SKILL: OSINT Methodology

Metadata

• Skill Name: osint-methodology
• Folder: offensive-osint-methodology
• Source: https://github.com/SnailSploit/offensive-checklist/blob/main/osint-method.md

Description

Structured OSINT methodology framework: target definition, source selection, collection workflows, data correlation, timeline reconstruction, and reporting. Use to guide systematic OSINT campaigns or teach OSINT methodology.

Trigger Phrases

Use this skill when the conversation involves any of: OSINT methodology, open source intelligence, target profiling, data correlation, OSINT workflow, intelligence collection, OSINT campaign, recon methodology

Instructions for Claude

When this skill is active:

1. Load and apply the full methodology below as your operational checklist
2. Follow steps in order unless the user specifies otherwise
3. For each technique, consider applicability to the current target/context
4. Track which checklist items have been completed
5. Suggest next steps based on findings

Full Methodology

OSINT Methodology

OpSec

Create a Sock Puppet

• Fake account that cannot be linked to you
• Build a posting history (post stuff, etc.)
• Resources
  • Effective Sock Puppets
  • Ultimate Guide to Sock Puppets
  • Fake Name Generator
  • This Person does not Exist
  • Use separate browser profiles or isolation tools (e.g., Firefox Multi‑Account Containers) for any sock‑puppet activity.
  • Acquire disposable VoIP/SMS numbers (e.g., Burner, Silent Link) to satisfy platform verification without exposing real phone numbers.
  • Audit every browser extension before installation; supply‑chain attacks on popular add‑ons have targeted investigators since 2024.
  • Use dedicated browser profiles/containers per case and persona; avoid logging into personal accounts.
  • Prefer hardware‑backed passkeys for critical accounts; store recovery codes offline.
  • Maintain a minimal chain‑of‑custody: timestamp actions, hash key artifacts, and record tool versions per case.

Cryptocurrency Investigation

Transaction Analysis

• Track transaction flows between wallets
• Identify clusters of related addresses
• Monitor large transfers and whale activity
• Use block explorers to trace fund movements
• Tools:
  • Cielo: Multi-chain wallet tracking (EVM, Bitcoin, Solana, Tron)
  • TRM: Create relationship graphs for addresses/transactions
  • Arkham: Multichain explorer with entity labels, graph creation, and alerts
  • MetaSleuth: Transaction visualization for retail users
  • Range: CCTP bridge explorer
  • Socketscan: EVM bridge explorer
  • Pulsy: Bridge explorer aggregator
  • Chainalysis: Horizon 2.0 cross‑chain tracing suite (paid)
  • Elliptic: Lens visual link explorer (launched Dec 2024)
  • Most compliance suites now provide real‑time bridge‑risk scoring dashboards (e.g., TRM, Chainalysis)

Layer 2 / Rollup Analysis

• zkSync Era / Polygon zkEVM: Zero-knowledge proofs hide transaction details on L2; only deposit/withdrawal bridge events visible on L1. Use zkSync Era Block Explorer and PolygonScan zkEVM.
• Arbitrum / Optimism: Transactions batched and compressed; L2 state reconstructed from L1 calldata. Use Arbiscan and Optimistic Etherscan. Check L2Beat for risk framework and technology stack.
• StarkNet: Cairo VM with STARK proofs; different address derivation. Use Voyager or StarkScan.
• Base / Blast / Scroll: OP Stack or ZK-rollups; similar challenges to above.
• Privacy protocols on L2:
  • Aztec Network: Programmable privacy with noir circuits; limited block explorer visibility.
  • Railgun: Privacy system for DeFi on Ethereum/Polygon/BSC; shielded pools obscure sender/receiver/amount.
  • Privacy Pools: Proposed Tornado Cash successor with association sets; not yet deployed at scale.
• Challenges:
  • Bridge mixers (Hop Protocol, Across, Stargate) create synthetic liquidity pools that break direct tracing; funds enter/exit via pool swaps.
  • Cross-rollup transfers further obfuscate trails; requires tracking via bridge contracts and relayer infrastructure.
  • Many L2s lack mature analytics tools; explorers show transactions but relationship graphs are sparse.
• Methodology:
  • Start with L1 bridge events (deposits/withdrawals); these anchor L2 activity to known addresses.
  • Use L2-specific explorers to trace activity within the rollup.
  • For privacy protocols, focus on timing analysis, deposit/withdrawal clustering, and off-chain metadata (transaction memos, Tornado Cash-style notes).

Cautions (bridges and heuristics)

• Bridges/mixers/wrappers introduce mint/burn semantics; avoid assuming 1:1 flows without on‑chain proofs.
• MEV/sandwich and aggregator paths can create false "direct" trails; validate with multiple datasets.
• Cross‑label sanity: vendor labels can disagree; treat labels as hypotheses, not ground truth.
• L2 finality: Optimistic rollups have 7-day challenge periods; zkRollups finalize faster but proofs can be batched/delayed.

Wallet Profiling

• Analyze wallet age and activity patterns
• Check for connections to known entities
• Monitor balance changes over time
• Identify associated exchange accounts

Exchange Investigation

• Track deposits/withdrawals
• Monitor trading patterns
• Identify linked accounts
• Check for regulatory compliance

NFT Investigation

• Track ownership history
• Monitor sales and transfers
• Analyze metadata and hidden content
• Identify connected wallets and marketplaces

Image Analysis

• Contextual Analysis
  • Use multiple reverse image search engines to find matches or similar images:
    • Google Images / Google Lens (note: Google Lens now requires authentication for some features; use incognito/sock-puppet account)
    • Yandex Images
    • Bing Image Match
    • TinEye
    • Copyseeker AI‑based reverse‑image search engine
    • Perplexity Pro with image upload: AI-powered contextual analysis and web search
  • Use browser extensions for quick searches:
    • RevEye Reverse Image Search
    • Search by Image (multi-engine support)
  • Change search terms and time to narrow down the possible results
  • You can leverage FakeNews Debunker Extension as well
  • Picarta might help with geolocation as well
  • Check for embedded metadata (EXIF data) that may contain geolocation or device information:
    • ExifTool
    • Jeffrey's Image Metadata Viewer
    • EXIF Viewer Pro
• Foreground
  • Signs, license plates, clothing styles, vegetation, and weather conditions.
• Background
  • Landmarks, unique buildings, mountains, bodies of water, and infrastructure.
• Map Markings
  • Flora and fauna types, which can indicate geographic regions.
  • Seasonal indicators like snow, foliage, or daylight hours.
• Trial and Error