7 posts tagged with "OSINT"

A real malware analysis job. The trail went sample → strings → network IOCs → C2 infrastructure → on-chain. The funds went through a mixer.

Halfway through that chain I realized I had solid SOPs for the first half and absolutely nothing written down for the back half. Blockchain address clustering, mixer heuristics, bridge read-flow, how to structure on-chain evidence for court admissibility — I was building all of it on the fly. I finished the job, wrote down what I'd worked out, and that became the seed for what's now in v2.0.

Intel Codex v2.0 ships 11 new SOPs. Most of them exist because a real investigation or assessment hit the edge of what v1.0 covered.

My first TraceLabs CTF. The clock is running, my teammates are already triaging leads, and I'm still typing site:linkedin.com "John Doe" Seattle by hand. The same query I've typed a hundred times. Then the username variants. Then the reverse image search URLs for each platform, one by one. We finished 7th, which is fine, but it didn't feel like 7th-place work — it felt like I'd spent a third of the competition on mechanical tasks that shouldn't take that long.

I went home and started building dorkhound. Give it a name — or a full case file with emails, phones, usernames, a photo — and it generates 340+ ranked search URLs across 25 categories, ready to triage. The scaffolding that used to take 45 minutes takes about three seconds.

Mid-CTF, web challenge, something is hidden on the page. I'm digging through source by hand, looking for HTML comments and concealed tags, squinting at DevTools like a man who lost his glasses. Ten minutes of this. Worst ten minutes of my life.

That became the first bookmarklet — Expose Hidden Content. One click, color-coded highlights, done in two seconds. The rest accreted from the same place: every "ugh, this again" moment during a CTF or OSINT investigation that was repeatable enough to automate. Username generation from a name. Bulk URL opening from a dork result. Domain reconnaissance without opening 30 tabs manually. Each one is a muscle memory shortcut that stopped being manual.

That's bookmarklets — 9 tools built on one principle: drag a link to your bookmark bar, click it on any page, done. No install, no extension permissions, no trust in a third party. The entire source is visible JavaScript that runs locally in your browser. Nothing leaves the page.

OSINT CTFs are a team sport, and the bottleneck is almost never knowledge — it's coordination. During a competition, our team was hitting maritime challenges, aviation challenges, username enumeration, the full spread. And a significant chunk of time just evaporated into "which tool do I use for this?" and "is that source reliable enough to submit on?"

The experienced members had their go-to sources. The newer ones didn't, and asking mid-CTF burns time for everyone. What I wanted was one bot covering the reliable tools for the most common challenge types — so the question becomes "what do I know about this target?" instead of "where do I even start?"

That's Discord OSINT Assistant. 31 slash commands across 8 categories, results in the channel where the whole team sees them. No divergent environments, no "which Python version do you have", no shared credentials in chat.

As an autodidact solver, developer, architect, and CTF jeopardy competitor working across digital investigations and security operations, I kept running into the same problem: fragmented knowledge. Every investigation meant digging through scattered bookmarks, old notes, and half-remembered techniques.

Every new team member needed months to learn the same procedures. Every case required rebuilding the same templates from scratch.

I'm old and slow. Not elderly — just, by the time I've got five tabs open, uploaded to a face tool, waited for the result, and figured out what the confidence score actually means, the moment's gone. The CTF clock is ticking and my teammates are staring at me.

What I actually wanted was /rekognition compare in the team channel. One command, answer visible to everyone, no browser tabs, no copy-pasting face URLs into some website that charges per lookup. Just: does this face match that face, yes or no, confidence score attached.

That's the whole idea. discord-amazon-rekognition wires AWS Rekognition's full analysis pipeline into two Discord slash commands. Face comparison, OCR, object detection, celebrity recognition, content moderation — all available without leaving the channel where the conversation is actually happening.

When I first discovered the Basel Institute LEARN platform, I wasn't sure what to expect from free online courses about financial crime investigation. After completing most of their self-paced eLearning modules, I can confidently say this is some of the most practical and valuable training I've encountered in the field.