Visual guide to the investigation process from start to finish.
## Investigation Lifecycle Overview

```text
┌────────────────────────────────────────────────────────────┐
│                OSINT INVESTIGATION WORKFLOW                │
└────────────────────────────────────────────────────────────┘

Phase 1: PREPARATION (1-2 hours)
        ↓
Phase 2: AUTHORIZATION & SCOPING (30 min - 2 hours)
        ↓
Phase 3: COLLECTION (Hours to Weeks)
        ↓
Phase 4: ANALYSIS & CORRELATION (Hours to Weeks)
        ↓
Phase 5: REPORTING (1-5 hours)
        ↓
Phase 6: CLOSURE & ARCHIVAL (1-2 hours)
```
## Phase 1: Preparation

**Duration:** 1-2 hours (first time), 30 minutes (experienced)

**Checklist:**

```text
┌──────────────────────────────────────┐
│ PREPARATION PHASE                    │
├──────────────────────────────────────┤
│ [ ] Read Legal & Ethics SOP          │
│ [ ] Review OPSEC Planning SOP        │
│ [ ] Set up isolated environment      │
│     ├── VPN/Tor configured           │
│     ├── Burner browser profile       │
│     ├── Encrypted storage ready      │
│     └── Screenshot tool ready        │
│ [ ] Prepare folder structure         │
│ [ ] Review relevant platform SOPs    │
│ [ ] Understand case requirements     │
└──────────────────────────────────────┘
```
### Set Up Your Investigation Environment

**Tools Needed:**
- VPN or Tor Browser (OPSEC)
- Screenshot tool (Flameshot, Greenshot, built-in)
- Hashing tool (sha256sum, CertUtil on Windows)
- Text editor for notes (Obsidian, Notepad++, VS Code)
- Evidence storage (encrypted volume)

**Folder Structure to Create:**

```text
YYYY-NNN-Case-Name/
├── 00-Case-Overview.md
├── 01-Subject-Profiles.md
├── 02-Collection-Log.md
├── 03-Evidence/
│   ├── screenshots/
│   ├── documents/
│   ├── domains/
│   └── social-media/
├── 04-Reports/
└── 05-Admin/
    ├── authorization.pdf
    └── case-notes.md
```
## Phase 2: Authorization & Scoping

**Duration:** 30 minutes - 2 hours

**Workflow:**

```text
┌──────────────────────────────────────────────────────────────┐
│                AUTHORIZATION & SCOPING PHASE                 │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│  1. Receive Investigation Request                            │
│        ↓                                                     │
│  2. Review for Legal/Ethical Issues                          │
│        ↓                                                     │
│  3. Obtain Written Authorization ─────────┐                  │
│        ↓                                  │                  │
│  4. Define Scope (In/Out of Scope) ───────┤ If unclear,      │
│        ↓                                  │ clarify with     │
│  5. Identify Platforms & Techniques ──────┤ requestor        │
│        ↓                                  │                  │
│  6. Set Objectives (3-5 clear goals) ─────┘                  │
│        ↓                                                     │
│  7. Document Everything in 00-Case-Overview.md               │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
### Key Questions to Answer

**Authorization:**
- Do I have written authorization?
- Who authorized this investigation?
- What is the legal basis for this investigation?

**Scope:**
- What am I authorized to investigate? (Platforms, subjects, timeframes)
- What is explicitly OUT of scope?
- What requires additional authorization?

**Objectives:**
- What are the 3-5 primary goals?
- What does success look like?
- What deliverables are expected?

### Red Flags - STOP If:
- No written authorization
- Request involves illegal activity (hacking, unauthorized access)
- Investigating friends/family without proper authorization
- Scope is vague or unlimited
- Requestor asks you to violate ToS/laws
## Phase 3: Collection

**Duration:** Varies (hours to weeks depending on scope)

**Collection Workflow:**

```text
┌──────────────────────────────────────────────────────────────┐
│                       COLLECTION PHASE                       │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│ ┌──────────────────────────────────────────────────────────┐ │
│ │ FOR EACH PIECE OF EVIDENCE:                              │ │
│ ├──────────────────────────────────────────────────────────┤ │
│ │ 1. Capture Evidence                                      │ │
│ │    ├── Screenshot (with timestamp visible)               │ │
│ │    ├── Save HTML/source (if applicable)                  │ │
│ │    ├── Save WHOIS/DNS output                             │ │
│ │    └── Download files (if relevant)                      │ │
│ │                                                          │ │
│ │ 2. Calculate SHA-256 Hash                                │ │
│ │    └── sha256sum filename.png                            │ │
│ │                                                          │ │
│ │ 3. Log in Collection Log (02-Collection-Log.md)          │ │
│ │    ├── Evidence ID (E001, E002...)                       │ │
│ │    ├── Date/Time collected                               │ │
│ │    ├── Source URL                                        │ │
│ │    ├── SHA-256 hash                                      │ │
│ │    ├── Description                                       │ │
│ │    └── Collector name                                    │ │
│ │                                                          │ │
│ │ 4. Organize in Evidence Folder                           │ │
│ │    └── 03-Evidence/[category]/filename.png               │ │
│ │                                                          │ │
│ │ 5. Add Notes to Case Notes                               │ │
│ │    └── 05-Admin/case-notes.md                            │ │
│ │                                                          │ │
│ │ REPEAT for next piece of evidence                        │ │
│ └──────────────────────────────────────────────────────────┘ │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
### Evidence Collection Best Practices

**DO:**
- Screenshot with browser URL bar visible
- Include timestamps in filenames (YYYY-MM-DD format)
- Hash immediately after capture
- Log before moving to next item
- Save multiple formats (screenshot + HTML)
- Verify evidence integrity regularly

**DON'T:**
- Edit or modify evidence
- Delete original files
- Skip hashing
- Delay logging (do it immediately)
- Forget to document source URLs
- Take screenshots with personal account visible
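The capture, hash, log loop above, as an added example that is not part of the original guide: a small Python helper that copies a capture into `03-Evidence/<category>/` under a date-prefixed name, hashes it, assigns the next `E###` ID and appends one row to `02-Collection-Log.md`. The folder names are the ones from the Phase 1 structure; the log's column layout and the `YYYY-MM-DD_E001_name` filename pattern are assumptions.

```python
import hashlib
import re
import shutil
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

# Assumed column layout for 02-Collection-Log.md (the fields listed in step 3).
LOG_HEADER = (
    "| Evidence ID | Collected (UTC) | Source URL | SHA-256 | Description | Collector |\n"
    "|---|---|---|---|---|---|\n"
)

def sha256_file(path: Path) -> str:
    """Hash in chunks so large captures (HTML dumps, videos) are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def next_evidence_id(log_path: Path) -> str:
    """E001, E002, ... continuing from the highest ID already present in the log."""
    if not log_path.exists():
        return "E001"
    ids = re.findall(r"^\| E(\d+) \|", log_path.read_text(), re.M)
    return f"E{max(map(int, ids), default=0) + 1:03d}"

def log_evidence(case_dir: Path, capture: Path, category: str, source_url: str,
                 description: str, collector: str, when: Optional[datetime] = None) -> dict:
    """Copy the capture into 03-Evidence/<category>/, hash it, append one log row."""
    when = when or datetime.now(timezone.utc)
    log_path = case_dir / "02-Collection-Log.md"
    evidence_id = next_evidence_id(log_path)
    # Date-prefixed filename (YYYY-MM-DD) as the DO list recommends; the original capture
    # is only ever read, never edited or moved.
    dest = case_dir / "03-Evidence" / category / f"{when:%Y-%m-%d}_{evidence_id}_{capture.name}"
    dest.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(capture, dest)
    digest = sha256_file(dest)
    if digest != sha256_file(capture):  # stored copy must match the capture byte for byte
        raise RuntimeError(f"copy of {capture.name} did not verify")
    if not log_path.exists():
        log_path.write_text(LOG_HEADER)
    with log_path.open("a") as log:  # log immediately, before moving to the next item
        log.write(f"| {evidence_id} | {when:%Y-%m-%d %H:%M:%S} | {source_url} | {digest} | "
                  f"{description} | {collector} |\n")
    return {"id": evidence_id, "path": dest, "sha256": digest}
```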
### Platform-Specific Collection

**Social Media (Twitter, LinkedIn, etc.):**
1. Profile page (full view)
2. Bio/About section
3. Profile picture (close-up)
4. Recent posts (5-10 screenshots)
5. Follower/Following counts
6. Account creation date (if visible)
7. Links in bio

**Domains (WHOIS/DNS):**
1. WHOIS raw output → save to .txt
2. DNS A, MX, TXT, NS records → save to .txt
3. SSL certificate details → screenshot
4. Certificate Transparency logs → screenshot
5. Historical WHOIS → screenshot

**Blockchain:**
1. Wallet address transactions → screenshot
2. Transaction hashes → save to .txt
3. Blockchain explorer URL → log
4. Transaction graph/visualization → screenshot
## Phase 4: Analysis & Correlation

**Duration:** Varies (hours to weeks depending on complexity)

**Analysis Workflow:**

```text
┌──────────────────────────────────────────────────────────────┐
│                        ANALYSIS PHASE                        │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│ STEP 1: Entity Profiling                                     │
│ ├── Build comprehensive subject profile (01-Subject-Profiles)│
│ ├── Document all identifiers (usernames, emails, etc.)       │
│ ├── Map digital footprint across platforms                   │
│ └── Assess confidence for each data point                    │
│                                                              │
│ STEP 2: Cross-Platform Correlation                           │
│ ├── Verify information across multiple sources               │
│ ├── Identify consistencies and discrepancies                 │
│ ├── Create correlation matrix                                │
│ └── Flag contradictions for further investigation            │
│                                                              │
│ STEP 3: Timeline Reconstruction                              │
│ ├── Extract all dated events from evidence                   │
│ ├── Sort chronologically                                     │
│ ├── Identify patterns and anomalies                          │
│ └── Assess significance of each event                        │
│                                                              │
│ STEP 4: Pattern Analysis                                     │
│ ├── Activity patterns (when, where, how often)               │
│ ├── Content themes and topics                                │
│ ├── Behavioral indicators                                    │
│ └── Network/relationship mapping                             │
│                                                              │
│ STEP 5: Risk Assessment                                      │
│ ├── Identify threat indicators                               │
│ ├── Assess overall risk level (Low/Medium/High/Critical)     │
│ ├── Document intelligence gaps                               │
│ └── Recommend next steps                                     │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
### Confidence Assessment Framework

| Confidence Level | Criteria | Example |
|---|---|---|
| High | Verified across 3+ independent sources | Email found in WHOIS, GitHub profile, and LinkedIn |
| Medium | Verified across 2 sources | Username on Twitter and Reddit with matching profile pics |
| Low | Single source, unverified | Claim made in one tweet, no other evidence |
### Analysis Outputs

- **Subject Profile** (01-Subject-Profiles.md)
  - Identity overview
  - Digital footprint summary
  - Behavioral analysis
  - Attribution assessment
- **Timeline** (in 00-Case-Overview.md)
  - Chronological event list
  - Source citations
  - Significance ratings
- **Risk Assessment** (in 00-Case-Overview.md)
  - Overall risk level
  - Threat indicators
  - Intelligence gaps
  - Recommendations
## Phase 5: Reporting

**Duration:** 1-5 hours depending on complexity

**Reporting Workflow:**

```text
┌──────────────────────────────────────────────────────────────┐
│                       REPORTING PHASE                        │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│ STEP 1: Executive Summary                                    │
│ ├── Who, what, when, where, why (1-2 paragraphs)             │
│ ├── Key findings (top 3-5)                                   │
│ ├── Risk level assessment                                    │
│ └── High-level recommendations                               │
│                                                              │
│ STEP 2: Detailed Findings                                    │
│ ├── Each finding with supporting evidence                    │
│ ├── Evidence references (E001, E002, etc.)                   │
│ ├── Confidence ratings                                       │
│ └── Analysis and interpretation                              │
│                                                              │
│ STEP 3: Methodology Section                                  │
│ ├── Platforms investigated                                   │
│ ├── Tools used                                               │
│ ├── SOPs followed                                            │
│ └── Limitations acknowledged                                 │
│                                                              │
│ STEP 4: Recommendations                                      │
│ ├── Immediate actions                                        │
│ ├── Long-term recommendations                                │
│ ├── Escalation needs (LE referral, platform reporting)       │
│ └── Follow-up investigation needs                            │
│                                                              │
│ STEP 5: Evidence Package                                     │
│ ├── Organize all evidence files                              │
│ ├── Include evidence manifest (list with hashes)             │
│ ├── Add chain of custody documentation                       │
│ └── Create final ZIP/archive                                 │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
### Report Structure

**Final Report Format (04-Reports/final-report.md):**

```markdown
# Investigation Report: [Case Name]

## Executive Summary
[1-2 paragraphs: who, what, findings, risk level]

## Case Information
- Case ID: YYYY-NNN
- Investigator: [Name]
- Date Range: [Start - End]
- Authorization: [Reference]

## Objectives
1. [Objective 1]
2. [Objective 2]
3. [Objective 3]

## Methodology
- Platforms: [List]
- Tools: [List]
- SOPs: [List]
- Limitations: [Describe]

## Key Findings

### Finding 1: [Title]
- **Description:** [What you found]
- **Evidence:** E001, E005, E012
- **Confidence:** High
- **Significance:** [Why it matters]

### Finding 2: [Title]
[Repeat structure]

## Timeline of Events
[Chronological table or list]

## Risk Assessment
- **Overall Risk:** Medium
- **Risk Factors:** [List]
- **Mitigation:** [Recommendations]

## Intelligence Gaps
- [Gap 1]
- [Gap 2]

## Recommendations
1. [Recommendation 1]
2. [Recommendation 2]

## Conclusion
[Final summary paragraph]

---

**Appendices:**
- Appendix A: Evidence Log
- Appendix B: Subject Profiles
- Appendix C: Technical Details
```

## Phase 6: Closure & Archival
**Duration:** 1-2 hours

**Closure Checklist:**

```text
┌──────────────────────────────────────────────────────────────┐
│                   CLOSURE & ARCHIVAL PHASE                   │
├──────────────────────────────────────────────────────────────┤
│                                                              │
│ [ ] Complete Case Completion Checklist                       │
│     └── See: Case-Template/Case-Completion-Checklist.md      │
│                                                              │
│ [ ] Verify Evidence Integrity                                │
│     ├── Re-hash all files                                    │
│     ├── Compare to original hashes                           │
│     └── Document any discrepancies                           │
│                                                              │
│ [ ] Finalize Documentation                                   │
│     ├── Proofread all reports                                │
│     ├── Verify all links work                                │
│     ├── Update date stamps                                   │
│     └── Add final status to case files                       │
│                                                              │
│ [ ] Package Evidence                                         │
│     ├── Create evidence manifest                             │
│     ├── Include chain of custody                             │
│     ├── Add hash file (all hashes in one .txt)               │
│     └── Create archive (ZIP/7z with encryption)              │
│                                                              │
│ [ ] Submit Deliverables                                      │
│     ├── Final report                                         │
│     ├── Evidence package                                     │
│     ├── Executive summary (if requested)                     │
│     └── Any required referrals (LE, platforms)               │
│                                                              │
│ [ ] Secure Storage                                           │
│     ├── Archive case files                                   │
│     ├── Store in encrypted location                          │
│     ├── Document retention policy                            │
│     └── Restrict access (need-to-know)                       │
│                                                              │
│ [ ] Debrief & Lessons Learned                                │
│     ├── What went well?                                      │
│     ├── What could be improved?                              │
│     ├── New techniques learned?                              │
│     └── Document for future reference                        │
│                                                              │
│ [ ] Update Case Status                                       │
│     └── Mark as Closed in README.md                          │
│                                                              │
└──────────────────────────────────────────────────────────────┘
```
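The "re-hash all files, compare to original hashes, document any discrepancies" step and the "hash file (all hashes in one .txt)" item, as an added example that is not part of the original guide. It assumes the hash file written at packaging time uses sha256sum's text format (one `<hex>  <relative path>` line per file) and lives at a path of your choosing, e.g. `05-Admin/evidence-manifest.sha256` (an assumed name); it reports modified, missing and never-logged files separately, since each needs a different note in the case file.

```python
import hashlib
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Chunked SHA-256 so large evidence files are not read into memory at once."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(evidence_dir: Path, manifest: Path) -> int:
    """Hash every file under 03-Evidence/ into one sha256sum-compatible text file."""
    lines = [f"{sha256_file(p)}  {p.relative_to(evidence_dir).as_posix()}"
             for p in sorted(evidence_dir.rglob("*")) if p.is_file()]
    manifest.write_text("\n".join(lines) + "\n")
    return len(lines)


def verify_manifest(evidence_dir: Path, manifest: Path) -> dict:
    """Re-hash the evidence tree and return the discrepancies a closure review must document."""
    expected = {}
    for line in manifest.read_text().splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)  # sha256sum separates hash and path with two spaces
            expected[rel] = digest
    present = {p.relative_to(evidence_dir).as_posix(): p
               for p in evidence_dir.rglob("*") if p.is_file()}
    report = {"modified": [], "missing": [], "unlogged": []}
    for rel, digest in expected.items():
        if rel not in present:
            report["missing"].append(rel)       # deleted or moved since packaging
        elif sha256_file(present[rel]) != digest:
            report["modified"].append(rel)      # content changed: treat as possible tampering
    report["unlogged"] = sorted(set(present) - set(expected))  # files that were never hashed
    return report
```

Because the manifest is in sha256sum's own format, `sha256sum -c` run inside `03-Evidence/` on a Unix host gives the same modified/missing verdicts; it does not flag unlogged files, which is why the check above lists them too.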
## Decision Trees

### Should I Investigate This?

```text
Investigation Request Received
             ↓
Is there written authorization?
      ↓              ↓
     YES             NO → STOP - Get authorization first
      ↓
Is request legal and ethical?
      ↓              ↓
     YES             NO → STOP - Decline request
      ↓
Is scope clearly defined?
      ↓              ↓
     YES             NO → Clarify scope with requestor
      ↓
Do I have skills/tools needed?
      ↓              ↓
     YES             NO → Seek training or refer to specialist
      ↓
PROCEED with investigation
```
### What If I Find Illegal Content?

```text
 Encountered Illegal Content
              ↓
    What type of content?
              ↓
      ┌───────┴────────────────────┐
      ↓                            ↓
CSAM/CSEM                        Other Serious Crime
(Child Abuse Material)           (Violence, Threats, etc.)
      ↓                            ↓
1. STOP collection immediately   1. Stop and document
2. Do NOT save/download          2. Take single screenshot (if safe)
3. Report to NCMEC CyberTipline  3. Report to law enforcement
   (CyberTipline.org)               (IC3.gov or local LE)
4. Report to platform            4. Report to platform
5. Notify supervisor             5. Notify supervisor
6. Document incident             6. Continue investigation per LE guidance
```
### Should I Escalate This Case?

```text
Evidence of Criminal Activity?
              ↓
      ┌───────┴─────────────────┐
      ↓                         ↓
     YES                        NO
      ↓                         ↓
How serious is the crime?   Continue investigation
      ↓                     per normal procedures
  ┌───┴──────────────┐
  ↓                  ↓
Serious/Violent      Non-Violent
(Murder, Terrorism,  (Fraud, ToS violation,
 CSAM, etc.)          Impersonation)
  ↓                  ↓
IMMEDIATE escalation   Document and report at
to law enforcement     case completion
(Call, don't wait)     (IC3, platform reporting)
```
## Time Management

### Typical Investigation Timeline (Beginner Case)

```text
Week 1:
├── Day 1: Setup & Authorization (2 hours)
├── Day 2-3: Collection Phase (4-6 hours)
└── Day 4-5: More collection (4-6 hours)

Week 2:
├── Day 1-2: Analysis & Correlation (6-8 hours)
├── Day 3-4: Timeline reconstruction (4-6 hours)
└── Day 5: Begin reporting (2-3 hours)

Week 3:
├── Day 1-2: Complete report (4-6 hours)
├── Day 3: Review and quality check (2 hours)
└── Day 4: Closure and submission (2 hours)

Total: 30-45 hours over 3 weeks (part-time)
```
## Common Pitfalls & How to Avoid Them

| Pitfall | Impact | Prevention |
|---|---|---|
| No authorization | Legal liability | Always get written authorization first |
| Poor OPSEC | Tipped off subject | Use VPN, burner accounts, don't interact |
| Skipping documentation | Inadmissible evidence | Log as you go, don't rely on memory |
| Single-source verification | False conclusions | Always cross-reference 2-3 sources |
| Scope creep | Wasted time, legal issues | Stick to defined scope, get approval for changes |
| Evidence tampering | Invalidated case | Never edit, only view. Hash immediately |
| Delayed escalation | Victims harmed | Report serious crimes immediately |
| Burned out | Poor quality work | Take breaks, set realistic timelines |
## Quick Reference: Investigation Checklist

**Pre-Investigation:**
- Authorization obtained
- Scope defined
- Environment set up
- SOPs reviewed

**During Investigation:**
- Evidence logged immediately
- All files hashed
- OPSEC maintained
- Regular backups

**Post-Investigation:**
- All objectives met
- Report completed
- Evidence packaged
- Case closed properly
## Related Resources

- Legal & Ethics SOP
- OPSEC Planning SOP
- Collection Logging SOP
- Reporting & Disclosure SOP
- Case Completion Checklist
- Glossary

**Document Version:** 1.0 | **Last Updated:** 2025-10-12 | **Maintainer:** gl0bal01