Intro to OSINT: Zero on the way to Hero

Joe Gray

OSINT can be one's worst enemy or best friend, depending on the angle from which a person looks at it. This introductory-level workshop will start out discussing the basis of OSINT, then transition into applicable use case scenarios. Once we have a sound foundation in OSINT, we’ll start to work on some collection considerations and techniques.

In terms of tools used in this presentation, the list is somewhat fluid based upon the advancement of other tools, social media platforms, or other variables. Tools intended to be highlighted are: Buscador Linux, Recon-ng, Datasploit, APIs (Twitter and possibly Facebook; maybe others), haveibeenpwned, whois, persona generator, and others.

Depending on your position, this talk will either arm you with the right tools to build better OSINT engagements, whether for phishing or other investigations, or educate you on steps you can take to better secure yourself.

Detailed talk outline: Hour 1


What is Open Source Intelligence (OSINT)?

Outlets/Sources: Starts by giving a definition of OSINT and introduces Michael Bazzell. This moves on to places to gather information and discusses software like Datasploit and Recon-ng (demonstrated later) as sources per se.

Methods: This discusses things on the internet: job boards, forums, Google, Intel Techniques and OSINT Framework (demonstrated later), as well as other outlets. From here we discuss automation in terms of tools, pretexting, and search parameters.

Aims and goals: Simply put, the aim is to gather as much information about our target as we can. I talk about timing for the purpose of explanation. We look at some examples of easy wins and start the integration.

Basis of OSINT

Info sources: This discusses the similarities in the information gathering.

Uses of collected data (generalization): Here, I talk about making the OSINT actionable via contact with the target and having better context. Other goodies to be discovered are also discussed.

Collecting OSINT

That first tidbit of data: I explain that most OSINT starts with something minor: a name, phone number, email address, user name, physical address, metadata. I talk about “harmless surveys”.

Unwinding the web: From here, I show what comes next with the tidbit and the snowball effect. I talk about the correlation of information and the ease in building a profile on you.

Rinse and Repeat: Several rounds may be required. You may find something interesting towards the end that causes you to look at everything again from a different angle.

Integrations to/from OSINT

Applying the OSINT for SE Attacks

Dr. Cialdini’s 6 Principles of Persuasion: I reiterate the 6 principles and provide more in-depth analysis of the application of them based on collected OSINT. The next step is applying the principles to each type of attack:



Social Media

Pretexting and impersonation

knowledge. This is not placing the burden on them, but empowering them to contribute from the trenches.


Using tools like OnionScan to pinpoint correlations in onion sites to regular sites to identify the sources of malware


Use by Law Enforcement or other entities to find information about a target

Marketing and Sales

How these entities leverage OSINT data to better market and sell to you


Show how to dig for more tidbits: This will include using OSINTFramework more thoroughly than in the talk. I will demonstrate some of the capabilities in searching for user names, reverse phone searches, address searching, and Social Media mapping for sentiment.

Break (50:00)

Hour 2

OSINT on a car back windshield


Show how to do more mass scanning for various data using the IntelTechniques Tools: This will include using IntelTechniques more thoroughly than in the talk. I will demonstrate some of the capabilities in searching for user names, reverse image searches, reverse video searches, YouTube, Pastebins, Satellite Views, and Social Traffic.

I will discuss Michael Bazzell’s books, blog, and podcast as a reference point.

Collection Considerations

End Game



Protecting the data

Demo of tools


Joe Gray (@C_3PJoe) joined the U.S. Navy directly out of High School and served for 7 years as a Submarine Navigation Electronics Technician. Joe is an Enterprise Security Consultant at Sword & Shield Enterprise Security in Knoxville, TN. Joe also maintains his own Blog and Podcast called Advanced Persistent Security. In his spare time, Joe enjoys reading news relevant to information security, attending information security conferences, contributing blogs to various outlets, bass fishing, and flying his drone. He is currently progressing his DFIR skills through Data Carving and Malware Analysis and Reverse Engineering.

I have spoken/presented at the following (All 2017): BSides Huntsville (Last minute alternate), (ISC)² Atlanta, BSides Indy, (ISC)² Middle TN, Infosec Southwest, BSides Nashville, BSides Charm (Baltimore), BSides Knoxville, BSides Cincy, Dc865 (Knoxville TN Defcon chapter).

Here are some links to my talks:

Quick Info

Venue for DEF CON 27:
Talks: Celebrity 5
InfoBooth and CTF: Contest Area
Planet Hollywood
Las Vegas.
