OSINT Toolkit Essentials
BLUF
This guide catalogs the essential OSINT tools for intelligence analysts, investigative journalists, and researchers operating in the contemporary information environment. The toolkit has stabilized somewhat since the 2014–2022 period when new capabilities emerged monthly — the core set documented here represents the tools that have survived operational use and remain actively maintained. Every tool listed is either free, freemium, or subscription-based with transparent pricing; nothing here requires intelligence-agency access or paid-access closed platforms. Tool choice matters less than methodology (see Source Verification Framework); the best tools poorly applied produce worse results than basic tools rigorously applied.
Mapping and Geolocation
Primary
| Tool | Purpose | Cost | OPSEC |
|---|---|---|---|
| Google Earth Pro | Historical satellite imagery; 3D buildings; measurements | Free | Google surveils queries |
| Google Maps Street View | Ground-level verification; time slider | Free | Google surveils queries |
| Yandex Maps | Superior Russia/CIS coverage | Free | Yandex surveils queries |
| Bing Maps | Alternative satellite coverage; sometimes newer imagery | Free | Microsoft surveils queries |
| OpenStreetMap | Community-maintained; strong conflict zone coverage | Free | Low-profile queries |
| Mapillary | Crowdsourced street-level imagery | Free | Meta-owned; tracks queries |
OPSEC note: Any query to Google/Yandex/Bing is logged and associable with your identity (via IP, cookies, account). For sensitive operations, use VPN + private browsing; or better, offline maps (OsmAnd on mobile).
Specialized Geolocation
- SunCalc.net — Shadow-based time/date calculation
- Pic2Map — Basic EXIF extraction for location
- Google Earth Timelapse — Satellite imagery over decades; useful for infrastructure development tracking
- Sentinel Hub EO Browser — Free ESA satellite imagery archive; excellent for large-scale or historical questions
- Planet Labs Education — Limited free tier; daily 3–5m imagery of the whole Earth
See: Geolocation Methodology for how to apply these tools.
Image and Video Verification
Reverse Image Search
| Tool | Strength |
|---|---|
| Yandex Images | Best for conflict-zone imagery — frequently identifies images Western engines cannot |
| Google Images | Broad coverage; good for Western-origin images |
| TinEye | Oldest reverse image search; good for earliest instance detection |
| Bing Visual Search | Alternative coverage |
Practice: Always run at least two engines. A hit on Yandex but not Google often indicates a Russian or Eastern European original source.
Metadata Analysis
- ExifTool (command line) — definitive EXIF/XMP metadata extraction
- Metadata2Go — web-based EXIF viewer (upload image to third party — OPSEC consideration)
- InVID / WeVerify — video-specific plugin suite for Chrome; keyframe extraction, reverse search on frames, metadata analysis
Deepfake Detection
| Tool | Notes |
|---|---|
| Deepware Scanner | Web-based deepfake detector |
| Reality Defender | Commercial service; enterprise pricing |
| AI or Not | Consumer-grade detection |
Reality check: Detection structurally runs one generation behind the generators. Treat any detection result as probabilistic. Absence of detection is not proof of authenticity.
Social Media Intelligence
Twitter / X
- Native advanced search — still works for basic queries; rate limits aggressive
- TweetDeck (now X Pro, subscription) — monitoring multiple accounts
- Memo (memo.tw) — archival search for deleted tweets (limited)
- Twint / snscrape — open-source scrapers; frequently broken by API changes
Telegram
- TGStat — channel analytics and search
- Telethon (Python) — programmatic Telegram access for OSINT pipelines
- Telegago (Google custom search for Telegram) — workaround for Telegram’s poor search
Facebook / Instagram
- Who Posted What (whopostedwhat.com) — date-filtered Facebook search
- Facebook Graph Search — largely killed by Meta; limited alternatives
- Instagram Stories Anonymous Viewers — multiple tools; OPSEC-variable quality
TikTok
- TikTok native search — surprisingly robust for public content
- TikTok Analytics Tools — commercial services for engagement analysis
- Use with VPN to avoid geographic filtering
Cross-Platform Tools
- Hoaxy — tracks URL propagation across platforms
- CrowdTangle — RIP (Meta discontinued 2024); replacement tools less capable
Financial and Corporate Intelligence
Corporate Registries
- OpenCorporates — 200+ million company records globally; free basic search
- OffshoreLeaks Database (ICIJ) — Panama Papers + Paradise Papers + Pandora Papers searchable database
- EDGAR (SEC.gov) — US public company filings
- Companies House (gov.uk) — UK corporate records
Sanctions Lists
- OFAC SDN List (US Treasury)
- EU Consolidated Sanctions List
- OpenSanctions — unified global sanctions search
- UN Security Council Consolidated List
Financial Flow
- Hetman — beneficial ownership research
- Investigative Dashboard (ICIJ-related) — cross-reference corporate data
Maritime, Aviation, and Transportation
ADS-B Flight Tracking
| Tool | Access | API | Key Strength | Analytical Value |
|---|---|---|---|---|
| ADS-B Exchange | Free (community) | REST (no key for basic) | No filtering — includes military, gov, private jets FR24 blocks | Highest — only source that captures sensitive military callsigns |
| OpenSky Network | Free (register for 4,000 req/day vs 400 anon) | REST + Python SDK | Academic/EU-hosted; full historical state vectors | High — batch historical analysis; Python-native pipeline integration |
| FlightAware AeroAPI | Free tier (500 req/mo) | REST | Good tail-number lookup | Medium — supplementary to above two |
| Flightradar24 | Freemium; API enterprise-only | REST (paid) | Consumer UX; filters sensitive aircraft | Low for intelligence work — use ADS-B Exchange instead |
Registration: OpenSky Network — opensky-network.org/index.php?option=com_users&view=registration
Python SDK: pip install opensky-api — enables programmatic state vector queries and historical track reconstruction.
Analytical pattern — military callsign detection: Query ADS-B Exchange for bounding box over active conflict zone; filter callsigns starting with known military prefixes (USAF RCH, JAKE; IDF IAF; Russian RFF, RSD). Cross-reference against Sentinel-1 SAR imagery of same AOI for corroborating ground activity.
AIS Maritime Tracking
| Tool | Access | API | Key Strength |
|---|---|---|---|
| Global Fishing Watch | Free (register) | REST v3 (Bearer token) | Dark vessel detection; AIS gap events; fishing effort rasters — all open |
| MarineTraffic | Freemium; API paid (~$200/mo+) | REST | Most complete AIS database; web interface free for basic lookups |
| VesselFinder | Freemium; API paid | REST | Alternative to MarineTraffic; similar coverage |
| AIS Hub | Community | UDP/REST | Raw AIS data aggregator; useful paired with local RTL-SDR receiver |
Registration: Global Fishing Watch — globalfishingwatch.org/our-apis/
API token: Free after registration; store in Proton Pass under pia/api-keys.
Dark fleet detection pattern: Query GFW for event_type=ais_gap + flag_state=RUS|IRN|PRK. Vessels in international waters are required to carry AIS, so a vessel going dark for >6h is itself the intelligence signal. Cross-reference the gap location with Sentinel-1 SAR imagery to detect the wake of a vessel that is not transmitting AIS.
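The same gap logic can be run locally over position reports you already hold, for example from an AIS Hub feed or an RTL-SDR receiver. This is an added example, not code from the original page or from Global Fishing Watch; the record layout, function names and sample reports are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

GAP_THRESHOLD = timedelta(hours=6)          # the ">6h" threshold from the text
FLAGS_OF_INTEREST = {"RUS", "IRN", "PRK"}   # flag states named in the text

@dataclass(frozen=True)
class Fix:
    mmsi: str       # vessel identifier (constructed values below)
    flag: str
    ts: datetime
    lat: float
    lon: float

def haversine_km(a, b):
    """Great-circle distance between two fixes, in kilometres."""
    dlat, dlon = radians(b.lat - a.lat), radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def find_ais_gaps(fixes, threshold=GAP_THRESHOLD, flags=FLAGS_OF_INTEREST):
    """One record per silence longer than threshold; km_moved scopes the SAR search."""
    wanted = sorted((f for f in fixes if f.flag in flags), key=lambda f: (f.mmsi, f.ts))
    gaps = []
    for mmsi, track in groupby(wanted, key=lambda f: f.mmsi):
        track = list(track)
        for prev, nxt in zip(track, track[1:]):
            dark = nxt.ts - prev.ts
            if dark > threshold:
                gaps.append({
                    "mmsi": mmsi, "flag": prev.flag,
                    "dark_from": prev.ts, "dark_until": nxt.ts,
                    "hours": round(dark.total_seconds() / 3600, 1),
                    "km_moved": round(haversine_km(prev, nxt), 1),
                })
    return gaps

def _fix(mmsi, flag, iso, lat, lon):
    return Fix(mmsi, flag, datetime.fromisoformat(iso), lat, lon)

# Constructed sample (not real vessels): A is dark 9h, B has another flag, C is silent only 5h.
SAMPLE = [
    _fix("A", "IRN", "2024-10-01T00:00", 0.0, 60.0), _fix("A", "IRN", "2024-10-01T01:00", 0.0, 60.0),
    _fix("A", "IRN", "2024-10-01T10:00", 0.0, 61.0), _fix("A", "IRN", "2024-10-01T11:00", 0.0, 61.1),
    _fix("B", "PAN", "2024-10-01T00:00", 5.0, 62.0), _fix("B", "PAN", "2024-10-01T12:00", 5.0, 63.0),
    _fix("C", "RUS", "2024-10-01T00:00", 9.0, 64.0), _fix("C", "RUS", "2024-10-01T05:00", 9.0, 64.5),
]
```

The dark_from and dark_until timestamps give the window in which to look for a Sentinel-1 pass over the area between the last fix and the reappearance.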
RTL-SDR option: A ~$30 RTL-SDR dongle + dump1090 (ADS-B, 1090 MHz) or aisdecoder (AIS, 161.975/162.025 MHz) enables passive reception of raw signals locally — useful near ports or flight corridors for unfiltered, unlogged collection.
Rail / Logistics
- Less systematic coverage — country-specific sources; significant OSINT gap for Russia/China rail intelligence
- Russia: Yandex Maps satellite + Sentinel-2 time-series is the primary open-source substitute for rail monitoring (equipment concentrations, staging areas visible at 10m)
- China: Planet Labs (education tier) or Sentinel-2 for rail/logistics hub monitoring
GEOINT & Satellite Imagery
Free Open-Access Satellite Sources
| Source | Resolution | Revisit | Coverage | Key Use |
|---|---|---|---|---|
| Sentinel-1 (SAR) | 10–20m | 6–12 days | Global | Cloud/night-independent; detects vehicle concentrations, ship wakes, construction. Most important open-source GEOINT capability. |
| Sentinel-2 (optical) | 10m | 5 days | Global | Visual confirmation; vegetation, urban damage assessment |
| Landsat 8/9 | 15–30m | 16 days | Global | Historical archive from 1972; change detection over decades |
| MODIS (Terra/Aqua) | 250m–1km | Daily | Global | Real-time fire/smoke; large-scale atmospheric events |
| GOES (NOAA) | 0.5–2km | 5–15 min | Americas/Pacific | Near-real-time weather; fires; maritime weather context |
Access Portals
| Portal | What It Provides | Registration |
|---|---|---|
| Sentinel Hub EO Browser (apps.sentinel-hub.com/eo-browser) | S1+S2+Landsat+MODIS in one browser; free 30,000 processing units/mo | dataspace.copernicus.eu — Copernicus Data Space account |
| NASA Worldview (worldview.earthdata.nasa.gov) | Near-real-time MODIS/VIIRS; fire, aerosol, storm overlays | None — fully open |
| USGS Earth Explorer (earthexplorer.usgs.gov) | Landsat archive back to 1972; free download | Free USGS account |
| Copernicus Dataspace (dataspace.copernicus.eu) | Full Sentinel catalog + STAC API; programmatic bulk download | Free registration |
| Zoom.earth | Near-real-time GOES/Himawari; weather overlays; quick SA | None |
| Planet Labs Education | 3–5m optical, daily global; limited scenes | Application required |
Registration: Copernicus Data Space (covers all Sentinel access) — dataspace.copernicus.eu
SAR (Sentinel-1) — Analytical Notes
SAR (Synthetic Aperture Radar) is the most analytically powerful free satellite capability for conflict-zone monitoring:
- Cloud/night-independent — functions when optical is blocked (jungle, overcast, night operations)
- Bright returns = rough surfaces, metallic objects (armor, vehicles, shipping containers, buildings)
- Dark areas = calm water, smooth ground, open fields, radar shadow
- Ship wake detection — persistent SAR bright lines on calm water even if vessel has no AIS
- Infrastructure change — compare two S1 scenes 6–12 days apart; construction, demolition, and troop staging are visible
Band combo guidance for S2 optical:
- TRUE_COLOR — baseline visual
- FALSE_COLOR (NIR/Red/Green) — vegetation health; distinguishes agricultural from urban damage
- SWIR — burn scars, active fires, soil moisture
Programmatic Access
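```python
# sentinelsat — download Sentinel scenes programmatically
import os
from sentinelsat import SentinelAPI

# Credentials are read from the environment (variable names are placeholders)
user = os.environ["COPERNICUS_USER"]
password = os.environ["COPERNICUS_PASSWORD"]
# AOI as a WKT polygon (lon lat pairs); placeholder coordinates, replace with the real AOI
area_of_interest = "POLYGON((0 0, 1 0, 1 1, 0 1, 0 0))"
# Note: this is the legacy Open Access Hub URL; that hub was retired in 2023 in favour of
# Copernicus Data Space, so confirm the endpoint responds before relying on this snippet.
api = SentinelAPI(user, password, 'https://apihub.copernicus.eu/apihub')
products = api.query(
    area_of_interest,  # WKT polygon
    date=('20241001', '20241015'),
    platformname='Sentinel-1',
    producttype='GRD',
)
api.download_all(products)
```
Install: pip install sentinelsat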
Credentials: Copernicus Data Space account (same as EO Browser).
Commercial / Premium Satellite (Reference)
| Provider | Resolution | Access | Notes |
|---|---|---|---|
| Planet Labs | 3–5m | Education free; commercial $5k+/yr | Daily global; best commercial open option |
| Maxar | <0.5m | Commercial | Sub-meter; requires partner or significant budget |
| Capella / Umbra | SAR, 0.5m+ | Commercial; improving API access | High-res SAR; useful for denied-area ops |
| SkyFi | Varies | Per-image marketplace | Order specific AOI images on demand; lower commitment than subscription |
Assessment: For the current PIA OSINT stack, Sentinel-1 + Sentinel-2 via EO Browser covers ~90% of open-source satellite intelligence requirements at zero cost. Commercial providers add value only for sub-10m resolution requirements on specific high-priority targets.
Integration with Active Investigations
When a crisis note is active in 04 Current Crises/, satellite collection follows this workflow:
- Define AOI bounding box for the crisis theater
- Query EO Browser for latest S1 GRD scene (cloud-independent baseline)
- Query for S2 scene within ±3 days (optical visual confirmation)
- Document acquisition date, cloud cover, and key observations in the crisis note
- Screenshot key areas + note coordinates for reproducibility
- Cross-reference with ADS-B Exchange and GFW vessel data for the same AOI and timeframe
See: geoint-bridge-spec-2026-05-14 — planned MCP server for automated GEOINT queries.
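The scene-selection and documentation steps of this workflow can be scripted over catalogue metadata once it has been exported. The following is an added example, not code from the original page or from the planned geoint-bridge server; the metadata fields, function names and sample scenes are assumptions constructed for illustration.

```python
from datetime import date, timedelta

def bbox_intersects(a, b):
    """Boxes are (min_lon, min_lat, max_lon, max_lat) in degrees."""
    return a[0] <= b[2] and b[0] <= a[2] and a[1] <= b[3] and b[1] <= a[3]

def pick_scene_pair(scenes, aoi, window_days=3):
    """Latest S1 GRD over the AOI, plus the best S2 scene within +/- window_days of it."""
    over_aoi = [s for s in scenes if bbox_intersects(s["bbox"], aoi)]
    radar = [s for s in over_aoi
             if s["platform"] == "Sentinel-1" and s.get("product") == "GRD"]
    if not radar:
        return None, None
    baseline = max(radar, key=lambda s: s["acquired"])

    def offset(s):
        return abs(s["acquired"] - baseline["acquired"])

    optical = [s for s in over_aoi
               if s["platform"] == "Sentinel-2" and offset(s) <= timedelta(days=window_days)]
    # Least cloud first, then closest in time to the radar baseline.
    best = min(optical, key=lambda s: (s["cloud_pct"], offset(s)), default=None)
    return baseline, best

def collection_record(aoi, baseline, optical):
    """Crisis-note lines: AOI for reproducibility, acquisition dates, cloud cover."""
    lines = [f"AOI bbox (min_lon, min_lat, max_lon, max_lat): {aoi}",
             f"S1 GRD baseline: {baseline['id']} acquired {baseline['acquired'].isoformat()}"]
    if optical is None:
        lines.append("S2 optical: none within window")
    else:
        lines.append(f"S2 optical: {optical['id']} acquired {optical['acquired'].isoformat()}, "
                     f"cloud cover {optical['cloud_pct']}%")
    return lines

# Constructed scene metadata (ids, dates and boxes are illustrative, not real products).
AOI = (0.0, 0.0, 1.0, 1.0)
COVER = (-0.5, -0.5, 1.5, 1.5)
SCENES = [
    {"id": "S1-demo-a", "platform": "Sentinel-1", "product": "GRD", "acquired": date(2024, 10, 2), "bbox": COVER},
    {"id": "S1-demo-b", "platform": "Sentinel-1", "product": "GRD", "acquired": date(2024, 10, 12), "bbox": COVER},
    {"id": "S1-demo-c", "platform": "Sentinel-1", "product": "GRD", "acquired": date(2024, 10, 14), "bbox": (10.0, 0.0, 11.0, 1.0)},
    {"id": "S2-demo-a", "platform": "Sentinel-2", "acquired": date(2024, 10, 11), "cloud_pct": 80, "bbox": COVER},
    {"id": "S2-demo-b", "platform": "Sentinel-2", "acquired": date(2024, 10, 14), "cloud_pct": 12, "bbox": COVER},
    {"id": "S2-demo-c", "platform": "Sentinel-2", "acquired": date(2024, 10, 17), "cloud_pct": 0, "bbox": COVER},
]
```

The cloud-free S2-demo-c scene is rejected because it falls outside the ±3 day window, which is the trade-off the workflow encodes: temporal agreement with the radar baseline takes priority over image quality.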
Infrastructure and Cyber
Internet Infrastructure
- Shodan — Internet-facing device search; subscription for full features
- Censys — alternative to Shodan
- FOFA — Chinese equivalent; different coverage
- Wigle — WiFi network geolocation
Domain / DNS
- WhoisXML API — domain registration history (paid)
- DomainTools — alternative (paid)
- Passive DNS via various providers
- crt.sh — Certificate Transparency logs (free)
- DNSdumpster — free DNS reconnaissance
Malware and Threat Intelligence
- VirusTotal — aggregated malware scanning
- Hybrid Analysis — malware sandbox reports
- AlienVault OTX — threat indicator sharing
- MISP — open-source threat intelligence platform
Archives and Research
Web Archiving
- Wayback Machine (web.archive.org) — Internet Archive’s historical captures
- Archive.today — alternative archive (avoids some robots.txt issues)
- Google Cache — supplementary (being deprecated)
Practice: Archive any source you cite. Links rot; adversaries delete content. Archives give evidentiary permanence.
Academic and Document
- Scholar (scholar.google.com) — academic paper search
- Semantic Scholar — AI-enhanced academic search
- Sci-Hub — ethically complex but operationally essential for closed-access papers
- Document Cloud — document hosting with OCR
Broadcast and Media Archives
- BBC Monitoring — paid; superlative international broadcast monitoring
- Internet Archive TV News — searchable US TV news transcripts
Communication and OPSEC
Secure Communication
- Signal — encrypted messaging; contacts tied to phone number
- Wire — encrypted messaging; no phone number required
- Proton Mail — encrypted email
- Session — decentralized encrypted messaging
Privacy Tools
- Tor Browser — anonymization; necessary for dark web research
- Tails OS — amnesic live operating system for high-sensitivity work
- Whonix — VM-based anonymity
- Mullvad / ProtonVPN — commercial VPN (mass-market use only; not for high-sensitivity work)
Digital Forensics
- Autopsy — forensic analysis of files/drives
- ExifTool — metadata forensics
- Volatility — memory forensics
- Maltego — link analysis and transforms
Dark Web Research
- Tor Browser — mandatory entry point
- Ahmia — clearnet-indexed hidden service search
- Dark Search Engines — Candle, Torch, etc. (quality varies)
OPSEC imperative: Dark web research requires disciplined OPSEC. Minimum: dedicated machine / VM; Tor-only network; no account associations with clearnet identity; physical and digital air-gaps as appropriate. Do not do casual dark web research from your primary device.
Workflow Integration
Recommended Pipeline
- Discovery — social media monitoring; RSS from source list; targeted searches
- Triage — quick evaluation: source reliability + information relevance
- Preservation — archive the source (Wayback Machine submission + local save)
- Verification — geolocation, chronolocation, metadata, reverse image search
- Analysis — integrate into existing knowledge structure; apply ACH
- Documentation — note with proper frontmatter, aliases, cross-links in the vault
n8n Workflow Automation
For routine monitoring (see n8n_ingest_workflow), automation can handle:
- Inoreader RSS ingestion — configured per Inoreader Pro — Collection Stack Configuration
- Frontmatter generation
- Obsidian inbox delivery
- Claude API summarization
- Signal Brief draft generation
Manual analyst work remains essential for verification, analysis, and judgment.
What Not to Use
Tools to be wary of:
- Paid OSINT platforms marketing to law enforcement — expensive; often wrap freely-available data; create evidentiary concerns in legal contexts
- AI-generated “intelligence briefs” — frequently hallucinate; should not be trusted for factual claims
- “OSINT as a service” aggregators — may provide convenience but obscure source methodology and reliability
- Single-source “verified” feeds — no matter how reputable, single-sourcing violates triangulation discipline
Key Connections
- OSINT — the discipline
- Open-Source Intelligence Manual — operational methodology
- Geolocation Methodology — specific methodology for the geo tools
- Source Verification Framework — verification discipline
- Obsidian for Intelligence Analysis — the knowledge management layer
- Analysis of Competing Hypotheses — the analytical method
- geoint-bridge-spec-2026-05-14 — planned MCP server for ADS-B / AIS / satellite queries from Claude Code sessions
- n8n_geoint_opensky — n8n workflow: OpenSky ADS-B crisis monitor → vault inbox