
Introduction to Open Source Intelligence (OSINT) and Public Domain Tips and Tools

Diana Ngo
Associate Director, Blackpeak
About Blackpeak Group
• International investigative research and risk advisory firm
• North America—USA
• Greater China—Mainland China, Hong Kong, Macau, Taiwan
• North Asia—Japan, Korea, Mongolia
• India
• Southeast Asia—Singapore, Indonesia, Vietnam, Malaysia, Thailand, Philippines, and others
• Oceania—Australia, New Zealand
Types of Projects
• Business Intelligence
• Due Diligence
• Corporate Investigations
• Research
About Diana Ngo
• Associate Director, Blackpeak Group
• Worked and lived around the world—United States, France, Switzerland, South Korea, Mainland China, Hong Kong, Thailand, and Singapore
• Manages complex reputational and investigative enhanced due diligence projects for Blackpeak
What We’ll Cover Today
• Introduction to OSINT
• Public Domain Tools and Techniques
• Social Media Investigations
• How to Search in a Foreign Jurisdiction
• Case Studies
Introduction to OSINT
OSINT
Definition:
• Data collected from all publicly available sources
• The term “open” refers to overt (versus covert) information
• The data is used for intelligence purposes
When Do You Use OSINT?
OSINT is often the most important step, as it lays the foundation and helps us find or employ the other methods needed to complete the task.
• It can also lead to information that the investigator may need to verify and corroborate, as well as uncover leads that were unknown before.
• The process is ideally iterative to get the best possible outcome.
[Diagram: OSINT → OSINT + Source Inquiries + Site Visits]
When Do You Use OSINT?
In our work, OSINT is important as we are independently and discreetly gathering and analyzing information to look for undisclosed incidents or risks. Some of the issues we may look at include:
• Fraud
• Corruption
• Sanctions
• Money laundering
• Regulatory breaches
• Labor problems
• Litigation matters
• Commercial disputes
• Other such risks and reputational issues
What Types of Cases Can You Use OSINT For?
The following are just a few situations in which OSINT searches are valuable:
• Fraud
• Embezzlement
• Due diligence
• Intelligence gathering
• Phishing schemes
• Loss prevention
• Asset searches
• Competitive intelligence
• Sanctions
• Criminal searches
OSINT Resources
Examples of OSINT resources:
• Public records (e.g., corporate, litigation, bankruptcy, regulatory)
• Social media
• Online databases
• Internet searches
• Media articles
Source Reliability
• Official statements
• Newspaper and media (Who wrote it? What is the original source?)
• Press releases, company websites, job advertisements
• Blogs and online forums
Recording Information
How to Preserve and Record Your Information
What do you need to document?
• Note down links
• Any correspondence
• Screen shot everything
• You may want hard and digital copies of everything
REMEMBER it’s online and it can (and will!) change
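Because the page will change, a capture is only useful later if you can show it is the same file you saved at the time. The following is an added example (not from the deck, and not a Blackpeak tool) of a minimal evidence log that hashes and timestamps each capture; the record layout and function names are this example's own.

```python
# Added example, not from the original deck: log each capture (screenshot,
# saved HTML, PDF) with a SHA-256 hash and a UTC timestamp, so that when the
# live page changes later you can show what it looked like when you saw it.
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of the captured bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def make_capture_record(url: str, data: bytes, note: str = "",
                        when: Optional[datetime] = None) -> dict:
    """Build one evidence-log entry for the raw bytes written to disk.

    The record keeps the URL, the capture time (UTC), the size and the hash.
    This is a minimal log format chosen for the example, not a standard.
    """
    ts = when or datetime.now(timezone.utc)
    return {
        "url": url,
        "captured_at": ts.isoformat(),
        "size_bytes": len(data),
        "sha256": sha256_hex(data),
        "note": note,
    }


def verify_capture(record: dict, data: bytes) -> bool:
    """True if the bytes on disk still match what was recorded at capture time."""
    return record["size_bytes"] == len(data) and record["sha256"] == sha256_hex(data)


if __name__ == "__main__":
    # Constructed sample: pretend this is the saved HTML of a page we captured.
    page = b"<html><body>Company X, founded 2015</body></html>"
    rec = make_capture_record("https://example.com/about", page,
                              note="about page, first visit")
    print(json.dumps(rec, indent=2))
    # The preserved copy verifies; an edited version of the page does not.
    print(verify_capture(rec, page))                            # True
    print(verify_capture(rec, page.replace(b"2015", b"2012")))  # False
```

Keep the JSON records with the captures themselves; re-running verify_capture over the folder at any later date shows which files are untouched.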
Personal Privacy Concerns
Protecting Yourself
Investigators should be aware that:
• Different websites have different disclosure policies
• Your IP address will be exposed
• Your suspect might be monitoring access to a certain website
• Your identity might be revealed and compromise the
investigation
• There are legalities and ethics of directly engaging with your
subject
The Ethics of Privacy When Using
Social Media
Ethics of Privacy
Investigators have concerns about infringing on the privacy of
others
• Social media platforms have express terms and conditions
• Users choose what to make public
• It is also the investigator’s responsibility to understand and abide
by the laws in their jurisdiction!
Ethics of Privacy
In some cases, privacy issues are a balancing act
Legal Issues
Legal Issues
In Asia:
• Depends on the jurisdiction
• Privacy laws
• Various terms and conditions
• Licensing for investigators
• Gray areas…
Legal Issues
Case Study—ChinaWhys:
• ChinaWhys founders Peter Humphrey and Yu Yingzeng charged with “illegally obtaining information on Chinese citizens”
• Personal information
• Information on assets
• Surveillance
Legal Issues
In Singapore:
• Investigation firms required to have a private
investigator license
• Personal Data Protection Act
• Privacy laws
What We’ll Cover In Section 2
• Public Records Searches
• Internet Tools and Techniques
Public Records Search
Level I and II Research
Level I (Public Records): research and analysis of:
• Corporate filings
• Specialist databases
• Media and other desktop research (involving subscription-based/special-access databases)
Level II (Public Records + Source Inquiries + Site Visits):
• Discreet human inquiries with relevant experts/other sources familiar with targets
• Site visit to target locations
Sources for Level I Research
SEARCH: Google, Baidu, Bing; published media, Factiva
GOVERNMENT DATABASES: corporate filings; litigation records; local regulatory databases
SUBSCRIPTION & PROPRIETARY DATABASES: Dow Jones, Worldcheck; Tolfin and ICRIS
SOCIAL MEDIA & INTERNET FORUMS: LinkedIn, Facebook, Twitter, Weibo, WeChat; Tieba, QQ, BBS
Databases: Where To Find It?
PRC
• Corporates: SAIC websites; corporate filings
• Litigation: Zhixing; Shixin; China Court Judgments; Tolfin (5 others)
• Bankruptcy: no database, but partially covered in litigation searches
• Regulatory: Dow Jones; local databases
TAIWAN
• Corporates: Ministry of Economic Affairs
• Litigation: Taiwan Judicial Yuan’s Law and Regulations Retrieving System; Ministry of Justice (criminal cases)
• Bankruptcy: covered in litigation search
• Regulatory: Dow Jones; Securities and Futures Bureau
HONG KONG
• Corporates: ICRIS; Hong Kong Stock Exchange
• Litigation: Tolfin; Hong Kong Judiciary; D-Law
• Bankruptcy: Official Receiver’s Office
• Regulatory: Dow Jones; Worldcheck; HKSFC; ICAC
Databases: Where To Find It?
INDIA
• Corporates: Ministry of Corporate Affairs
• Litigation: Supreme Court of India; Delhi High Court; various State High Courts
• Bankruptcy: Ministry of Corporate Affairs (Official Liquidators); Board of Industrial and Financial Reconstruction; Debt Recovery Database
• Regulatory: Dow Jones; Credit Information Bureau (India) Limited; Reserve Bank of India; Securities and Exchange Board of India (SEBI) (and 16 others)
INDONESIA
• Corporates: Directorate General of Public Law Administration, Ministry of Justice and Human Rights
• Litigation: Indonesia Supreme Court; various Jakarta District Courts
• Bankruptcy: not available (covered in litigation searches)
• Regulatory: Dow Jones; KPK
SINGAPORE
• Corporates: ACRA; QuestNet; SCCB
• Litigation: QuestNet; LawNet; Singapore Law Watch; Supreme Court
• Bankruptcy: IPTO (Questnet)
• Regulatory: Dow Jones; MAS
Paid Databases (screenshots): Factiva, LexisNexis, Tolfin, World Check, Dow Jones Risk
Internet Tools and Techniques
Search Domains Overview
• Browser Choice and Extensions: FireShot, Hunchly, Disconnect, ABP
• Images and Videos: reverse searching, EXIF data, background info, YouTube data
• Email Addresses: reverse search, linked domains, forum posts, potential username
• Phone Numbers: reverse search, social networks
• WHOIS Domain Registration: registrant information
• IP Addresses: geolocation
• Documents: filetype search, cloud, document metadata, pastebins
• Google Maps / Earth: background info, scoping of area
• Web Archives / Cache: deleted info, comparing changes
• Classifieds, Forums and Communities: Craigslist, online dating, prostitution, Reddit
Browser Basics
Recommended: Chrome or Firefox

Browser hygiene:
• Clear your browsing data
• Disable password auto-fill
Browser Basics: VPN
What is a Virtual Private Network (VPN)?
• A network that extends a private network across a public network
• Creates a secure and encrypted connection
• Masks your identity online (IP address, approximate location, ISP)
Browser Basics: VPN
Recommendations: Private Internet Access, ProtonVPN
Browser Basics: Tor
What is Tor (The Onion Router)?
• Free and open source, volunteer-operated servers
• Usually slower Internet speeds
• Connect through a series of virtual tunnels rather than a direct connection
• Distributed traffic with separate set of encryption keys for each circuit hop
• Access dark Web but be warned: child porn, drug shops, hackers for hire,
and weapons
• Use ahmia.fi to search for indexed .onion network links
Browser Extensions
Some browser extensions:
• Adblock Plus — adblockplus.org
• Disconnect.me — blocks website tracking
• Download Helper — assists with downloading videos found on
a site
• EFF Privacy Badger — blocks spying ads and invisible trackers
• Exif Viewer — image metadata
• FireShot — generate screenshots
• HTTPS everywhere — encrypts communication with most
major websites
• Hunch.ly — paid investigations tool
• Resurrect Pages — historical search on deleted websites
Browser Extensions (screenshots): FireShot capture options; Disconnect.me toolbar; Disconnect Visualizer (example: Forbes.com)
Hunch.ly
Paid tool but worth a mention:
• Optimizes data capture and analysis
• Takes full content captures of every Web page visited
• Tracks usernames, phone, and email addresses automatically
• Stored on your hard drive, not cloud
Google and Baidu Search Operators
• Search exact phrase: Google “subject”; Baidu “subject”
• Exclude word in searches: Google -subject; Baidu -subject
• Search within a website: Google site:[url]; Baidu site:[url] (no need to include http://)
• Searches that link to a website: Google link:[url]; Baidu N/A
• Search a cached version of the site: Google cache:[url]; Baidu N/A
• Search a particular file type: Google filetype:pdf; Baidu N/A
• Search for a term in the website URL: Google N/A; Baidu inurl:[subject]
• Search for a term in the website title: Google N/A; Baidu intitle:[subject]
• Search more than one term: Google OR (capitalised); Baidu N/A
• Wildcard: Google *; Baidu N/A
Using ‘Site’ Command for Stock Exchange Website Workaround
Using ‘Site’ Command for Regulatory Website Workaround
Using ‘Site’ Command
Live Demonstration: U.S. Securities and Exchange Commission, www.sec.gov
‘Dirty Word’ Search Strings
Normal search: 17.5 million results
‘Dirty word’ search: 273 results
Pattern: “Search term” AND term1 OR term2 OR term3, etc.
‘Dirty Word’ Search Strings
Live Demonstration: Google Search String for Litigation
target (sued | suing | suit | suspend | terrorist | threat | trespass | verdict | violate | warrant | porn | slave | “forced labour” | “forced labor” | “child labour” | “child labor” | servant | servitude | exploitation)
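Typing long boolean strings by hand is where operators get dropped or an engine's unsupported syntax slips in. The block below is an added example (not from the deck, not a Blackpeak tool) that composes queries from the operator table above and the 'dirty word' pattern; the per-engine support it encodes follows the deck's table, and the function names, the "google"/"baidu" keys and the sample subject are this example's own.

```python
# Added example, not from the original deck: compose search strings from the
# operator table and the 'dirty word' pattern, so the same subject can be run
# consistently across engines. Operator support per engine follows the deck's
# table; the engine keys and helper names are this example's own.
from typing import Iterable, List, Optional

# None marks an operator the deck lists as N/A for that engine.
OPERATORS = {
    "google": {"site": "site:", "filetype": "filetype:", "inurl": None,
               "intitle": None, "or": " OR "},
    "baidu": {"site": "site:", "filetype": None, "inurl": "inurl:",
              "intitle": "intitle:", "or": None},
}

# The terms from the deck's litigation search string.
LITIGATION_TERMS = [
    "sued", "suing", "suit", "suspend", "terrorist", "threat", "trespass",
    "verdict", "violate", "warrant", "porn", "slave", "forced labour",
    "forced labor", "child labour", "child labor", "servant", "servitude",
    "exploitation",
]


def quote(term: str) -> str:
    """Multi-word terms become exact phrases; single words stay bare."""
    return f'"{term}"' if " " in term else term


def strip_scheme(url: str) -> str:
    """site: takes a host, so drop http:// or https:// if present."""
    for prefix in ("https://", "http://"):
        if url.startswith(prefix):
            return url[len(prefix):]
    return url


def build_queries(engine: str, subject: str, dirty_words: Iterable[str] = (),
                  site: Optional[str] = None, filetype: Optional[str] = None,
                  exclude: Iterable[str] = (), inurl: Optional[str] = None,
                  intitle: Optional[str] = None) -> List[str]:
    """Return the query strings needed to cover every dirty word on one engine.

    Google gets a single query with the words OR-ed in a group; an engine
    without OR (Baidu, per the table) gets one query per word. Operators the
    engine lacks are left out rather than emitted as unsupported syntax.
    """
    ops = OPERATORS[engine]
    base = [f'"{subject}"']
    if site and ops["site"]:
        base.append(ops["site"] + strip_scheme(site))
    if filetype and ops["filetype"]:
        base.append(ops["filetype"] + filetype)
    if inurl and ops["inurl"]:
        base.append(ops["inurl"] + inurl)
    if intitle and ops["intitle"]:
        base.append(ops["intitle"] + intitle)
    tail = ["-" + quote(w) for w in exclude]
    words = [quote(w) for w in dirty_words]
    if not words:
        return [" ".join(base + tail)]
    if ops["or"]:
        return [" ".join(base + ["(" + ops["or"].join(words) + ")"] + tail)]
    return [" ".join(base + [w] + tail) for w in words]


def litigation_query(subject: str) -> str:
    """The deck's litigation string for a subject, in Google syntax."""
    return build_queries("google", subject, LITIGATION_TERMS)[0]


if __name__ == "__main__":
    # Constructed subject; the company name is made up.
    print(litigation_query("Acme Mining Ltd"))
    for q in build_queries("baidu", "Acme Mining Ltd", ["sued", "forced labour"],
                           site="http://www.example.cn"):
        print(q)
```

Returning a list rather than a string is deliberate: it makes the Baidu case (no OR, so one query per term) explicit instead of silently producing a query the engine will misread.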
Google Advanced Searching
Free Google Course — www.powersearchingwithgoogle.com
Google Advanced Search — www.google.com/advanced_search
Search Engines and Sources
Google
• Alerts — google.com/alerts
• Groups — https://groups.google.com
• News Archives — https://news.google.com/newspapers
• Patents — https://patents.google.com
• Scholar — https://scholar.google.com
Bing and Yahoo
• Alternatives to Google
• Potentially different search results prioritized
Search Engines and Sources
Privacy-oriented
• Disconnect Search — https://search.disconnect.me
• DuckDuckGo — https://duckduckgo.com
• Qwant — https://www.qwant.com
• StartPage — https://www.startpage.com
Yandex
• Largest search engine in Russia
Google Alerts
• Useful for monitoring online mentions of your investigation subject
• Customizable
• Remember to use quotation marks for specific search terms
Archived or Cached Pages
View archived websites, compare information before/after, and get around paywalls
Archive.is
Archived or Cached Pages
www.archive.org
• Was company operational when it claimed to be?
• Did individual in fact work at past company?
• Censored content
Archive.org
Live Demonstration: Archive.org look at blackpeakgroup.com
Proxy Sites
If you are unable to access a website in your jurisdiction and do not
have VPN, proxy sites may come in handy:
• hide.me/en/proxy
• proxysite.com
Reverse Image Searches
The Main Five: Google, Baidu, Bing, TinEye, Yandex
• Related companies/websites
• Names of individuals
Reverse Image Searches: Exif Data
Imgops.com
More Image Tools
More image tools:
• Jeffrey’s Image Metadata Viewer — http://exif.regex.info
• Magnify pictures — https://29a.ch/photo-forensics
• Online barcode reader — https://online-barcode-reader.inliteresearch.com
E.g., a discarded boarding pass can yield valuable leads
More Image Tools
Image manipulation tools:
• Analyzes a photo to check for edits — http://www.izitru.com
• Digital picture analysis — fotoforensics.com
The above site provides error-level analysis, a forensic method to identify portions of an image with a different level of compression. It allows you to identify if a picture has been digitally modified.
Case Study: Using Images
Subject’s WhatsApp profile picture
• Appears to be a bar or restaurant
• Search for “the jovial chef &” as seen in background
Case Study: Using Images
Corroborate with other open source images of The Jovial Sailor
Bingo! Provides a lead that your subject was in Woking, England
Narrow searches to the UK and the Woking area potentially
YouTube Metadata
Ensure all possible metadata is extracted: http://citizenevidence.amnestyusa.org
Other Video Tools and Search Domains:
• Deturl.com — download videos
• Google Videos
• Bing Videos
Whois Lookup
• Who registered the website?
• In which jurisdiction is the website registered?
• Is the same individual/company behind multiple websites?
WHOIS sites:
• www.whoisology.com
• www.viewdns.info
• www.whois.icann.org/en
Whois Lookup
www.whoisology.com
• Provides standard WHOIS data plus the ability to instantly search domain fields
• E.g., “Gilbert Cheng” has 3 other domains linked to him and clicking on this will provide instant results
Whois Lookup
www.viewdns.info
Whois Lookup
Example: reverse search using an email address
If other domains found, WHOIS every domain to ensure you cover all bases
Whois Lookup
Live Demonstration: blackpeakgroup.com & it@blackpeakgroup.com
Search Engine Marketing Tools
Use websites to see backlinks, search rankings, and related info:
• Alexa rankings
• Semrush.com — SEO statistics and backlinks
• Changedetection.com — monitor website changes
• Pentest-tools.com/information-gathering/find-subdomains-of-domain — find hidden links on a website
IP and Domain Tools
• Backlink checker — smallseotools.com/backlink-checker
• Shodan.io — search engine for internet-connected devices (IoT)
• Robots.txt file search
• Instructs search engines not to index certain files
• Find these files via acfe.com/robots.txt or use the site operator: site:acfe.com “robots.txt”
• Provides insight into what the domain owner considers sensitive
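The robots.txt point cuts both ways: the file is public, so whatever a site owner lists as off-limits to crawlers is advertised to every reader. Below is an added example (not from the deck, not a Blackpeak tool) that parses a robots.txt body into per-crawler rules and lists the disclosed paths, which is also the check to run against your own file before it names admin or backup locations. The sample file, its hosts and paths are constructed for this example.

```python
# Added example, not from the original deck: parse a robots.txt body and list
# the paths each crawler is told to stay away from, the part the deck says
# reveals what the owner treats as sensitive. The same check, run against
# your own robots.txt, shows what it advertises to anyone who reads it.
# The sample file below is constructed for this example, not a real site's.
from typing import Dict, List, Tuple

SAMPLE_ROBOTS = """\
# constructed sample, not a real site's file
User-agent: *
Disallow: /admin/
Disallow: /backup/
Allow: /public/

User-agent: Googlebot
Disallow: /internal-reports/

Sitemap: https://www.example.com/sitemap.xml
"""


def parse_robots(text: str) -> Tuple[Dict[str, Dict[str, List[str]]], List[str]]:
    """Return ({user_agent: {"disallow": [...], "allow": [...]}}, [sitemap urls]).

    Consecutive User-agent lines share the rule lines that follow them; a
    User-agent line after a rule line starts a new group.
    """
    rules: Dict[str, Dict[str, List[str]]] = {}
    sitemaps: List[str] = []
    agents: List[str] = []
    in_group = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment in robots.txt
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if in_group:
                agents, in_group = [], False
            agents.append(value)
            rules.setdefault(value, {"disallow": [], "allow": []})
        elif field in ("disallow", "allow"):
            in_group = True
            if value:  # an empty Disallow means "nothing is disallowed"
                for agent in agents:
                    rules[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return rules, sitemaps


def disclosed_paths(rules: Dict[str, Dict[str, List[str]]]) -> List[str]:
    """Every Disallow path across all user-agents, deduplicated and sorted."""
    return sorted({path for agent in rules.values() for path in agent["disallow"]})


if __name__ == "__main__":
    parsed, maps = parse_robots(SAMPLE_ROBOTS)
    for agent, r in parsed.items():
        print(f"{agent}: disallow={r['disallow']} allow={r['allow']}")
    print("sitemaps:", maps)
    print("paths the file discloses:", disclosed_paths(parsed))
```

The Sitemap line is kept separately because it is not crawler-specific and, on a real site, often points at further URL lists worth reading.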
Email Address
• What could you potentially find with an email address?
• Social media profiles
• Domains registered
• Classifieds and forum postings
• If email account has been compromised
• Start with basic “quotation mark” searches and expand
your search from there
• Pipl.com — good first point of search
Email Address
Email Verification:
• Mailtester.com
• Verify-email.org
• tools.verifyemailaddress.io
Email permutations: http://metricsparrow.com/toolkit/email-permutator
Email Address + Skype
Bulk email validator for permutations: e-mailvalidator.com

Other tips:
• Use WHOIS to check for domains registered to email address
• Check hacked-emails.com and pastebin to see if it is compromised
• Username search: http://knowem.com

Search the Skype directory for your subject while logged in:
• User profile may have a photo, email address, user name
• This user name could be consistent across your subject’s social media
Phone Numbers
Harder to trace, but some sites worth a try (most require
accounts):
• Pipl
• True Caller
• Thatsthem.com/reverse-phone-lookup
• Nextcaller.com

Note that many of these services are U.S.-focused and may not
yield leads that are as valuable in APAC
Phone Numbers
Other tools and domains to search:
• Whocallsme.com
• Classifieds and forums (e.g., Craigslist, Gumtree, even escort
forums if there is even a hint your subject is into that)
Online Communities
Communities that may provide further leads:
• Craigslist, eBay
• Asia-specific sites: Carousell, Qoo10, Taobao, Rakuten
• Reddit (e.g., reddit.com/r/rbi – reddit’s bureau of
investigation)
• Public Google calendars (e.g., site:google.com/calendar
“appt”)
• Local prostitution or escort ad sites/forums/review
boards
• Online dating/networking websites — Match, Ashley
Madison, Meetup
Mapping
Mapping Tools:
• Google Maps — maps.google.com
• Bing Maps — bing.com/maps
• HERE WeGo — wego.here.com
Editing Tools:
• Freemaptools.com
• Scribblemaps.com
Document Search: Filetypes
Commonly Indexed Filetypes File Extension
Microsoft Word or Open XML Doc .doc / .docx
Microsoft Excel or Open XML Spreadsheet .xls / .xlsx
Microsoft PowerPoint Presentation .ppt / .pptx
WAVE or Mp3 Audio Files .wav / .mp3
Adobe Acrobat Portable Document Format .pdf
OpenOffice Files .odp / .ods / .odt
Text Files .txt / .rtf
Compressed Files .rar / .zip / .7z
Images .png / .jpeg / .jpg / .bmp
Google Earth .kml / .kmz
Document Search: Methods

Search Methods:
1) Site:URL filetype:ext
2) “Search Term” filetype:ext (add hyphens + OR filetype:ext to
narrow results)
3) inurl:ftp -inurl:(http|https) filetype:ext “Search Term”
• Identifies File Transfer Protocol (FTP) servers that contain
your search term within the file
Document Search: Cloud
Cloud providers worth searching:
• Google: docs.google.com and drive.google.com
• Microsoft: onedrive.live.com
• Amazon Web Services: search site:s3.amazonaws.com “Search Term”
• Scribd
• ISSUU, Slideshare, Prezi
• >100 pastebin sites including pastebin.com, paste.org, pastebin.ca, justpaste.it
Case Study
Case Study 1: United States Whistleblowers
The Allegations
Client receives two separate but nearly identical whistleblower allegations:
• Claim to be shareholders of large multinational mining company (Giant Mining) who are planning to enter into a JV with a mining company in Latin America (LAT Mining)
• Understands Client to have invested in LAT Mining
• Alleged that an individual named Kim is the “operator” of LAT Mining and is under criminal investigation
• Attributed Kim’s involvement in LAT Mining and another mine in Africa (AFR Mining) as “dubious” because mines did not produce any material
• The mining appraiser, Lee, who did mining report for EUR Mining and LAT mining was expelled from an accredited institution for failing to document his qualification
Client’s Questions
• Who are these whistleblowers?
• What’s their motivation?
Whistleblowers
NY Man
• Early 20s man, working in New York’s finance industry
• Graduated from Temple University in 2000s
• No corporate affiliations found
• Reverse searches on address found it linked to his father, a doctor
• Family has two mortgages on the East Coast
Whistleblowers
CA Man
• American working in California as an operations manager
• Graduated from University of California in 2012
• No corporate affiliations found
• Reverse searches on address found CA Man’s parents
• Family owns three homes in California
• Background suggests middle to upper-middle class
Whistleblowers
How did they cross paths?
Investigation: Email Trace
Save email on desktop → Open as text → Copy and paste into trace message website
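What the trace website does with the pasted text is read the Received: headers, which each relaying mail server prepends. As an added example (not from the deck and not a Blackpeak tool) the block below performs that step locally, so the raw message never leaves your machine; the sample message is constructed for this example (made-up hosts, RFC 5737 documentation addresses) and has nothing to do with the case study.

```python
# Added example, not from the original deck: the "open the saved email as
# text and trace it" step done locally. It walks the Received: headers of a
# raw message, unfolds them, and reports each hop and its non-internal IPs.
# The message below is constructed for this example (RFC 5737 documentation
# addresses, made-up hosts); nothing in it is from the case study.
import re
from email import message_from_string
from ipaddress import ip_address, ip_network
from typing import List, Optional

SAMPLE_EMAIL = """\
Received: from mail-out.example-provider.net (mail-out.example-provider.net [203.0.113.5])
\tby mx.client-domain.example (Postfix) with ESMTPS id 4AB12CD
\tfor <compliance@client-domain.example>; Tue, 03 Sep 2019 09:15:22 +0000
Received: from [192.168.1.20] (unknown [198.51.100.77])
\tby mail-out.example-provider.net with ESMTPSA id 7EF34GH;
\tTue, 03 Sep 2019 09:15:20 +0000
From: Sender <sender@example.invalid>
To: compliance@client-domain.example
Subject: Constructed sample message
Message-ID: <constructed-0001@example.invalid>

This is a constructed sample body.
"""

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Loopback and RFC 1918 ranges: addresses a sender's LAN may leak but which
# say nothing about where the message entered the public internet.
INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12",
                                     "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True for loopback/private addresses or strings that are not an IPv4."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL)


def received_hops(raw_message: str) -> List[dict]:
    """Parse Received: headers into hops ordered from origin to final delivery.

    Each server prepends its own Received: line, so the header list read
    top-down is newest first; it is reversed here. Only the lines added by
    servers you trust (your own MX and inward) are reliable; earlier lines
    can be forged by the sender, so the origin hop is a lead, not proof.
    """
    msg = message_from_string(raw_message)
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())  # unfold the continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        hops.append({
            "from": m_from.group(1) if m_from else None,
            "by": m_by.group(1) if m_by else None,
            "public_ips": [ip for ip in IP_RE.findall(flat) if not is_internal(ip)],
        })
    hops.reverse()
    return hops


def originating_ip(raw_message: str) -> Optional[str]:
    """First non-internal IP in the earliest hop, or None if there is none."""
    hops = received_hops(raw_message)
    if hops and hops[0]["public_ips"]:
        return hops[0]["public_ips"][0]
    return None


if __name__ == "__main__":
    for i, hop in enumerate(received_hops(SAMPLE_EMAIL), 1):
        print(f"hop {i}: from {hop['from']} by {hop['by']} ips {hop['public_ips']}")
    print("originating IP:", originating_ip(SAMPLE_EMAIL))  # 198.51.100.77
```

When two messages are compared, as in this case study, the useful signal is the hop list as a whole (same provider, same path, adjacent timestamps), not a single address in isolation.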
Investigation: Email Trace (screenshots): CA Man’s email; NY Man’s email
Investigation: Metadata
Investigation: Daniel Park
CA Man and Daniel Park
• Went to the same high school
• Both graduated in 2008
Investigation: Daniel Park
Daniel Park
• Was involved in track and field at his high school
• Went to Temple University
• Same school as NY Man
• Google Searches did not find info on “Daniel Park”
Investigation: Daniel Park
Is the name “Daniel Park” his legal name?
Investigation: Daniel Park
NY Man’s email was nyman@gmail.com
• People tend to use the same handle
Investigation: Daniel Park
Assumed “Daniel” was a pseudonym for an Asian name with the same starting consonant — “D”
Investigation: Daniel Park
Confirm that “Dong Hyun Park” is Daniel Park
• Daniel Park was a track and field athlete
• Searched track and field rosters for Temple U
• Found Dong Hyun Park and Daniel Park named at same events with no overlap
Who Is Daniel Dong Hyun Park?
Social Media, Media, and Public Domain Research
• Daniel is the son of Mr. Park, shareholder of AFR Mining
• Mr. Park commenced legal action in 2014 against AFR Mining
• The coal mine that AFR Mining bought was owned by Kim
• Daniel also named as a shareholder of AFR Mining at one point
• Whistleblowers acted on Daniel’s behalf