
ZeroTrace OSINT

Day-1 walkthrough — your first investigation profile in 20 minutes

The ZeroTrace OSINT toolkit ships with seventy-plus tools across eleven categories. That is a feature and a paralysis trigger. This walkthrough is the curated path that gets a brand-new analyst from "I just installed this" to "I have a finished investigation profile exported as a PDF" in twenty minutes.

The investigation profile is the unit of work. Tools are inputs to a profile; the profile is the deliverable. Once that pattern clicks, the rest of the toolkit becomes navigable.

Authorized investigation only. The example below uses a public, well-known company domain. Use ZeroTrace OSINT only against subjects where your investigation is lawful — research, authorised due diligence, or your own infrastructure.


What you need

  • The ZeroTrace OSINT toolkit installed on your machine
  • Twenty uninterrupted minutes
  • A target you have a lawful reason to investigate (we will use a public, well-known domain as the example)

Step 1 — Open a profile (2 minutes)

Launch the OSINT toolkit. From the dashboard, create a new investigation profile. Name it something descriptive — “day-1 walkthrough” works fine.

Every finding you collect from this point on will pin to this profile. The profile is the case file; the toolkit is the set of instruments you use to fill it.


Step 2 — Run your first tool (3 minutes)

Open the Command Palette with Ctrl+K (or Cmd+K on macOS). The Command Palette is how you navigate the toolkit — type the first few letters of any tool name and the palette finds it.

Type ip geo and pick the IP Geolocation tool. Run it against an IP address — pick something public, like an authoritative DNS server or a target domain you have lawful reason to investigate.

When the tool returns results, click add to profile. The finding is now pinned to your investigation profile with full provenance: which tool produced it, when, what the input was, what the output was.


Step 3 — Pivot to the next tool (5 minutes)

The whole point of an investigation toolkit, as opposed to a single tool, is that findings feed each other. The IP Geolocation tool surfaced an IP and a hosting context. The cross-tool pivot pattern is: take any finding, pivot it into another tool that takes that data type as input.

In the profile, click the IP entity you just pinned. The pivot menu surfaces every tool that takes an IP as input — reputation lookup, ASN lookup, reverse DNS, exposed-services check.

Pick the reverse DNS tool. Run it. Pin the result.

You have just done the unit operation of an investigation: one finding, one pivot, one new finding pinned to the profile. Repeat this pattern with two or three more pivots before moving on.
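The pin-and-pivot pattern from Steps 2 and 3, modelled as an added example; this is not ZeroTrace's code or storage format. The tool names, the `Finding` fields and the stubbed lookups are assumptions, and all values are constructed documentation data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Hypothetical tools: name -> (input type, output type, lookup). Lookups are
# stubs over constructed data (RFC 5737 address, example.com) so this runs offline.
TOOLS = {
    "ip_geolocation": ("ip", "location", lambda v: "Example City, ZZ"),
    "reverse_dns": ("ip", "hostname", lambda v: "mail.example.com"),
    "dns_resolve": ("hostname", "ip", lambda v: "192.0.2.10"),
}

@dataclass(frozen=True)
class Finding:
    id: int
    tool: str                # which tool produced it
    input_type: str
    input: str               # what the input was
    output_type: str
    output: str              # what the output was
    at: str                  # when (UTC, ISO 8601)
    parent: Optional[int]    # finding this one was pivoted from, if any

class Profile:
    def __init__(self, name):
        self.name, self.findings = name, []

    def run(self, tool, value, parent=None):  # run a tool, pin result + provenance
        in_t, out_t, fn = TOOLS[tool]
        f = Finding(len(self.findings), tool, in_t, value, out_t, fn(value),
                    datetime.now(timezone.utc).isoformat(), parent)
        self.findings.append(f)
        return f

    def pivot_menu(self, entity_type):  # tools that accept this entity type
        return sorted(t for t, spec in TOOLS.items() if spec[0] == entity_type)

    def pivot(self, finding, tool):  # feed an entity from a finding into a tool
        want = TOOLS[tool][0]
        entities = {finding.input_type: finding.input, finding.output_type: finding.output}
        if want not in entities:
            raise ValueError(f"{tool} needs a {want} entity")
        return self.run(tool, entities[want], parent=finding.id)

    def trace(self, finding):  # walk the pivot chain back to the first input
        chain = []
        while finding is not None:
            chain.append(f"{finding.tool}({finding.input}) -> {finding.output}")
            finding = None if finding.parent is None else self.findings[finding.parent]
        return chain[::-1]
```

`trace` is what makes a claim defensible later: each pinned finding carries a link to the finding it was pivoted from, so the path from any result back to the original input can be replayed.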


Step 4 — Add a different category of tool (3 minutes)

The toolkit is organised into eleven categories — Network & IP, Web Reconnaissance, User & Account Discovery, File & Hash Analysis, Geolocation, and others. To get a feel for the breadth, run something from a different category.

Open the Command Palette and type the start of any tool name from a category you have not used yet. Username permutator, file hash lookup, web reconnaissance — pick whichever one is useful for the target.

Run it. Pin findings. Notice that the tool's results include source attribution — every finding has provenance. If you ever need to defend a claim in your final report, the source is one click away.


Step 5 — Open the profile (2 minutes)

Now open your investigation profile. You should see a structured list of findings: each one tagged with the tool that produced it, the input that triggered it, and the source it came from.

Scan the profile. Notice that you do not need to remember which screenshot came from which tool — the profile remembers for you.

This is the difference between an OSINT toolkit and a folder of screenshots. The investigation lives in the profile, not in your browser tab history or your Slack thread.


Step 6 — Export to PDF (3 minutes)

From the profile, click export. The toolkit generates a dark-themed PDF report — structured, sourced, with every finding traceable back to the tool and source that produced it.

Open the PDF. This is the deliverable shape — the artefact that goes to a client, an editor, an editor-in-chief, an authorised stakeholder. Compare it to "a folder of screenshots in a Drive folder" and the difference is the entire point of the toolkit.


Step 7 — What changed (2 minutes)

Take stock before moving on:

  • Your queries ran on your machine. None of them routed through a third-party API silently logging the searches you ran.
  • Your findings live in a single investigation profile. If you came back to this case in three months, you would not need to reconstruct it from a Slack archive.
  • You have a structured PDF report. The PDF is signed in the sense that the toolkit produced it from your provenance-tracked findings — anyone reviewing it can see where every claim came from.

This is the workflow. Every investigation, no matter how complex, is the same shape: open profile, run tool, pin finding, pivot, repeat, export.


Where to go next

  1. Cross-tool pivots in depth. The pivot menu changes based on the entity type you click. Email entities pivot differently than IP entities, which pivot differently than usernames.
  2. OPSEC-hardened workflows. Some tools have OPSEC variants (rate-limiting, obfuscation, intermediate proxies). For sensitive cases, see the OPSEC documentation for the tools you use most.
  3. The Proxy suite. For investigations that require chaining requests, rotating providers, or running validation across infrastructure, the ZeroTrace Proxy suite plugs into the OSINT toolkit so chains output back into your investigation profile.

If any step felt rough, tell us in Discord. The investigation-profile workflow is what makes the toolkit cohere; if a new analyst's first attempt is anything other than a smooth twenty minutes, we want to know where the friction is.

Your queries are your business. The OSINT toolkit runs locally and does not route your searches through ZeroTrace servers. The security & transparency page documents what the toolkit logs and what it never logs.
