligence. A pile of screenshots, company records, and social media posts is just a pile until you organise, cross-reference, and verify it.
This is where analytical frameworks earn their keep. Link analysis tools like Maltego (there is a community edition that is free) or the fully open source Gephi allow you to map relationships between entities — people, companies, phone numbers, addresses — and spot patterns invisible in a spreadsheet. Timeline tools like TimelineJS help reconstruct sequences of events from disparate sources.
The critical discipline here is verification. Every data point should be confirmed through at least two independent sources. A social media profile claiming a particular location means nothing until corroborated by metadata, geolocation analysis, or a separate record. In the OSINT world, single-source intelligence is a hypothesis, not a finding.
Process note: Maintain a clear chain of custody for your evidence. Use Hunchly (a web capture tool designed for investigators) or a similar tool to automatically archive and timestamp every page you visit during research. In Australian legal proceedings, the provenance and integrity of digital evidence matter enormously. A screenshot without metadata is an assertion. A Hunchly capture is documentation.
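The audit trail and chain of custody described in the process notes can be made tamper-evident with a hash-chained capture log. The sketch below is an added example, not part of the original article and not Hunchly's format; the field names, the example.org URLs and the sample content are constructed assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # anchor value for the first entry's prev_hash


def _entry_hash(entry):
    """SHA-256 over every field except the entry's own hash, in stable key order."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def record_capture(log, url, content, purpose, captured_at=None):
    """Append a record of one captured page, linked to the previous record."""
    entry = {
        "seq": len(log),
        "captured_at": captured_at or datetime.now(timezone.utc).isoformat(),
        "url": url,
        "purpose": purpose,
        "sha256": hashlib.sha256(content).hexdigest(),
        "prev_hash": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_log(log, artefacts=None):
    """Return a list of problems; an empty list means log and files are intact."""
    problems, prev = [], GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i or entry["prev_hash"] != prev:
            problems.append(f"entry {i}: chain broken")
        if _entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"entry {i}: record altered")
        data = (artefacts or {}).get(entry["url"])
        if data is not None and hashlib.sha256(data).hexdigest() != entry["sha256"]:
            problems.append(f"entry {i}: saved file differs from capture")
        prev = entry["entry_hash"]
    return problems


def demo():
    """Constructed sample: two captures for a hypothetical company search."""
    log = []
    record_capture(log, "https://example.org/register?q=acme", b"<html>directors</html>", "confirm directors")
    record_capture(log, "https://example.org/news/1", b"<html>article</html>", "corroborate address")
    return log
```

The chain only shows that entries were edited, removed or reordered after the fact; someone who can rewrite the whole log can recompute every hash, so store the latest `entry_hash` somewhere you do not control alone, such as in an email to a colleague.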
Privacy and security callout: Analysis often involves combining datasets. The moment you merge information from different sources, you may be creating a more detailed profile of your subject than any single source provides. Be conscious of proportionality. And keep your analytical work files encrypted — losing a USB drive containing a half-completed investigation profile is the kind of operational security failure that ends careers.
Step Four: Dissemination
Intelligence that sits in a folder helps nobody. The final step is presenting your findings in a format appropriate to your audience — whether that is a court, an editor, a board, or a client.
Structure your report around the original objective. State your methodology clearly. Distinguish between established facts, assessments based on multiple sources, and remaining gaps. If you used tools like Maltego, include visualisations that make complex relationships comprehensible to non-specialists. If your findings are destined for litigation, ensure every exhibit meets evidentiary standards under Australian law.
Security callout: Sanitise your report before distribution. Strip metadata from documents using ExifTool or MAT2. Ensure your report does not inadvertently reveal your investigation methods, source identities, or system information. The output of your investigation should illuminate the subject, not the investigator.
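A check to run on a Word report after cleaning it with ExifTool or MAT2, confirming that no author names survive in the document properties or in tracked changes and comments. This is an added example, not code from the article or from either tool; the field lists and the `build_sample` package are constructed assumptions, and it covers .docx files only.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

# Element and attribute names (namespace stripped) that identify the writer.
IDENTIFYING_ELEMENTS = {"creator", "lastModifiedBy", "Company", "Manager"}
IDENTIFYING_ATTRIBUTES = {"author", "initials"}  # tracked changes and comments


def _local(name):
    """Drop the '{namespace}' prefix ElementTree puts on qualified names."""
    return name.rsplit("}", 1)[-1]


def residual_metadata(docx_bytes):
    """Return sorted (part, field, value) tuples for identifying data left in a .docx."""
    hits = set()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for part in z.namelist():
            if not part.endswith(".xml"):
                continue
            for el in ET.fromstring(z.read(part)).iter():
                if _local(el.tag) in IDENTIFYING_ELEMENTS and (el.text or "").strip():
                    hits.add((part, _local(el.tag), el.text.strip()))
                for attr, value in el.attrib.items():
                    if _local(attr) in IDENTIFYING_ATTRIBUTES and value:
                        hits.add((part, _local(attr), value))
    return sorted(hits)


def build_sample(author):
    """Constructed minimal .docx-style package used only for this demonstration."""
    core = ('<cp:coreProperties xmlns:cp="http://schemas.openxmlformats.org/package/2006/metadata/core-properties" '
            'xmlns:dc="http://purl.org/dc/elements/1.1/">'
            f'<dc:creator>{author}</dc:creator><cp:lastModifiedBy>{author}</cp:lastModifiedBy>'
            '</cp:coreProperties>')
    ins = f'<w:ins w:author="{author}"><w:r><w:t>draft</w:t></w:r></w:ins>' if author else ''
    body = ('<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
            f'<w:body><w:p>{ins}</w:p></w:body></w:document>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", body)
    return buf.getvalue()
```

An empty result from `residual_metadata` on the file you are about to send is the pass condition; any tuple it returns names the package part that still needs cleaning.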
The Power of Open Source: Bellingcat and the Salisbury Poisonings
If you need proof that open-source intelligence can achieve what state-level agencies struggle to accomplish publicly, look no further than Bellingcat.
In March 2018, former Russian spy Sergei Skripal and his daughter Yulia were poisoned with the nerve agent Novichok in Salisbury, England. British authorities identified two suspects travelling under the names Alexander Petrov and Ruslan Boshirov. The men appeared on Russian state television, claiming — with breathtaking implausibility — that they were tourists who had visited Salisbury to admire its famous cathedral.
Bellingcat, working with investigative partner The Insider, dismantled that cover story using only open-source techniques. By cross-referencing passport data anomalies, leaked Russian databases, vehicle registration records, residential address histories, and telephone metadata, they identified “Boshirov” as Colonel Anatoliy Chepiga of Russia’s GRU military intelligence — a decorated Hero of the Russian Federation. They subsequently identified “Petrov” as Dr Alexander Mishkin, a GRU military doctor. They then went further, uncovering a third GRU officer, Major General Denis Sergeev, who appeared to have commanded the entire operation from London.
The investigation prompted Moscow to erase public records of all three men — an unprecedented act that, paradoxically, only confirmed Bellingcat’s findings. The work earned the European Press Prize for Investigative Reporting and forced a reckoning within Russian intelligence that led to internal purges and the exposure of additional botched GRU operations across Europe.
A small team of investigators, armed with laptops and publicly available data, identified state-sponsored assassins that a nuclear power had spent years hiding. That is the power of open source intelligence, practiced with discipline, rigour, and an unwillingness to accept the official story at face value.
The information is out there. The question is whether you have the methodology — and the integrity — to use it properly.






