Synced from an Obsidian vault

For graph and advanced features, download the full Intel Codex Vault and open it in Obsidian.

Investigation Index

Quick Navigation: Comprehensive guide to investigation procedures, platform-specific techniques, and entity profiling.

🎯 Investigation Workflow

Standard Investigation Process

Step-by-step:

Pre-Investigation: Legal & Ethics Review → OPSEC Planning
Collection Phase: Collection Logging + Platform SOPs + Entity Dossier
Specialized Techniques: Image/Video Analysis / Web Infrastructure / Financial Investigation
Escalation (if needed): Sensitive Crime Escalation
Closure: Reporting & Disclosure

📱 Platform-Specific SOPs

Platform	Primary Use Cases	Difficulty	Link
Twitter/X	Real-time info, public discourse, journalists	Medium	[Twitter/X SOP](../Platforms/sop-platform-twitter-x)
Instagram	Visual content, influencers, location tracking	Easy	[Instagram SOP](../Platforms/sop-platform-instagram)
TikTok	Youth demographics, viral trends, OSINT challenges	Medium	[TikTok SOP](../Platforms/sop-platform-tiktok)
LinkedIn	Professional networks, employment history, B2B	Easy	[LinkedIn SOP](../Platforms/sop-platform-linkedin)
Reddit	Anonymous communities, niche topics, AMAs	Medium	[Reddit SOP](../Platforms/sop-platform-reddit)
Telegram	Encrypted messaging, groups, channels	Hard	[Telegram SOP](../Platforms/sop-platform-telegram)
Bluesky	Decentralized Twitter alternative, tech early adopters	Easy	[Bluesky SOP](../Platforms/sop-platform-bluesky)

Quick Platform Comparison

A Best for:

Identity verification: LinkedIn, Facebook
Real-time events: Twitter/X, Telegram
Location intelligence: Instagram, TikTok
Anonymous investigations: Reddit, archived Twitter
Professional background: LinkedIn
Visual evidence: Instagram, TikTok
Encrypted comms analysis: Telegram

🔍 Investigation Techniques

Core Techniques

Technique	Description	Difficulty	Link
Entity Dossier	Comprehensive person/org profiling	Medium	[Entity Dossier Template](../Techniques/sop-entity-dossier)
Image/Video OSINT	Reverse search, geolocation, metadata	Medium	[Image/Video Analysis](../Techniques/sop-image-video-osint)
Web/DNS/WHOIS	Infrastructure attribution, domain pivoting	Easy	[Web Infrastructure](../Techniques/sop-web-dns-whois-osint)
Financial/AML	Blockchain, company records, sanctions screening	Hard	[Financial Investigation](../Techniques/sop-financial-aml-osint)
Collection Logging	Evidence tracking, chain of custody	Easy	[Collection Log](../Techniques/sop-collection-log)

Specialized Techniques

Geolocation:

Image metadata (EXIF GPS coordinates)
Shadow analysis & sun position (SunCalc)
Landmark identification (Google Maps, OpenStreetMap)
Reference: Image OSINT - Geolocation

Blockchain Analysis:

Wallet clustering (Chainalysis, Elliptic)
Transaction tracing (Blockchain.info, Etherscan)
Mixer detection (Tornado Cash, Wasabi)
Reference: Financial OSINT - Crypto

Infrastructure Pivoting:

WHOIS reverse lookup (registrant email)
DNS history (SecurityTrails, DomainTools)
IP reverse lookup (Shodan, Censys)
SSL certificate transparency (crt.sh)
Reference: Web OSINT - Pivoting

👥 Entity Management

Entity Types

Person: Example in 2025-001 Investigation (crypto scammer profile)
Organization: Example methodology in Entity Dossier SOP
Domain: (Create using Entity Dossier Template)
Cryptocurrency Wallet: (Create using Entity Dossier Template)
Asset: (Create using Entity Dossier Template)

Entity Creation

To create a new entity:

Use Entity Dossier SOP as reference
Start from blank Subject Profiles template
Name format: entity-[type]-[identifier].md (e.g., entity-person-john-doe.md)
Update entity type in frontmatter: person | org | domain | wallet | asset
Set risk level: low | medium | high | critical
Set confidence: low | medium | high

🛡️ Legal & Operational

Pre-Investigation Requirements

Legal Checklist:

Review Legal & Ethics SOP
Verify investigation scope and authorization
Confirm jurisdiction and applicable laws
Document legal basis for collection
Identify sensitive crime triggers (see escalation SOP)

OPSEC Checklist:

Review OPSEC Planning SOP
VPN/Tor configuration verified
Burner accounts created (if needed)
Browser fingerprinting protection enabled
No personal accounts used for investigation
Attribution risk assessed

Escalation Procedures

When to escalate: Sensitive Crime Escalation SOP

Immediate escalation triggers:

Child safety concerns (CSAM, exploitation)
Imminent threat to life
Terrorism or national security
Human trafficking indicators
Active violent crime

Escalation contacts:

NCMEC (child safety): 1-800-843-5678 or CyberTipline.org
FBI (terrorism/national security): tips.fbi.gov
Local law enforcement (imminent threats): 911
Internal supervisor: [Contact info]

📊 Evidence & Reporting

Evidence Collection

Key practices:

Use Collection Log SOP for all evidence
Calculate hashes immediately (SHA-256 preferred)
- See: Hash Generation Methods
Screenshot with timestamp & URL visible
Archive websites (Archive.org, archive.is)
Record chain of custody

Evidence structure:

/Evidence/
├── CASE-ID/
│   ├── screenshots/
│   ├── documents/
│   ├── videos/
│   ├── archives/
│   └── SHA256SUMS (hash verification file)

Reporting

Final report: Reporting & Disclosure SOP

Report sections:

Executive summary
Scope and methodology
Findings (organized by entity)
Evidence appendix (with hashes)
Recommendations
Legal disclaimers

🧰 Essential Tools

Quick Tool Reference

Search & Discovery:

Google Advanced Search, DuckDuckGo
Shodan, Censys (internet-wide scanning)
Wayback Machine (website archives)
crt.sh (SSL certificate transparency)

Social Media:

Nuclei (username enumeration)
Social-Analyzer (social media OSINT)
Twint (Twitter scraping - archived tweets)
Nitter (Twitter privacy frontend)

Image/Video:

Google Image Search, TinEye, Yandex
InVID (video verification)
ExifTool (metadata extraction)
GeoGuessr, SunCalc (geolocation)

Infrastructure:

WHOIS, dig, nslookup
SecurityTrails, DomainTools
BuiltWith (technology profiling)
PublicWWW (source code search)

Blockchain:

Blockchain.info, Etherscan
Chainalysis Reactor (commercial)
Wallet Explorer (Bitcoin clustering)

Comprehensive tool lists:

Platform SOPs: Tool sections in each SOP
Technique SOPs: Specialized tool references
Main index: START → Security section

Internal References

Main navigation: Vault Home (START)
Security tools: Malware Analysis | Hash Generation
Pentesting: Linux | Active Directory
CTF guides: CTF Getting Started

External Resources

OSINT Framework: https://osintframework.com/
Bellingcat Toolkit: https://docs.google.com/spreadsheets/d/18rtqh8EG2q1xBo2cLNyhIDuK9jrPGwYr9DI2UncoqJQ
IntelTechniques Tools: https://inteltechniques.com/tools/
SANS OSINT Summit: https://www.sans.org/cyber-security-training-events/
Trace Labs OSINT VM: https://www.tracelabs.org/initiatives/osint-vm

🔄 Investigation Templates

Quick Start Templates

New Person Investigation:

Create entity file from template
Run username enumeration: nuclei -tags osint -var user=username
Check data breaches: Have I Been Pwned
Social media audit: Twitter, LinkedIn, etc.
Image search: Google, TinEye, PimEyes
Log findings: Collection Log

New Organization Investigation:

Create entity file from template
Corporate records: [Company Registry Search](../Investigations/Techniques/sop-financial-aml-osint#Company Registries)
Domain analysis: Web/DNS/WHOIS OSINT
Blockchain (if applicable): [Crypto Tracing](../Investigations/Techniques/sop-financial-aml-osint#Cryptocurrency Tracing)
Employee mapping: LinkedIn OSINT
Sanctions screening: [AML Checks](../Investigations/Techniques/sop-financial-aml-osint#Sanctions Screening)

New Domain Investigation:

WHOIS lookup: whois domain.com
DNS enumeration: dig domain.com ANY, subfinder
Certificate transparency: curl -s "https://crt.sh/?q=%25.domain.com&output=json"
Reverse IP: Shodan, Censys, SecurityTrails
Technology profiling: BuiltWith, Wappalyzer
Archive search: Wayback Machine

📋 Case Management

Active Cases

TABLE case_id, entity_type, risk, confidence, updated
FROM "Cases"
WHERE type = "dossier"
SORT updated DESC
LIMIT 10

High-Risk Entities

TABLE name, entity_type, risk, case_id, analyst
FROM "Cases"
WHERE type = "dossier" AND risk = "high" OR risk = "critical"
SORT updated DESC

Pending Review

TABLE name, entity_type, confidence, updated
FROM "Cases"
WHERE type = "dossier" AND confidence = "low"
SORT updated DESC

🔔 Updates & Maintenance

Last Updated: 2025-10-05 Index Version: 2.0 (post-reorganization) Next Review: 2025-11-05

Recent Changes:

2025-10-05: Complete rewrite after vault reorganization
2025-10-05: Added example entities (person, organization)
2025-10-05: Enhanced entity dossier template with comprehensive workflows
2025-10-05: Updated all SOP links to match new structure

Upcoming:

Add domain entity example
Add cryptocurrency wallet entity example
Create case management template
Add investigation workflow diagrams

Quick Links: 🏠 Home | ⚖️ Legal | 🔒 OPSEC | 👤 Entity Template | 📄 Reporting

🎯 Investigation Workflow​

Standard Investigation Process​

📱 Platform-Specific SOPs​

Social Media Platforms​

Quick Platform Comparison​

🔍 Investigation Techniques​

Core Techniques​

Specialized Techniques​

👥 Entity Management​

Entity Types​

Entity Creation​

🛡️ Legal & Operational​

Pre-Investigation Requirements​

Escalation Procedures​

📊 Evidence & Reporting​

Evidence Collection​

Reporting​

🧰 Essential Tools​

Quick Tool Reference​

📚 Related Resources​

Internal References​

External Resources​

🔄 Investigation Templates​

Quick Start Templates​

📋 Case Management​

Active Cases​

High-Risk Entities​

Pending Review​

🔔 Updates & Maintenance​