Data Xposure: The Podcast for Data Risk Leaders

When What You Find Online Becomes Evidence—and a Liability | Data Xposure - Ep 15

Exterro Season 1 Episode 15

What if the information your team relies on… isn’t as reliable as it looks?


In today’s investigations, it’s never been easier to find information online. Social media, public records, data brokers—answers are everywhere. But in this episode of Data Xposure, we explore a harder question:


Can you actually trust what you find?

Justin Tolman sits down with Jessica Stutzman, an open source intelligence expert and founder of Pangea Research, who has worked across law enforcement, national security, and the private sector helping organizations turn online information into actionable insight.
Together, they unpack how companies are using publicly available data to support investigations—and where it can quietly go wrong.
Because while this kind of research can uncover critical leads, it can also introduce serious risk:

  • Drawing the wrong conclusions from incomplete information
  • Relying on tools you don’t fully understand
  • Using evidence that won’t hold up under scrutiny

And when that happens, the consequences aren’t just technical—they’re business-critical. Cases fall apart. Decisions get challenged. Credibility is on the line.

Thanks for tuning in to the latest episode of Data Xposure. Don’t forget to subscribe so you never miss an update. For show notes, resources, and to connect with us, visit exterro.com/data-exposure-podcast/

SPEAKER_00

Welcome to another episode of Data Xposure. I'm your host, Justin Tolman, for this episode. And in this episode, we talk more about data, of course, because that's the theme of the podcast. But in this episode, we're going to talk about how to use data and maybe data from unconventional sources. Our guest this episode is Jessica Stutzman, who is the founder and president of Pangea Research LLC, an OSINT consulting research and training firm. OSINT standing for Open Source Intelligence or Information. Jessica is a certified forensic computer examiner and chair of the OSINT Program and Problem Development Program for IACIS. And she has spent her career across law enforcement and the intelligence community investigation scene from collection to analysis to digital forensics, and is currently a doctoral candidate in strategic intelligence at the American Military University, where her dissertation research examines human data validation when working with AI and automated tools. Jessica also serves as an OSINT expert advisor to UNOPS and sits on the Aurora Advisory Board at American University. So we have a great episode today. Let's go ahead and bring in Jessica and hear from the expert. Jessica, thanks for jumping on to talk to us today about open source intelligence and investigations. You are the resident pro. So I am going to start off with the basic question: what is OSINT or open source intelligence and investigations? Let's start, let's start at the absolute ground level and we'll build up from there.

SPEAKER_01

Sure. So OSINT in general, open source intelligence, it is collection, tasking, processing, analysis, exploitation, dissemination, that whole intelligence cycle of using publicly available information sources to get you to an end state of having actual intelligence. That doesn't necessarily mean that it's all free, although that is the case for many things. And it doesn't also mean that it's necessarily easy. It means anything that you can do open source that's legally and ethically accessible without any sort of undercover activities or operations. Once you do that, then you're getting kind of crossing a line at that point.

SPEAKER_00

So you mentioned, you know, not necessarily free, but you know, it kind of bounces between it. How there seems to be this like extra level, probably, of vetting how you approach it. Can you walk through, like, okay, I want to, I'm doing an investigation. I need to maybe look at some open source resources. How do I know what is going to be like a good resource or where do I start in that, in that process?

SPEAKER_01

So you definitely won't know off the bat unless you have a really good lead. You know, so if you're doing a forensics investigation, obviously you're gonna have access to the internet history of that person. And that'll give you some good directions to go. But if you're just, if you're a law enforcement officer and you're trying to maybe solve like a string of burglaries or something like that, that's a much different approach that you would need. And if you're doing, you know, a war crime investigation for an NGO, again, a very different approach. So getting started for everybody will look different. And the important piece is that anybody that wants to do OSINT investigations, no matter where they're supporting, will need to have a good grasp on the fundamentals. And what that means is knowing what the whole landscape looks like and where to start. And like I said, every every place starts in a different area. So it's really hard to say, like, hey, this is your starting point always. If you have an email address as your first lead, then you start with a couple different, you know, techniques or a couple different platforms where you can look for those. You might start with things like Have I Been Pwned to see if that email address has been in breach data going back a number of years. If you have a phone number, you may start somewhere else just by basic Google searching, dorking with that phone number to see if it's been reported for scams or if it's been used as a company phone number for a contact or something like that. Names, also different starting points, IP addresses, all of those will start in different areas depending on where your person is originating from.

SPEAKER_00

So you got to have that first little nugget, and that's going to point you. And I like that because a lot of advice is always like start at A. And with open source, it it's a bit more fluid based on where you want to go because there's so much out there. I mean, it's it's kind of like I don't want to all set me straight. It's kind of like anything is now a viable source of information in a weird way, right?

SPEAKER_01

It is, it is, and that's what makes it so complicated. People that are used to, you know, forensic examiners, I'll take that as an example. It can be very difficult for forensic examiners to move into OSINT because you're used to, you know exactly what you do, you know how you get your image, you know that you can go down to the bit, the binary to hex level, you can look at all of this and you know exactly what the steps are and what data should be there and where it belongs. And if it's not there, you know that something is up, right? That is not the case in OSINT, right? You don't necessarily have a static path. Now, um, there's a really great author out there for any of your people that want to, you know, dig in and learn a little bit more, Michael Bazzell. And he, as part of his books, he's got a bunch of downloadable files and links that you get with it. And he has some templates that kind of have like roadmaps, sort of, for if you're doing an email address, here are some great places to go check, but it's by no means a step-by-step do this, then this, then this. Um, a lot of the times you are having to collect resources and just kind of take notes and go, okay, let me circle back to this or let me look for this later. There is no easy A to B. Again, you'll you'll just get used to workflows and you'll kind of know, hey, these are, you know, phone numbers I have to search. Let me go hit all of my phone number search platforms. Um, it's every case is different. And honestly, it's kind of what makes it fun, but it can also be stressful if you're not super adaptable and flexible. It's really hard to, you know, I had a girl start for me uh several years ago and she's like, Well, where's the checklist of how I do this and then this and then this? And I was like, Well, I can give you like rough ideas, but you're gonna find a lead that says on Facebook that says, Hey, check out my Mastodon. And then you're gonna have to go to Mastodon. 
And that maybe wasn't part of the plan because you didn't know there was a Mastodon account for that person. So definitely a very, very much dynamic environment uh for every type of investigation that you'll have.

SPEAKER_00

So building off of that, coming from a forensic background where we're hammered in, you know, okay, you found this validated, found that validated, validate. How do you kind of bridge that gap? Because some of the stuff that you're finding, you're seeing it, but how do you get that, how do you cross that line or maybe balance the need for validation? And how would you report that and document that?

SPEAKER_01

I love that question for a number of reasons. But the first of which is that I just finished chapter seven, my final chapter of my dissertation, and my entire line of research for this is how do you validate information in open source investigations? For my case, specifically, because you have to be very specific with doctoral research for identification investigations. So if I have a phone number and I'm trying to connect it to a person, I don't know who that person is. How do I confirm whether this is real or not? How do I know when I search in a database and this phone number comes back and it has belonged to eight people over the last 10 years? How do I know which one is correct? Right. That's a huge challenge that we have. Or how do you confirm that this email really does belong to this guy when it's such a common name? Validation is something that really isn't talked about that much in open source. It is something that needs to be talked about, especially as it gets more popular as we get more people taking OSINT data to court. Now, as far as looking at like from a forensic perspective, you can absolutely, you know, if you're doing your screen grabs, you can hash your screen grabs. You can screen record your investigation to show that you are discovering these things as they're occurring and make sure you have that original provenance. And you can, you know, grab the HTML and the source code of the pages that you're looking at to try to document that. But all of that comes down to really good documentation. I will shout out for Ritu Gill if you've never either heard of her or worked with her. She is the founder, I believe, of Forensic OSINT, which is kind of like a parallel to Forensic Notes with Rob Marriott. And Forensic OSINT allows you to have a Chrome browser plug-in where it'll capture and hash and validate some of that stuff for you. So as far as the evidentiary capture, that is something that's being done and being dealt with. 
And she's a rock star in that area. The tool does a really great job. But as far as validating the information behind the scenes, that's where things get a little scary. Um, what we see is that most OSINT practitioners and most people that are teaching, or even the books that talk about how you do OSINT methods, they have you rely very heavily on subjective judgments. Um, a great example that I referenced in one of my research uh areas was one of the authors of these books had said, Oh, well, you know, there's two people's names in the email address. So that's a good indicator that they're married or it's a couple's account and they share this account. That is a huge, huge subjective leap to make. Now, if you have a number of other pieces of evidence from other areas that support that, okay, maybe that's a little bit more likely. But subjective judgment is a huge factor in OSINT and it is not something that gets addressed and not something that gets trained for people to know. That gets even riskier when you start using automated tools and systems, which are phenomenal for digging through data really fast. But then you run the risk of, hey, how does this tool work on the black, the back end? Um, if if it's a black box tool, you don't know where the data came from to begin with. You don't know whether it was trustworthy data, right? If somebody just made a typo and now they've associated this person to a second social security number or something like that. So there's there's a lot of challenges in OSINT data validation. And um I will not put the spoiler alert out just yet, but I have built a framework with my research of what we see, what is governed and what happens in the field when we have good identity resolutions that are successful and ones that are not. Um, and we pulled all of those together to form like a best practices framework. And uh, as soon as my dissertation is done, I'll be publishing that out for everybody.

SPEAKER_00

That's awesome. We'll be on the lookout for that. I kind of feel like the subjective aspect would be how do I like subjectiveness is probably good in the initial building of your investigation and looking for new stuff, but then you need to move into a more objective mindset when you come to the reporting and kind of deliverable section. Would that be fair in that my interpretation of your response?

SPEAKER_01

No, 100%. Um, and that is that's the challenge, right? Um, you've got people, one, OSINT is a really cool intelligence discipline. I love HUMINT. I'm a former HUMINTer. And so, you know, you hear all this inter-service rivalry between the INTs, but OSINT is the one that is kind of global. It is in every industry. It's not just in the intelligence community, it's in law enforcement, it's in private sector, it's in NGOs. It hits all of these areas. And every single one of those disciplines has different requirements, like every area. So with the IC, you have to have sourcing. ICD 206 and ICS 206-1, which is specifically for OSINT and PAI, they give you very clear requirements on what you need to put in your report for where you got something. But that doesn't mean that you need to capture it and archive it and hash it and have it for evidentiary purposes. These 99% of IC work is not something that's ever going to go to court and ever going to have to actually be judged at that level. It's really more for decision making. Now, if you're in the law enforcement side of that and you have all of these subjective analyses of how you got to things and how you made determinations, and then you have to go and defend that in court, that looks an awful lot like bias if you don't have the hard data to back it up, right? And if you don't have all of the material and if that material has not been captured and documented properly. So it's very, very risky depending on what area you're in. Now, analytical judgment exists and it is one of the greatest things about analysts when you're they're doing reporting. Um, and there's some interesting divisions between, you know, so in some areas you'll have people who do the OSINT collection. And there's a little bit of analysis and collection, right? You have to kind of follow the leads, interpret those, document them, and put a report together. 
But there's some places where they then have a third party do analysis on that material to see if this really holds up, if the logic is sound, if the, you know, evidence is really there, or if this feels like a number of jumps. Unfortunately, that is few and far between with where that actually occurs. And that's not always the best situation anyway, because there's context that may be missed. Um, now that can be very helpful for like reporting and documentation processes, doing your writing and stuff like that, but there's just a lot of risk there. So the one of the biggest concerns I have is that subjective judgment when we go to court and when we see things like that. And historically, we haven't seen, you know, 15 years ago or 20 years ago, that was when forensics started getting dragged into court very often, right? And that's that became a lot of precedential things for us. OSINT is starting to have that experience. Within the last five years, there's been very kind of peppered in cases of people who have had law enforcement search different systems and it gives them a set of data and then they take that data to court. The company won't testify to support it. They can't justify it, they can't explain where it came from. There's no other evidence except for what that tool said. Um, and that has let people walk on, you know, possible convictions when there's other evidence to support them, but because that initial data was either tainted or not able to be supported or verified, got thrown out, and now everything else is that fruit of that poisonous tree that was discovered after the fact.

SPEAKER_00

It really feels to me that the way that we write reports, if we're going to use open source intelligence, needs to change because you're going to be writing like a forensic report can be this artifact said this, you know, kind of I'm over. But it's very cut and dry. Whereas with an OSINT report, it almost seems like you'd be writing a story, you know, a nonfiction narrative of what happened. And that could be a shift.

SPEAKER_01

Yeah, there's definitely a piece of that. And something that I also encourage everybody to do is if, okay, so, you know, if it's for a legal investigation, right? You have evidence and documentation that you can support with other areas, right? You can validate that this phone number was from this phone that we confiscated from this person, and this phone number was linked to register to a social media account. And that social media account, you know, sent signal pings at the same time that he posted a tweet and we had his phone there at the same time the Twitter account was, right? So that tells us that he was actually in that place and now you're like 99% likely that he was there, right? That's always a piece of struggle that we have in forensics is can you put the person behind the device or behind the keyboard? That exists very much in OSINT as well as a challenge because again, it's their account, but how do you know they don't share their credentials or have like a social media manager when you're an influencer and stuff like that? So that's a big challenge. Um, and what I always recommend is if you are not sure about something, if you cannot 100% say with certainty, you need to have a disclaimer there that says, look, these are the pieces of evidence that support this, and these are the pieces of evidence that do not support this. Now it is up to you to make your decision there. That exculpatory material is probably one of the most critical things you can put forward. And that's in any law enforcement investigation, because one, it shows the honesty and the integrity of the investigation, right? Okay, well, they said these were definitely correct, these definitely were not. Let's see what we can do and let's find other sources of evidence, right? OSINT is wonderful because it can give you leads across all of these other areas where you can then go follow up and get more material. 
If you think that the guy was standing there on the corner and you got the tweet at the same time that the signal ping happened and you were able to correlate that with both commercial telemetry data and, you know, a warrant or a subpoena request or something like that, that's really great. But if you're not sure and you didn't get any other signal pings, maybe now you know that time it was posted and you think you know where he was. Maybe there's a camera on the street corner where he happened to be walking and you can get that and triangulate that lead from there, right? It's really, really great for lead purposes. And sometimes you get that like home run where you knock it out of the park and you get everything there. January 6th, great example, right? People live stream themselves on camera going into the Capitol and then posted it on their social media feeds. It doesn't get more 100% confident, case closed, than that. But unfortunately, that's not always the case because a lot of our bad guys do get smart pretty quickly about this sort of thing.

SPEAKER_00

This really requires a lot of out-of-the-box thinking of how to approach things. And you mentioned putting the person behind the keyboard, which is a common phrase in forensics, of course, but I think Brett Shavers kind of co-opted it with his book. And now every time someone says that, I think of his book. But he's doing fantastic work.

SPEAKER_01

There hasn't been like that much really good published research and documentation like that that's approachable in a long time. And I think he's he's crushing it. He's doing a great job.

SPEAKER_00

Love it. Love, love the book, love his stuff. And in that, he talks, I don't he's not really talking about open source intelligence, but he he talks heavily about opening your mind to like think about how you use a computer, how people use, how do you go about your day? Because, like you said, is there a camera? Do do you, you know, where do you stop? Where do you hop on? Have you connected to Starbucks Wi-Fi? Like, what are the types of things that people do as they go about their life? And that kind of leads me to it's an oversimplified question, so I'm going to use poor vocabulary, but in the age of 2026 where digital information is running rampant, we just create so much information about ourselves and honestly others. Is open source getting easier or harder to utilize as evidence in these types of things? And and my poor choice is easier because that's such a uh, you know, wild word. But what are your what's your feel, your research in the increase of data making it easier, harder to work these types of things?

SPEAKER_01

Yeah, um, so it's a little bit of both, right? In some aspects it's easier, in some aspects it's harder. And I hate to be that person that waffles and is like, well, it's gray, there's no answer, but this is kind of one of those situations. It's harder when we think about things like mis-, dis- and malinformation and bots that are just spamming and flooding all of these, you know, sources where we would normally be able to look and to filter and to sort through things. So in that regard, it can be very difficult because the speed of deep fakes and AI generated content and like coordinated just mass disinformation has definitely gotten bigger and it's made it really hard. On top of that, we also have platform access restrictions that are getting more and more strict and harder to get into. In many places, and this will depend on your jurisdiction and what your permissions are. Most investigators can have sock puppet accounts. So, you know, your undercover account, not to engage, but to observe the environment to find what you need and be able to search for what you need, because you can't search on Facebook or view things on Facebook or, you know, in Instagram or X or a lot of these places without having accounts, right? Five years ago, 10 years ago, that wasn't the case. You could see anything anywhere, basically at any time and search and do a lot of great things with it. So that platform access is shrinking and getting smaller. Privacy concerns and constraints are making that harder to collect even regular, you know, other types of data like the commercial telemetry data of ad ID. If you're not familiar with that, we can do a whole nother episode on that at some point, because it's way too much of a rabbit hole. But things like GDPR and the CCPA, the California Consumer Privacy Act, those types of regulations are making it harder for the data to even exist, let alone for then us to go out and find it. 
AI has also, of course, accelerated just the speed with which people can do bad guy things. And so they're trying to outpace us, and they absolutely have, because when you're doing OSINT in support of, you know, IC or law enforcement or or really any professional organization, you are limited by laws and policies that you have in place. And a lot of the time they cannot keep up with the landscape, especially when it changes this quickly. The government specifically probably three to five years, but that's being very generous. We're probably looking more at like five to ten years behind in the policy landscape. I mean, OSINT has been around since 1941, uh, when the FBMS was first stood up, and we only got the first like real PAI guidance for sourcing a couple of years ago within the last two years. I can't remember if it was 24 or 23 when that came out. Um, so don't quote me on that. Uh now that's the hard side. The easier side, um, which has been really nice, is that the the volume of information has never been higher. Anything you can think of that you would have done on paper before is digitized. You can create your notes, you can network on platforms that you would never think to network on, like Zotero. It's an organization, it's a system that we use to organize citations and sources. You can share that with your colleagues and your like your classmates. So if somebody knows to go look at a Zotero breach, they can see all of the people you've been affiliated with because you share an organization of like citation and and nerd stuff. You know, data brokers have also just made a ton of this information really, really easy to access. Now, a lot of that sometimes there's a commercial data purchase uh access to that that you would have to have, but some of those are free and you can get a couple searches a month from certain platforms because you know they'll give you that little teaser of good data, and then you know, you'll hopefully pay for an account. 
So a lot of that has gotten really easy. Tools have blown up, and that is both an easier and a harder, like I mentioned earlier with the validation. You don't know where they're getting their data, so you don't know if it's good or bad. You have that kind of old phrase that, like, crap in, crap out, right? If it's a bad data source and you just don't know, you're gonna get results and you're not gonna know if they're true or not. So many people, I think I saw a LinkedIn post this morning and I can't remember who it was. So if it's somebody that's listening, you you have the credit. I I don't I don't remember. But they'd said something along the lines of like, with how easy it is to program now, every other day, somebody is creating a new like Intel dashboard that's out there that anybody can use. And people are logging in and using these, having no idea who they belong to, what they're doing on the back end, how much data they're collecting about you, and whether they're even accurate or not. And if they're saying, hey, we have an API to pull data from Facebook, okay, cool, but how do you know it works? And is it easier to use that tool, or is it easier to just go search it yourself manually? You know, so a lot of this stuff has gotten easy. And, you know, with how easy it is for us to communicate and network and do things like this podcasts and videos and you know, learning platforms. It is so much easier to get started and start learning and jump in and get into the field of OSINT than it's ever been before, which is super exciting.

SPEAKER_00

Absolutely. Have you seen, and I'm putting you on the spot here, I'm opening it up real quick. The paper released last month called Large Scale Online Deanonymization with LLMs.

SPEAKER_01

I did actually. I have gotten, I read the like abstract at the front, and then I kind of skimmed. It's I use an app called Todoist. It helps me track everything. So I've actually got that article in there. Planning on doing a LinkedIn post kind of on that in the near future here. Fascinating stuff and could be very, very useful. Just like when was it the MD5 that they were able to collide with in a lab, but only in a lab and never in the real world? It's important to remember that what happens in a lab can be very dramatically different than the real world. And I haven't dug into the methodology and the exact processes that they've used yet, but this is kind of where we're at. It is going to get easier and easier to de-anonymize people. You know, if you think about cryptocurrency and the blockchain, right? Bitcoin was supposed to be anonymous, right? Or pseudonymous at least, unless you if you didn't identify yourself. But the longer the blockchain exists, the easier it is to de-anonymize people. And I think we're going to see that same thing play out in a number of other areas of the internet where the longer something exists, the more breaches there are, the more PII that exists for other people to support and identify methods to work around those. And the easier it's going to be to have large language models that can parse through things and look for very specific nuanced things and hallmarks like tone of voice and how you write. And, you know, if you use the same like catchphrase over and over again in your writing, it's going to be easier to parse through all of that and make connections where maybe people had never made them before. Super cool article. I can't wait to dig in a little bit further and actually get into the details and see exactly how they were doing it. 
But that one definitely caused like a lot of I don't know if it was controversy, but the first couple comments I saw, people were like really back and forth about how they felt about that and what it really means for the internet and how we're moving forward.

SPEAKER_00

Not we won't go into the methodology because you're right. Right.

SPEAKER_01

You kind of have to in a research environment like that, which is it is both good, but it is also something that slows us down with this type of you know tradecraft.

SPEAKER_00

Yeah. Yeah. For those who haven't read it, the the TLDR is that, like Jessica said, if they have a if you have a LinkedIn account that's public or semi-public, like most LinkedIn accounts are, they can take your posts, analyze how you write things, and then go to their example is like Reddit. And even though on Reddit you're user one, two, three, four, five, match the semantic analysis using LLMs and identify your Reddit, your anonymous Reddit account based on the way that you type, as well as some context clues, like if you mention a beach you like going to often on the weekends, they're going to assume you live somewhere close, that sort of thing, and match it. But it's it's can turn into pretty powerful stuff. And the re this has been around for a long time, Jessica. You know for sure, but for anyone listening, it's been around for a while. But what LLMs have done, and and you kind of implied this, is it's sped it up. Like that's really it, we're putting gas on the fire, putting the pedal down, and LLMs allow you to do that semantic analysis across huge data sets insanely quick, whereas it would take someone forever, if ever, to do that type of open source comparison across those vast data sets. So it is going to prove kind of interesting going forward. They they reference a zip code research that they did, where if you had the zip code and the birth date and you could throw in gender in that as well, you could you could take a medical hack and compare it to voter records and narrow it down to two people based on, you know. And so it's just kind of interesting to see this type of data and this type of research happening. But one thing we got to keep in mind, like you said, in the lab versus in reality and the the locks and the different things, but some stuff to keep in mind and keep an eye out for for sure.

SPEAKER_01

And I think a lot of people, I think where people kind of think, oh, hey, this is really big and scary, it's a little bit overblown because I'll say 99% of people are just not targets for any of this type of stuff. Everybody worries, you know, and there's like the tinfoil hat crowds and stuff like that. But I could say that unless you're doing something really crazy, most people are not interested in you. So they could do it, but the amount of manpower that it takes, or the, you know, the computer power at this point and processing to do that for individual people is probably going to be reserved for like your your big bad guys or you know, some like very interesting, you know, celebrity type things like crazy stalkers and stuff like that. That is not going to be um an issue for 99% of people. So I don't want people to get scared when they hear that, like, oh my god, they knew who I am. Maybe shit post a little bit less. I'm so sorry. I I shouldn't have cursed. No, yeah, no. But if you're that worried, maybe uh maybe don't do as many anonymous things that you probably don't want to stand behind confidently.

SPEAKER_00

Yeah. And I don't want to minimize the privacy aspect of it, but I think that is actually a fantastic takeaway. On one hand, is that, you know, and again, I'm saying this tongue in cheek, maybe the de-anonymization of the internet can have some slight positive effects to our discourse on the internet. Because I don't think we need to tell anybody that the anonymization factor of the internet has led to some, let's say, unruly discourses.

SPEAKER_01

It could certainly be a far more respectable place with a good anonymous or de-anonymization method. Yeah.

SPEAKER_00

Yeah. Uh but again, both of us caveat, privacy, all that sort of stuff.

SPEAKER_01

Very important.

SPEAKER_00

Yeah, definitely. One thing I want to shift gears just a touch here, but a lot of people when OSINT is mentioned, they think, well, depending on who you are, you may think like spy level stuff or government organizations or down to police. But I think there is application in various other areas, specifically corporate situations, internal investigations or those types of things, litigation. Have you had any experience in applying it to corporate investigations and those types of things as well?

SPEAKER_01

Yeah, yeah. So I've been lucky to be able to work in law enforcement, the IC, and the private sector and kind of do a lot of things in those spaces. So non-traditional OSINT, you really just have to be creative in how you're thinking and how you're applying it. Obviously, we've got the IC, we've got the law enforcement areas. When you're looking at corporate, there's stuff like competitive intelligence, fraud detection and investigations, brand monitoring, and like reputation identification. Um, I've consulted in the past on a few organizations that were trying to break into a new country, like with their business, and somebody had actually been using their brand in that country for a number of years already that had stolen it. And now they had a terrible reputation there. So they were having just the hardest time getting permission to move into that country and uh pre-act or preemptive or proactive monitoring of that and resolution that could have allowed them to solve that much faster. They did not know about any of this until they started applying to go and put some infrastructure in that country, which is just terrible. So those are some really interesting ways you can do that, you know. Also like pre-merger and pre-acquisition, right? Due diligence for other company purchases and mergers. Um, I think something people tend to forget about is things like executive protection. Um, you know, your celebrities, your football players and your influencers and things like that. Uh there, OSINT can be very, very useful for reviewing the threats that are coming in, but also the opposite side of that, reviewing what they're posting and what their footprints are to help protect them better, because a lot of people overshare, or when you do put that whole picture together, you've shared more than you thought you did over a lifetime and it can be used to find you. As far as like NGOs and humanitarian stuff, you can use OSINT to monitor peace agreements between nations. 
Is there really, did they really both stop cyberattacking each other? We can take a look at that and see what some of that is. I think there's a lot of like fun stuff you can do with OSINT too. So if you want to practice, if you want to train, but you don't have a role and you know, you haven't been able to get in with any of the organizations that do the great volunteer work, genealogy and family research, super interesting way to approach that. You know, you can get online and look back and find UN records from the 40s and the 50s of people migrating all around the world and help people trace back ancestors and look for historical documents. A lot of like your physical libraries do have digital genealogy areas, but they also have, you know, paper ones. And people always kind of defer to like the internet as the only place for OSINT, but it is far more than just the internet. You do have all of those things like journals and trade publications, government hearings, you know, local hearings, um, you know, records and things that you can only get in person too. Sports analytics and scouting. That's another great one for social media, right? Do you want to draft the most important guy on the field? Cool, but let's see what his social media footprint looks like because do we really want him to bring the brand down, right? Unfortunately, I'm a lifelong Tampa Bay Buccaneers fan and we've had some challenges with players who have done some dumb things and, you know, said some stupid things on the internet. And that reputation has kind of followed them and made the Bucs not look so good. If any of you are doing online dating, research into the person that you're trying to go on dates with. Are they actually who they say they are? Uh, that's not just keeping yourself safe. That is making sure that you can make a good decision and action that, and I'm either gonna go on the date or I'm not, based on what I can find about that person. 
Um, you know, there's game communities, journalism, all kinds of reporting, missing person searches, pet searches, like if your pet runs away, knowing where people share some of that community information and being able to go get it, that's a really useful thing to do too. Yeah, there are so many really cool applications to OSINT research if you just think creatively. And I'm not saying the int, right? The OSI, the int part of the intelligence, right? But when you apply the methodologies and the techniques that we use, it really can apply to just about every field that you could imagine.

SPEAKER_00

And I think the int still applies, whether it's legal intelligence or just, you know, decision-making intelligence, it's super important to you can definitely use that for just personal decisions.

SPEAKER_01

That's still actionable in my mind.

SPEAKER_00

Absolutely. So one thing I want to touch on, and we may have touched on it, but how do you glue, let's stick with forensics a little bit. But like I have a computer, a phone, and a tablet, right? And I'm analyzing these things, and I find that nugget that leads me into the open source world to look for stuff. How do I meld those back into a cohesive case that makes sense? Like, what are some of the tips there for making sure that these two play together in a way that's going to help me in my case?

SPEAKER_01

So I think a lot of the reporting is going to come down to what your agency requires. And I know a lot of places have templates and very structured ways of reporting. I've seen this happen in a couple of different ways. The first is that you do your full forensic reporting, you do all of your technical stuff, all of that documentation. Um, and then you have an area for you to actually describe and talk about the investigation. Before you do that, I would maybe add another section in there for all of the OSINT work and say, hey, as referenced on this page, we found this many emails from five different people that we don't know who they are. And we pursued identifying these emails with these specific techniques. And then you detail your investigation, you have all of your screenshots, your hashing, and all of that kind of stuff embedded. And then you can kind of do your final narrative where you put it together. Of course, the other side of that is you can weave it in. But if you're in a court or dealing with a system that maybe doesn't have as much confidence in the OSINT stuff, you may want to not weave that in because that's honestly probably a lot of rewriting. Um, I think every case also will probably, again, every forensic case is a little bit different anyway, but every case is going to be a little bit different with how they weave together. Um, and you may want to just have an attack, maybe maybe you don't get anywhere with those emails, right? Maybe you find out that they're in groups together and they do all this stuff and they're active on these platforms, but that doesn't help you with the specific case you were working to begin with, right? Maybe those are leads for another case. So maybe that is like an annex or something that you can attach to that. And hey, this is what we found. He's clearly active in these chat rooms doing X, Y, Z bad guy things. 
And here's some other people that he's involved with, or at least email handles and usernames that he's involved with. And, you know, we can follow up on these and other investigations, maybe. In any case, if you're doing that, you want to get that uploaded into some sort of system of record so you can search for those and when other things come up. And that's that's another really huge piece in OSINT, too, is it might not be there today, but that doesn't mean it won't be there in six months. So if you have a case that's still open or you haven't closed, go back and check every once in a while. Not that, you know, law enforcement officers, nobody has the time to do that kind of stuff, right? But if it is like a high profile thing, check again in like six months or so and see what more information you get. With OSINT reporting, again, it's really important to explain where you started, how you got there, what that process is were, like what the processes were, and how you jumped across. Because the most important thing with legal defensibility is making sure that what you are putting out can be traced and documented and potentially reproduced by somebody if they need to. Now, everybody knows that the internet is not static, but again, if you at least have the documentation that it was there that day, that's very, very helpful to have. And that doesn't mean that it will get thrown out just because somebody can't do it tomorrow. Uh I feel like I'm bouncing all over again.

SPEAKER_00

No, that was right on. And I want to ask you, so I'm in my case and I go through those kind of thought processes that you're talking about. Would a safe piece of advice be, okay, I'm in my case and I want to go search some open source, whether it's the Google plugin you talked about or screen recorder, either way, it almost seems like start recording then. Even if you don't find anything, just delete the footage or not. But either way, just get that early because what you don't want to do, and this is a thought that keeps popping to my head as you talk about these things, is I don't want to find something and then realize, oh, I need to start screen recording now. Like, well, just if you're gonna go online and start working for that stuff, start recording, record all your stuff. And if you don't find anything, you can cross that bridge. But if you do, at least then you have your full chain. Would that be a safe recommendation or is there any negative side of that?

SPEAKER_01

I mean, the only negative side to that is it depends on how deep you go in that rabbit hole, how long that footage is, and that may slow your system down. But no, I think that's a really great approach, especially if you're using other ways like Hunchly is another great product to help screen record or screen grab and hash things for evidence. I think you touched on something really interesting there, though, is you said, you know, if I'm doing something and I want to go follow an OSINT rabbit hole, and then if it's not relevant or I don't find what I'm looking for, I'm gonna go delete it. I would probably not do that because if you're part way through an investigation, you don't know what's relevant just yet. So uh what I would probably do, and I'm somebody that I like um, you know, like time blocking. So I like to do batch things together. So if I'm doing a forensic case, I'm gonna get all of that done first and I'm gonna note take all of the leads that I have for OSINT to follow up on after the fact. That's gonna allow me to be fully uh aware of everything that happened in that device that I'm examining and all of the stuff that supports that. And then now I've got I like Excel sheets to organize all my leads. So I'll have, you know, the name, the alias, social, phone numbers, email addresses, addresses, all of those kind of like PII identifiers that we would use to search. I keep them separately. And then when I finish all of this, I go, okay, cool. I have this big picture, I've got some questions, I've got some gaps. Now let me do OSINT research with all of these things, and maybe that'll fill some of those gaps in, you know, and maybe it'll start to make sense and be more cohesive. That's just my approach because that's just how my brain works. I like to get that one big thing done at a time and then follow that lead. 
A lot of people will do that back and forth, but if you're doing that again, I would not delete or get rid of anything or think that something is not relevant until you finish the entire case, all of your OSINT research and all of your forensic exams, just to make sure that there's not something that correlates. Um, because I've definitely had it before where, you know, I'm like, oh, okay, this isn't relevant. Or, you know, I saw some person that we were, we were looking for some. I can't even remember what the case was. We're looking for some kind of a suspect. And I saw a guy, and I'm like, oh, well, it says it's this, you know, it's tied to this kid, but he's like 17, he doesn't look like a criminal. It's whatever. I'm like, this can't be the guy. Two days later, that was in fact the kid running this like ring of things. And one, that was a bias issue for me, uh cognitive bias, thinking like, oh, young upstand, upstanding citizen, teenager, definitely not old or qualified enough to do this kind of bad guy activity. So that was a very early career cognitive bias check. And that's part of why I'm so supportive of uh, you know, analytic skills and things that you have to do as an investigator. But also, like, I didn't know that that was relevant two days prior. And if I had, or if I deleted that, it would never have taken me back to really confirm that he was the guy. So definitely hang on to everything until the end. Yeah, I mean, really reporting, structuring, investigating, it's kind of whatever works best for you and like your attention span too. Because I know some people, if you get into, you know, listen, you start going down rabbit holes, all of a sudden it's like nine hours later and it's dark out and you haven't eaten two meals and nobody knows where you are. So, you know, it's really kind of a personal thing.

SPEAKER_00

That bit of a tangent, that's my mom. She loves doing non-le like just like somebody'll say, Who is this person? And then all of a sudden, three hours later, she's like, I found them. And she's been on social media all day searching, and yeah. So uh amazing.

SPEAKER_01

That's fantastic, doesn't work.

SPEAKER_00

Apply that to an investigator, and yeah, you're talking days now, and they forgot what you know, now they forgot what day it was. So okay, so we have covered a lot of stuff, and I have to get you back on for like we should just promote a series once your uh doctorate is done, because that sounds really interesting, and you've touched on a lot of things that now I've got to go research and I'll forget what day it is. But if you had to close up here at the end with kind of a suggestion or how to get started or what to look for as a conclusion, what would that be?

SPEAKER_01

If you're interested in getting started in OSINT, there's kind of two things that I always recommend. One is train and learn whatever you can wherever you're interested. Not every area of OSINT is the same. And there are people that are maritime OSINT experts, like Rae Baker. She wrote the book Deep Dive, cannot recommend that enough. That's her specialty. She did cover a lot more than that, obviously, in the book, but that is what she's known for. There's cryptocurrency, there's the dark web. And if you don't, if you've never done the dark web, just learn first before you touch it, just to protect yourself. But it's really not that big and dark and scary. Everybody, I think it's kind of overblown. But you know, there's cryptocurrency, there's social media, there's all these different areas of interest for people. There's aviation tracking. I mean, some of the stuff I see in like flight spotter groups are mind-blowing with how much knowledge these civilian non-aviation personnel have. So figure out what it is that you like and follow and learn that first. And then you'll continue to learn more as you branch out from there. Um, when we're talking about like education and just fundamental knowledge, know how to get it on your own first before you start relying on all of the tools. Again, that is how you know whether the tools are working or not. If you don't know where data comes from and how it comes into existence and how you would find it on your own, you don't know how to double check that the tool is correct, if it gives you an answer or if it doesn't give you an answer. Um, and you don't know how to validate and verify that for it to hold up wherever you're looking, right? And so that's kind of the first piece. And then while we're talking about training, there are some certifications out there and they're good. But I would not hang your hat on having to have a certification if you want to get into the field. 
99% of organizations are not requiring a certificate or a certification of any sort to start a job. Now, if you're looking at things like the DOD, they're gonna look for like OBC, their OSINT basic course, or like OS301302. Those are kind of your limitations, like where that's like the one time you can't waive that. But private sector, all of the other industries, they want to see that you can do the job. They don't necessarily care about certifications. So if you're looking at a SANS certificate and it's they're phenomenal training, I cannot speak highly enough about them, but it's very expensive. Um, do not let the financial aspect be a hurdle to learning because there are so many places where you can get really great free education that doesn't cost you nine or $10,000. Um, and again, that's not discounting. They have, they're so valuable. They're really, really good at what they do, but they can they're just out of um affordability for a lot of people. So don't let the budget hold you back. Don't let the, oh, I didn't get a certificate hold me back. Do what you need to do, get into the free communities. LinkedIn's great, Discord is great. Reddit even has some decent, like interesting OSINT chats there sometimes. And make friends and network because the networking you can do is the best thing. Everyone, like I said, is gonna have their own specialties and their own batches of knowledge. And you never know when those are gonna be relevant or come up. You know, if I have an art case, there's a guy that I called because he used to work on the art scene in New York, and that is my go-to art guy. And you never think, oh, I need an art guy. You never think, oh, I need a bomb guy. But when there's a pile of wires in a photo, you're like, let me send this to the bomb guy just to make sure that I know what I'm looking at and that it's not a bomb. 
So I think those are probably, I don't know if that really summed anything up, but you don't have to have money to get into OSINT. You just have to have passion and be curious and want to learn. And that learning really never stops.

SPEAKER_00

Yeah. That's the important thing for forensics or any investigative work. Be curious and uh continue learning because technology as well.

SPEAKER_01

It changes every day.

SPEAKER_00

Oh, and not to talk about AI and every single thing, but it's only accelerating it because it's just oh, I want to create this thing or change this thing, and AI will just do it for you.

SPEAKER_01

Yeah, I mean, look. It may do it correctly, it may do it incorrectly, it may do it with gaps and holes, but it'll do it.

SPEAKER_00

Yeah, exactly. Uh Jessica, thank you uh so much. And I do want to get you on after you finish your dissertation because that sounds super awesome. And let's talk about it, especially the framework you're developing. But I want to thank you again for jumping on and talking with us. Always appreciate it. I love your work.

SPEAKER_01

Yeah, absolutely. It's been a pleasure. Thanks so much for having me on.

SPEAKER_00

All right.