OSINT for beginners, without the LARP
Most OSINT tutorials teach you to collect. The hard part is not collecting, it's deciding what's true. A practitioner's starting point.
The OSINT scene has a cosplay problem. There's a whole aesthetic now, dark terminal, a wall of tool logos, "I found him in 4 minutes," and almost none of it is the actual work. The actual work is boring, careful, and mostly about not lying to yourself.
Collection is the easy 20%. Anyone can run a username through a checker and get 50 green hits. The 80% that matters is deciding which of those hits is the same human, what you can defend, and what you're quietly assuming. That's the part the tutorials skip, because watching someone agonize over whether two accounts are really the same person doesn't make for a good thumbnail.
Attribution is the whole game
The single most common beginner failure is the false positive. You find "j_martin" on GitHub, "j_martin" on Reddit, "j_martin" on a leaked forum dump, and your brain staples them into one person. Sometimes they are. Often they're three unrelated people who all wanted a common handle in 2014.
Treat every link as a hypothesis until something corroborates it. A shared username is weak. A shared username plus a reused profile photo plus a writing tic that shows up in both places starts to be something. One signal is a guess. Independent signals that agree are an investigation. Write down which one you have, because under pressure you will forget the difference and present a guess as a finding.
This matters operationally because false attribution has consequences. In a corporate investigation it gets the wrong employee fired. In journalism it gets a correction and a lawsuit. The discipline of marking inference as inference is not pedantry, it's the thing that keeps you from doing real damage.
Your own opsec comes first
If you're looking at someone, assume they can look back. The number of beginners who recon a target while logged into their personal Instagram is genuinely alarming. LinkedIn will tell the target you viewed their profile. A "who viewed me" feature on some platform will burn you. Joining a small Telegram group to read it puts your account in the member list.
So before any of the fun stuff: a clean browser profile with no extensions tied to your identity, a sock puppet you've aged and made plausible (a day-old account with no friends and a stock photo fools nobody), and a habit of never, ever, touching a target from a real account. The investigation that compromises the investigator is a failure even if it finds the answer.
Archive like the page is about to vanish
Because it is. Profiles get deleted, tweets get pulled, the one post that matters gets edited the day after you read it. If your evidence is a screenshot with no URL and no timestamp, it's worthless the moment anyone challenges it.
Snapshot to the Wayback Machine when you can, save locally with a date when you can't, and record the URL every single time. "I saw it, trust me" is not OSINT. The capture, with provenance, is the deliverable. Everything else is just browsing.
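The capture-with-provenance habit above, as an added example (not from the original post): each saved page is stored with its URL, UTC capture time and SHA-256, and manifest entries are hash-chained so a later edit to a file or an entry shows up on verification. The hashing and chaining, the `manifest.jsonl` name, the function names and the example.org URL are assumptions of this example; the sample bytes are constructed.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.jsonl"  # hypothetical manifest name, one JSON entry per line

def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def record_capture(case_dir: Path, url: str, content: bytes) -> dict:
    """Store the captured bytes and append a hash-chained provenance entry."""
    case_dir.mkdir(parents=True, exist_ok=True)
    manifest = case_dir / MANIFEST
    lines = manifest.read_text().splitlines() if manifest.exists() else []
    now = datetime.now(timezone.utc)
    digest = _sha256(content)
    name = f"{now:%Y%m%dT%H%M%SZ}_{digest[:12]}.bin"
    (case_dir / name).write_bytes(content)
    entry = {
        "url": url,
        "captured_at_utc": now.isoformat(),
        "file": name,
        "sha256": digest,
        "prev": _sha256(lines[-1].encode()) if lines else None,  # chains entries
    }
    with manifest.open("a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify_case(case_dir: Path) -> list:
    """Return a list of problems; an empty list means files and manifest agree."""
    problems, prev_line = [], None
    for n, line in enumerate((case_dir / MANIFEST).read_text().splitlines(), 1):
        entry = json.loads(line)
        if entry["prev"] != (_sha256(prev_line.encode()) if prev_line else None):
            problems.append(f"entry {n}: manifest chain broken")
        path = case_dir / entry["file"]
        if not path.exists():
            problems.append(f"entry {n}: capture file missing")
        elif _sha256(path.read_bytes()) != entry["sha256"]:
            problems.append(f"entry {n}: capture file altered")
        prev_line = line
    return problems

if __name__ == "__main__":
    case = Path(tempfile.mkdtemp())  # the capture below is a constructed sample
    print(record_capture(case, "https://example.org/post/1", b"<html>constructed</html>"), verify_case(case))
```

A local record like this complements a Wayback Machine snapshot: the hash shows your copy still matches what was recorded at capture time, while the third-party archive shows the page existed independently of you.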
The tools matter least
People want a tool list. Fine: a browser, maintained sock puppets, the Wayback Machine, and a notes file with timestamps will carry you through most real work. Specialized recon frameworks and paid aggregators are real and useful, but they're force multipliers on a method you don't have yet. Buying SpiderFoot before you can run a clean attribution chain is like buying a faster car before you can drive. You'll just reach the wall sooner.
If you want to see the method done well rather than performed for views, the people worth watching are the ones who show their reasoning, not just their results. They pause on the "is this actually the same person" question instead of speedrunning past it. That instinct, the willingness to be slow and to say "I'm not sure yet," is the entire skill. The tools are downstream of it.