Repeatable, documented methodology for OSINT work. A framework tells you what to do, in what order, and — critically — when to stop. These are the patterns I return to for every investigation, regardless of starting data.
Every OSINT investigation I run, regardless of starting data or complexity, goes through this sequence. The order matters — it establishes a record of progressive discovery and prevents scope creep.
Write a single sentence: what specific claim are you trying to verify or refute? Not a topic — a question with a yes/no or specific answer. This sentence is the investigation's scope boundary.
List exactly what you have before you begin: domain name, email address, username, image, phone number, name. Each data type has a specific pivot chain. Knowing what you have determines which tools open first.
Open a timestamped markdown file before any tool is run. Every piece of evidence gets an entry: what you found, where you found it, the exact URL, and the date/time retrieved. OSINT evidence degrades. If you don't capture it now, it may be gone.
Each data type has a natural pivot sequence — domain → WHOIS → IP → hosting history → related domains. Follow the chain systematically. Document every pivot. Do not skip steps because they seem unlikely to yield results.
Return to the sentence you wrote in step 01. Can you answer it with the evidence collected? If yes — stop, write the summary, preserve the documentation. If no after reasonable effort — "insufficient public evidence to conclude" is a legitimate and honest finding.
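One way to keep the log these steps describe, as an added example rather than the author's own tooling: each entry records the pivot, the finding, where it was found, the exact URL and a UTC retrieval time, and `undocumented()` lists chain steps that still have no entry. The class and function names are hypothetical, and the sample entries are constructed from reserved example names.

```python
from collections import namedtuple
from datetime import datetime, timezone

# Domain pivot chain as given in the methodology text.
DOMAIN_CHAIN = ["domain", "WHOIS", "IP", "hosting history", "related domains"]

# One entry: chain step, what was found, where, exact URL, UTC retrieval time.
Entry = namedtuple("Entry", "pivot finding source url retrieved")

class EvidenceLog:
    def __init__(self, question, starting_data):
        self.question = question            # the one-sentence scope boundary
        self.starting_data = starting_data  # inventory of what you begin with
        self.entries = []

    def add(self, pivot, finding, source, url, when=None):
        when = when or datetime.now(timezone.utc)
        if when.tzinfo is None:
            raise ValueError("retrieval time must be timezone-aware")
        if not url.startswith(("http://", "https://")):
            raise ValueError("record the exact URL, not just a site name")
        stamp = when.astimezone(timezone.utc).isoformat(timespec="seconds")
        self.entries.append(Entry(pivot, finding, source, url, stamp))

    def undocumented(self, chain):
        done = {e.pivot for e in self.entries}  # empty results count once logged
        return [step for step in chain if step not in done]

    def to_markdown(self):
        out = ["# Evidence log", "", f"Question: {self.question}",
               f"Starting data: {', '.join(self.starting_data)}", ""]
        for e in self.entries:
            out += [f"## {e.retrieved} / {e.pivot}", f"- Found: {e.finding}",
                    f"- Where: {e.source}", f"- URL: {e.url}", ""]
        return "\n".join(out)

def sample_log():  # constructed sample; reserved example names only
    log = EvidenceLog("Is example.com operated by Example Org?", ["domain name"])
    t = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    log.add("domain", "resolves, login page only", "browser", "https://example.com/", t)
    log.add("WHOIS", "registrant redacted by privacy service", "WHOIS web lookup",
            "https://whois.example.net/lookup?q=example.com", t)
    return log

if __name__ == "__main__":
    print(sample_log().to_markdown())
    print("Not yet documented:", sample_log().undocumented(DOMAIN_CHAIN))
```

A pivot that returns nothing should still be logged with a finding such as "no result", so the record shows the step was run rather than skipped.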
Tracing who controls a website when registration is anonymized. The pivot chain: WHOIS → IP history → certificate records → reverse WHOIS → hosting history → Wayback Machine → related domains.
Building a picture from a single email address. The pivot chain: breach check → linked account discovery → username enumeration → social platform cross-reference → domain ownership if it's a custom domain.
Confirming the origin, date, and authenticity of a photograph or video. The pipeline: multi-engine reverse image search → EXIF extraction → error level analysis (ELA) → geolocation from visual context → timeline check against known events.
Running the same investigation against yourself that someone else could run. The self-audit pipeline: Google operators → social platform enumeration → data broker scan → people-search opt-out → ongoing monitoring setup.