An introduction to OSINT and III.
OSINT and III are acronyms that come from the Intelligence community, originating from national security and law enforcement organisations. The two terms are commonly used interchangeably; this post will clarify the differences between these two concepts. The foundation for this post is the included videos from our OSINT courses.
What is OSINT?
OSINT is an acronym for Open-Source Intelligence. Open-Source Intelligence can be defined as:
The collection, evaluation, analysis and dissemination of information from publicly available sources, such as the media, social networks, forums and blogs to use for either intelligence purposes or as evidence to assist with internal investigations.
Open-Source Intelligence involves taking relevant publicly available information and collecting it with the goal of gaining knowledge on either a person, a business or a threat. Open-Source information can be incredibly useful for an investigation; you can collect personal data, like someone's name, DOB, address, job, as well as their habits and details around their lifestyle, like what they drive and where they frequent. Alternatively, when you're collecting information on a business, you can identify what the business does, where they’re based, their size, who they employ, and anything else that you can find. By collecting this information to build up a picture, we are adding value and creating intelligence.
When people talk about OSINT these days, they're generally talking about internet-based OSINT but it's important to know that OSINT predates the internet and historically it has come from other sources like newspapers and journal articles. These other sources are relied on far less today than the internet, however, they were where OSINT began as a concept.
Is any information collected freely considered OSINT?
The term OSINT is thrown about a lot these days, particularly as OSINT is now being used in other industries outside of national security and law enforcement. However, OSINT as it was originally defined is not a catch-all term for any information captured via the internet or from public sources. Information that has been captured from publicly available sources is defined in the intelligence community as Open-Source information (OSINF), something very different to Open-Source Intelligence. Intelligence, including OSINT, is something that an intelligence professional creates rather than something that they collect. Intelligence is actually a 3-stage process, which is made up of data, information and knowledge. Information that is collected but not developed in any way cannot be considered intelligence, because there has been no value added to it.
To give an example of how this works, OSINT can be shown passing through the 3-stage process of data, information and knowledge.
Data - When we go on social media and type in the name Steve Adams in a Facebook search bar, we might get hundreds of results. This is raw data, which is the first stage.
Information - Information, the second stage, is created as a result of the gathering, organising and processing of that data, when it is done for a specific purpose. This is where we evaluate our list of results and try to narrow it down. Using filters on location and school may find us a limited number of profiles or even just the one. Even when we have one profile, it’s still just Open-Source information. An identified social media profile is often presented as OSINT, however, there is insufficient value here to consider this OSINT. Instead, this would appropriately be described as Open-Source Information Collection and Research.
Knowledge - The final stage, Knowledge, is an understanding of the information you hold, and you create Knowledge through analysis and research of strands of information. This could be a full subject profile of information collected using the internet that has been corroborated by parallel sourcing information. By identifying key names appearing in Equifax co-residents and identifying those individuals in the friends lists of multiple social media accounts belonging to your target, you have sufficient information to develop a network chart for the subject. In this example, you are adding value to the information held, which you have corroborated.
Intelligence, including OSINT, is the combined process of all three of these stages: data, information and knowledge. So, we only have Open-Source Intelligence once we have completed the knowledge stage. Collecting information in itself isn't OSINT. The crucial step to turn Open-Source information into Open-Source Intelligence is proper evaluation, and that’s ultimately the most important part because that’s what makes it actionable.
What is III?
III is another term that is rising in prominence in the OSINT world, which stands for Internet Intelligence and Investigation. This term was developed in UK law enforcement, where it is now the preferred term for OSINT or OSINF research. This differs from OSINT for two reasons. Firstly, III only includes information that is sourced using the internet. OSINT is often used today to refer specifically to information found on the internet, however, OSINT can also be found in physical form such as books, newspapers and journals. Secondly, not all information that can be found on the internet is open source. I break down information on the internet into four categories, all of which can be collected during III activity. These four categories are Open Source information, Quasi Open Source information, Quasi Closed Source information and Closed Source information.
Open-Source is any information that can be found online without payment or any restriction to access. Social Media is the primary example here. Yes, you need to create an account, however, this isn’t a barrier to access. Anyone in the world can create a social media account. Access is free and once you’ve got your account you can see almost anything within that platform.
Quasi Open-Source is information that has no restrictions on access, however, it isn’t free. Hooyu Investigate and GBG Connexus are systems that pretty much anyone can sign up for, as long as you have sufficient money. You can get hold of really helpful data on a person by just paying for it. If you want to know someone's email address or all the addresses that they’ve lived at then you can probably get it with one of these systems. There are a number of other systems that offer open source data that only restrict you through price.
Quasi Closed-Source is information that has some restrictions on access and is usually also paid for, however, there are opportunities to access this data with the right permissions. A number of systems or data sets are limited for use by law enforcement. Unless you can prove that you are from law enforcement then you cannot access that data in any way. Equifax has data access that it restricts exclusively to Law Enforcement Units. Similarly, Clearview AI, a facial recognition tool, will only sell access to its dataset and tool if you are a law enforcement unit. Data protection laws and the inherent right to privacy mean that this data cannot be freely available. Therefore, access is restricted to a moderate degree. Similarly, some social media groups are restricted in access. Whilst social media is Open-Source, a closed group requires permission to join from an admin. This involves making contact with a person using an alias and under the current NPCC guidance is considered Level 4 activity, which requires authorisation within a UK Law Enforcement Agency.
Closed-Source is information that your organisation holds access rights to that is not available for public use. This may be data that only your organisation holds or may be a database that you have created amongst a number of organisations. In the UK, the Police National Computer, or PNC, is a great example. All of the police forces in the UK can access the same database that shows an offender's criminal history and vehicles. This is available via a closed network and is only available to police forces or specific law enforcement units. Systems like SAP or Salesforce are also closed source systems that can be used in internet investigations. If you work in security for your organisation then you can find out a lot of details about employees using these systems through HR data. This data is a great starting point for an internet investigation, as it gives you the data you need to start searching on social media and sites like Hooyu and Equifax.
An internet investigator is responsible for collecting information from the internet from any type of source, regardless of whether it is Open-Source or not. Collection of intelligence using the internet is currently only done within Law Enforcement by a trained Internet Intelligence and Investigation specialist, as this ensures that the collection is done legally, ethically and in a way that protects the law enforcement agency.
To learn more about how to conduct OSINT and III, check out the two OSINT courses available from Intelligence with Steve on Teachable.