Quick reference guide to terminology used in OSINT investigations.


A

Alias An alternative name or username used by a subject. Example: “John Smith” may also use “jsmith123” online.

Attribution The process of identifying who is responsible for an action, post, or activity; for example, determining the real person behind a username.

Artifact Any piece of digital evidence collected during an investigation (screenshot, document, file, etc.).


B

Blockchain A distributed digital ledger technology used for cryptocurrencies. All transactions are public and permanent, making it useful for financial investigations.

Bot Account An automated social media account (not controlled by a human). Often used to artificially inflate follower counts or spread spam.

Breach Data Leaked databases from security breaches containing usernames, passwords, and personal information. Check via HaveIBeenPwned.

Burner Account A temporary, disposable account created for a specific purpose and then abandoned.


C

CDN (Content Delivery Network) A service (like Cloudflare) that distributes website content globally. Often hides the true origin server IP address.

Certificate Transparency (CT) Public logs of SSL/TLS certificates. Useful for discovering subdomains and tracking domain ownership.

Chain of Custody Documented record of who handled evidence, when, and how. Critical for legal admissibility.

CNAME Record DNS record that creates an alias from one domain to another. Example: www.example.com → example.com

Collection Log A systematic record of all evidence gathered during an investigation, including source, date, time, and hash values.

Confidence Level Assessment of how certain you are about a finding (Low, Medium, High). Based on source quality and verification.

Correlation The process of connecting information from multiple sources to verify facts or identify patterns.

Cryptocurrency Wallet A digital address for sending/receiving cryptocurrency. Public addresses are visible on the blockchain.

CSAM (Child Sexual Abuse Material) Illegal content involving minors. MUST be immediately reported to authorities (NCMEC CyberTipline in US).


D

DMARC (Domain-based Message Authentication, Reporting & Conformance) Email authentication protocol, built on SPF and DKIM results, that helps prevent email spoofing and phishing.

DNS (Domain Name System) The system that translates domain names (example.com) to IP addresses (192.0.2.1).

Dossier A comprehensive profile of a person or organization compiled from multiple sources.

Doxxing The act of publicly revealing someone’s private personal information without consent. ILLEGAL and UNETHICAL.


E

Entity A person, organization, domain, or asset being investigated.

Evidence Hash A SHA-256 cryptographic hash recorded when a file is collected; recomputing it later shows whether the file has been modified since. Used to verify evidence integrity.

EXIF Data Metadata embedded in images, including camera model, GPS coordinates, and timestamps. Can be extracted with ExifTool.


F

Footprint (Digital) All online traces left by a person or organization (accounts, posts, images, domains, etc.).

Forensic Copy An exact bit-by-bit copy of digital evidence, preserving all metadata and deleted files.


G

Geolocation Determining the physical location of a person, device, or server based on IP address, GPS data, or other indicators.

GDPR (General Data Protection Regulation) European privacy law governing how personal data must be handled. Applies to EU citizens’ data globally.

GitHub Code hosting platform where developers share projects. Useful for tracking technical skills and collaborations.


H

Hash (File Hash) A unique fingerprint of a file generated by a cryptographic algorithm (SHA-256). If the file changes, the hash changes.
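Putting the Hash, Evidence Hash and Collection Log entries together, the following is an added worked example (not code from this glossary or its maintainer): it fingerprints an artifact with SHA-256, records it in a collection log with source, collector and UTC timestamp, and re-verifies the artifact later so that any modification is detected. The artifact bytes, the source URL and the analyst id are constructed placeholders.

```python
"""Evidence hashing and collection log (added example, not from the glossary).

Computes SHA-256 fingerprints for artifacts, records them in a collection
log with source and UTC timestamp, and later re-verifies an artifact against
its logged hash so that any modification since collection is detected.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK_SIZE = 1 << 20  # hash large files in 1 MiB chunks


def sha256_bytes(data: bytes) -> str:
    """Hex SHA-256 fingerprint of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file on disk, streamed so large captures fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def record_artifact(log: list, name: str, data: bytes, source: str,
                    collector: str) -> dict:
    """Append a collection-log entry: what was collected, from where, by whom,
    when (UTC) and its SHA-256. Returns the entry."""
    entry = {
        "artifact": name,
        "source": source,
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "sha256": sha256_bytes(data),
        "size_bytes": len(data),
    }
    log.append(entry)
    return entry


def verify_artifact(entry: dict, data: bytes) -> bool:
    """True only if the artifact still matches the hash recorded at collection."""
    return sha256_bytes(data) == entry["sha256"]


def write_log(log: list, path: Path) -> str:
    """Persist the log as JSON and return the SHA-256 of the log file itself,
    so the log can be sealed in the chain-of-custody record."""
    path.write_text(json.dumps(log, indent=2))
    return sha256_file(path)


if __name__ == "__main__":
    # Constructed sample artifact standing in for a screenshot capture.
    screenshot = b"\x89PNG\r\n\x1a\n" + b"constructed sample image bytes"
    log: list = []
    entry = record_artifact(
        log, "profile_screenshot.png", screenshot,
        source="https://example.com/profile/jsmith123",  # placeholder URL
        collector="analyst-01",                          # hypothetical analyst id
    )
    print(json.dumps(entry, indent=2))
    print("intact:  ", verify_artifact(entry, screenshot))            # True
    print("tampered:", verify_artifact(entry, screenshot + b"\x00"))  # False
    with tempfile.TemporaryDirectory() as d:
        print("log hash:", write_log(log, Path(d) / "collection_log.json"))
```

The hash of the log file returned by `write_log` is what goes into the chain-of-custody record: anyone holding that one value can later confirm that neither the artifacts nor the log describing them were altered.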

HIBP (HaveIBeenPwned) Website (haveibeenpwned.com) that tracks data breaches and lets you check if an email was compromised.

HTTP Headers Information sent by web servers including server software, security policies, and technologies used.


I

IC3 (Internet Crime Complaint Center) FBI’s online portal for reporting internet crimes (ic3.gov).

Indicator of Compromise (IOC) Evidence suggesting malicious activity (malware signature, suspicious IP, phishing domain).

Intelligence Gap Information you need but don’t have. Documenting gaps helps guide further investigation.


J

JSON (JavaScript Object Notation) A common data format used for storing and transferring information (often in API responses).


K

KYC (Know Your Customer) Identity verification process used by financial institutions and cryptocurrency exchanges.


L

Laundering (Money/Crypto) The process of concealing the origins of illegally obtained money or cryptocurrency.

Leak (Data Leak) Unauthorized disclosure of private information (passwords, personal data, documents).

Link Analysis Mapping relationships between entities (people, organizations, accounts) to understand networks.


M

Metadata Data about data. For images: camera info, GPS location, timestamps. For documents: author, creation date, edit history.

Mixer (Cryptocurrency Mixer) Service that obscures cryptocurrency transaction history by pooling funds (e.g., Tornado Cash).

MX Record DNS record specifying mail servers for a domain. Useful for understanding email infrastructure.


N

Name Server (NS) DNS servers responsible for a domain. Often reveals who manages the domain (Cloudflare, AWS, etc.).

NCMEC (National Center for Missing & Exploited Children) US organization that operates CyberTipline for reporting CSAM (CyberTipline.org).


O

OPSEC (Operational Security) Practices to protect yourself while investigating (using VPNs, not using personal accounts, avoiding attribution).

OSINT (Open Source Intelligence) Intelligence gathered from publicly available sources (social media, websites, public records).


P

Passive Reconnaissance Gathering information without directly interacting with the target (no probing, no account access).

PGP Key Encryption key used for secure communications. Sometimes listed on profiles, useful for identity verification.

Phishing Fraudulent attempt to steal credentials or information by impersonating a legitimate entity.

PII (Personally Identifiable Information) Data that can identify an individual (name, address, SSN, email, phone). Must be protected per privacy laws.

Pivot Using one piece of information to find related data. Example: Email → WHOIS → other domains registered by same email.

Platform A social media service or online service (Twitter, LinkedIn, Reddit, etc.).


Q

Query A search or database lookup (DNS query, WHOIS query, database query).


R

Registrar Company where a domain is registered (Namecheap, GoDaddy, etc.).

Reputation Check Verifying if a domain, IP, or file is known to be malicious using threat intelligence databases.

Reverse Image Search Searching for an image to find where else it appears online (Google Images, TinEye, Yandex).

Reverse IP Lookup Finding other domains hosted on the same IP address (reveals shared hosting).


S

SAN (Subject Alternative Name) Additional domains listed on an SSL certificate. Useful for discovering related domains.

Scraping Automated extraction of data from websites. Often violates Terms of Service.

SHA-256 Cryptographic hash algorithm that produces a 256-bit fingerprint of a file. Standard for evidence hashing.

SIEM (Security Information and Event Management) System for collecting and analyzing security logs from multiple sources.

SOCMINT (Social Media Intelligence) Intelligence gathered specifically from social media platforms.

SOP (Standard Operating Procedure) Step-by-step instructions for performing a specific task consistently and correctly.

SPF (Sender Policy Framework) Email authentication method that specifies which mail servers can send email for a domain.
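For the DMARC and SPF entries, here is an added worked example (not code from this glossary or its maintainer) that parses the two TXT-record strings an investigator would retrieve for a domain (SPF at the domain apex, DMARC at `_dmarc.<domain>`) into their components and flags configurations that leave the domain easy to spoof. The records used are constructed samples and no DNS lookup is performed.

```python
"""SPF and DMARC record parsing (added example, not from the glossary).

Parses SPF and DMARC TXT records into mechanisms, modifiers and tags, then
reports weak settings. Input records are constructed samples; nothing is
queried over the network.
"""
from typing import Optional

SPF_QUALIFIERS = "+-~?"
SPF_MECHANISMS = {"all", "include", "a", "mx", "ptr", "ip4", "ip6", "exists"}


def parse_spf(record: str) -> dict:
    """Split an SPF record into mechanisms [(qualifier, name, value)] and modifiers {}."""
    terms = record.strip().split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    mechanisms, modifiers = [], {}
    for term in terms[1:]:
        # Modifiers look like redirect=... or exp=...; mechanisms use ':' instead.
        if "=" in term and ":" not in term.split("=", 1)[0]:
            key, value = term.split("=", 1)
            modifiers[key.lower()] = value
            continue
        qualifier = "+"  # implicit "pass" when no qualifier is written
        if term[0] in SPF_QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name, _, cidr = name.partition("/")  # handles the a/24 and mx/24 forms
        if cidr:
            value = f"/{cidr}"
        name = name.lower()
        if name not in SPF_MECHANISMS:
            raise ValueError(f"unknown SPF mechanism: {name}")
        mechanisms.append((qualifier, name, value))
    return {"version": "spf1", "mechanisms": mechanisms, "modifiers": modifiers}


def parse_dmarc(record: str) -> dict:
    """Split a DMARC record ('tag=value; tag=value') into a dict of tags."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    return tags


def assess(spf: Optional[dict], dmarc: Optional[dict]) -> list:
    """Findings (empty list = nothing weak) for a domain's SPF/DMARC posture."""
    findings = []
    if spf is None:
        findings.append("no SPF record: any host can claim to send for the domain")
    else:
        all_terms = [q for q, name, _ in spf["mechanisms"] if name == "all"]
        if not all_terms and "redirect" not in spf["modifiers"]:
            findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        elif all_terms and all_terms[-1] in "+?":
            findings.append(f"SPF ends with '{all_terms[-1]}all': unlisted senders pass or are neutral")
        elif all_terms and all_terms[-1] == "~":
            findings.append("SPF ends with '~all' (softfail): unlisted senders are marked, not rejected")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures are not enforced")
    elif dmarc.get("p") == "none":
        findings.append("DMARC p=none: failures are only reported, not quarantined or rejected")
    return findings


if __name__ == "__main__":
    # Constructed sample records for a fictional domain.
    spf = parse_spf("v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all")
    dmarc = parse_dmarc("v=DMARC1; p=reject; rua=mailto:dmarc@example.com")
    print(spf)
    print(dmarc)
    print("findings (strict):", assess(spf, dmarc))
    print("findings (weak):  ", assess(parse_spf("v=spf1 +all"), parse_dmarc("v=DMARC1; p=none")))
```

When reading the output, the last `all` term is what matters: `-all` rejects unlisted senders, `~all` only marks them, and `+all` or `?all` means the SPF record adds no protection at all, so a DMARC policy of `p=reject` on top of it still cannot enforce much.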

Subject The person, organization, or entity being investigated.

Subdomain A subdivision of a domain. Example: blog.example.com is a subdomain of example.com.


T

Threat Actor An individual or group conducting malicious cyber activities.

Threat Intelligence Information about current cyber threats, malware, phishing campaigns, etc.

Timeline Chronological sequence of events reconstructed from digital evidence.

TLD (Top-Level Domain) The last part of a domain name (.com, .org, .uk, .edu, etc.).

Tor (The Onion Router) Anonymity network that obscures user IP addresses. Often used by threat actors to hide identity.

ToS (Terms of Service) Rules governing use of a platform or service. Violating ToS can invalidate evidence or create legal issues.

TTL (Time to Live) How long DNS records are cached. A short TTL can indicate frequent record changes and is worth noting, though it is also routine for CDN-fronted and load-balanced hosts.


U

URL (Uniform Resource Locator) Web address (https://example.com/page).

Username Enumeration Searching for a username across multiple platforms to identify all accounts belonging to a subject.


V

Verification Confirming information is accurate through multiple independent sources.

VPN (Virtual Private Network) Service that masks your IP address by routing traffic through a remote server. Essential for OPSEC.


W

Wallet (Cryptocurrency) Digital address for storing and transacting cryptocurrency. Public addresses are traceable on blockchain.

WARC (Web ARChive) File format for archiving web pages, preserving full HTML and resources for evidence.

Wayback Machine Internet Archive service (archive.org) that stores historical snapshots of websites.

WHOIS Public database of domain registration information (registrant, creation date, name servers).


X

X (Twitter) Social media platform formerly known as Twitter. Rebranded to X in 2023.


Y

Yandex Russian search engine. Often useful for reverse image searches, especially for images from Eastern Europe.


Z

Zero-Day Previously unknown software vulnerability. Relevant when investigating compromised systems.


Acronyms Quick Reference

Acronym      Meaning
AML          Anti-Money Laundering
ARIN         American Registry for Internet Numbers
API          Application Programming Interface
CA           Certificate Authority
CCPA         California Consumer Privacy Act
CDN          Content Delivery Network
CEH          Certified Ethical Hacker
CNAME        Canonical Name (DNS record)
CSAM         Child Sexual Abuse Material
CT           Certificate Transparency
CVE          Common Vulnerabilities and Exposures
DDoS         Distributed Denial of Service
DKIM         DomainKeys Identified Mail
DMARC        Domain-based Message Authentication, Reporting & Conformance
DNS          Domain Name System
DV           Domain Validated (SSL certificate)
EV           Extended Validation (SSL certificate)
EXIF         Exchangeable Image File Format
GDPR         General Data Protection Regulation
HIBP         Have I Been Pwned
HTML         HyperText Markup Language
HTTP/HTTPS   HyperText Transfer Protocol (Secure)
IANA         Internet Assigned Numbers Authority
IC3          Internet Crime Complaint Center
ICANN        Internet Corporation for Assigned Names and Numbers
IoC          Indicator of Compromise
IP           Internet Protocol
ISP          Internet Service Provider
JSON         JavaScript Object Notation
KYC          Know Your Customer
LE           Law Enforcement
LEO          Law Enforcement Officer
MFA          Multi-Factor Authentication
MX           Mail Exchange (DNS record)
NCMEC        National Center for Missing & Exploited Children
NS           Name Server
OPSEC        Operational Security
OSINT        Open Source Intelligence
OV           Organization Validated (SSL certificate)
PGP          Pretty Good Privacy
PII          Personally Identifiable Information
SAN          Subject Alternative Name
SIEM         Security Information and Event Management
SOCMINT      Social Media Intelligence
SOP          Standard Operating Procedure
SPF          Sender Policy Framework
SQL          Structured Query Language
SSL/TLS      Secure Sockets Layer / Transport Layer Security
TLD          Top-Level Domain
Tor          The Onion Router
ToS          Terms of Service
TTL          Time to Live
TTP          Tactics, Techniques, and Procedures
URL          Uniform Resource Locator
VPN          Virtual Private Network
WARC         Web ARChive
WHOIS        Who Is (domain registration database)

Investigation-Specific Terms

Active Investigation A case currently being worked on (status: 🟢 Active).

Closed Investigation A completed case (status: 🔴 Closed).

Example Case Training material using fictional data (status: 📚 Example).

On Hold Investigation A case paused pending additional information (status: 🟡 On Hold).

Authorization Written permission to conduct an investigation. REQUIRED before starting any case.

Scope The boundaries of what you’re authorized to investigate (platforms, subjects, timeframes).

Out of Scope Actions or targets NOT authorized. Investigating out-of-scope is illegal/unethical.

Escalation Referring a case to higher authority (law enforcement, supervisor) when serious crimes are discovered.

Red Flag Warning sign indicating potential risk, illegal activity, or ethical concern.

Intelligence Product Final deliverable from investigation (report, dossier, evidence package, briefing).


Platform-Specific Terms

Twitter/X

  • Handle: Username (@username)
  • Tweet: Post on Twitter/X
  • Retweet: Sharing someone else’s tweet
  • Quote Tweet: Retweet with added comment
  • Thread: Series of connected tweets
  • Verified Badge: Blue checkmark (paid subscription as of 2023)

LinkedIn

  • Connection: Mutual professional relationship
  • 1st Degree: Direct connection
  • 2nd Degree: Connection of a connection
  • InMail: Private message (premium feature)

GitHub

  • Repository (Repo): Project folder containing code
  • Commit: Saved change to code
  • Fork: Personal copy of someone else’s repo
  • Star: Bookmark/like for a repo
  • Pull Request: Proposed code change

Reddit

  • Subreddit: Community focused on specific topic (r/example)
  • Karma: Points earned from upvotes
  • OP: Original Poster
  • Throwaway: Temporary account for anonymous posting


Legal and Ethical Terms

Authorized Access Permission to access a system, account, or information. Accessing without authorization is illegal (CFAA).

CFAA (Computer Fraud and Abuse Act) US federal law prohibiting unauthorized computer access. Violators face criminal charges.

Disclosure Sharing investigation findings with authorized parties (client, law enforcement, platforms).

Ethical Boundaries Limits on what is morally acceptable in investigations, even if technically legal.

Legal Admissibility Whether evidence can be used in court. Requires proper collection, chain of custody, and legality.

Subpoena Legal order requiring production of evidence. Only law enforcement/courts can issue.

Warrant Court order authorizing law enforcement to search, seize, or surveil. Required for most invasive actions.


Best Practices Terminology

Defense in Depth Multiple layers of security/verification to protect investigation integrity.

Need to Know Principle of only sharing case information with those who require it for their role.

Principle of Least Privilege Granting minimum access necessary to perform investigation tasks.

Verify, Don’t Trust Always confirm information from multiple sources; never rely on single-source intelligence.

Document Everything Core principle: If it’s not documented, it didn’t happen. Essential for evidence and accountability.


Questions?

If you encounter a term not in this glossary:

  1. Check the relevant SOP (may be defined there)
  2. Search online (OSINT Framework, Bellingcat guides)
  3. Ask your instructor/supervisor
  4. Suggest addition to this glossary

Glossary Version: 1.0
Last Updated: 2025-10-12
Maintainer: gl0bal01
Contribute: Suggest terms to add via instructor/repository