ZeroTrace OSINT
Running an Investigation
The repeatable shape of an OSINT investigation — from "I have a name" to "I have a sourced report."
Every investigation worth shipping follows roughly the same shape. The toolkit is built around that shape; this page is the explicit version of it.
The five phases
| Phase | Goal | Toolkit features |
|---|---|---|
| Scope | Decide what question the investigation answers | Profile naming, notes |
| Collect | Gather raw findings against the question | Tools, pivots, bulk paste |
| Verify | Confirm or dismiss each finding | Severity / status tagging |
| Synthesise | Build the argument that connects the findings | Notes, finding selection |
| Deliver | Produce the artefact (report / brief / memo) | PDF / Markdown / JSON export |
Most investigations skip phases or merge them. That is fine for casual work. For investigations that have to defend themselves to an editor, a court, or a regulator, every phase is necessary.
Phase 1 — Scope
Before opening any tool, write down:
- The question. "Is X the same person as Y?" or "What is the corporate ownership graph of Z?" or "Did this domain appear in any breach last year?". One sentence.
- The audience. Who reads the deliverable. The audience determines the format and the level of technical depth.
- The scope boundary. What the investigation does not cover. As important as the positive scope.
- The success criterion. How you know the investigation is done.
Open a profile named for the investigation. Paste the four lines above into the profile's notes.
This phase takes ten minutes and saves hours later. Investigations that skip it tend to sprawl until the investigator runs out of energy rather than finishing.
Phase 2 — Collect
The collection phase is where the toolkit shines. Open the right tool for the input you have:
- A name → person investigation composer.
- A domain → WHOIS, then DNS, then site analysis.
- An IP → IP geolocation, then ASN, then reputation.
- A photo → image metadata, then geo clues, then reverse image.
Pin every finding to the profile. Pivot from each finding to the next tool. Repeat.
For collection, the discipline is: pin too much rather than too little. The toolkit's tagging and filtering will let you separate the signal later. Findings you did not pin cannot be recovered.
Collection has natural stopping points. When the pivots stop producing new entities, when every domain has been WHOIS'd and every IP has been ASN'd, the collection phase is done. If the answer is not yet there, the question may need re-scoping rather than more collection.
Phase 3 — Verify
Verification is where investigations stop being "data gathering" and start being "evidence."
For each finding:
- Set severity. Severity is your judgment of how much the finding matters to the answer, not how dramatic it looks: info / low / medium / high / critical.
- Set status. confirmed (verified through a second, independent source or through independent reasoning you have written down) / pending (captured but not yet validated) / dismissed (false positive, kept for the record).
- Tag. Aggressive tagging now makes the synthesis phase fast.
Verification is also where the pivot graph does its second-pass work. A finding reached by pivoting from another finding is only as strong as that source finding: re-pivot from the source and confirm that the link still holds before marking the dependent finding confirmed.
Phase 4 — Synthesise
Synthesis is where you write. Open the profile's notes. Use Markdown.
Structure the notes around the question you wrote in phase 1:
- The question, restated.
- The headline answer.
- The chain of reasoning that supports the answer.
- The findings that anchor each step in the chain.
- The findings that contradict the answer, if any, and why you concluded the answer despite them.
The notes are the argument. The findings are the evidence. The combination is the report.
Phase 5 — Deliver
Export the profile as PDF (for human readers) or Markdown (for editor handoff) or JSON (for automation).
For PDF deliverables:
- Set severity correctly across all findings — the export groups by severity.
- Mark dismissed findings as dismissed rather than deleting them; they stay in the profile for the record but do not appear in the export.
- Tag aggressively — tags appear in the export and help the reader navigate.
- Write the executive-summary notes (phase 4) — they appear at the top of the PDF.
The PDF is the artefact that goes to the audience. Once it ships, the investigation is done.
What to do with the profile after delivery
Keep it. Profiles are local files; they cost nothing to keep. Six months later, when a related question comes up, the saved searches in the profile re-run with one click and tell you what has changed. The profile holds everything you collected, including the findings you dismissed, so store it with the same care you would give the deliverable itself.
Anti-patterns
A short list of the things that go wrong most often:
| Anti-pattern | Why it bites |
|---|---|
| Skipping the scope phase | Investigation sprawls; deliverable lacks focus |
| Not pinning findings | "I saw something interesting but I cannot find it now" |
| Skipping severity tagging | PDF export is unreadable; audience cannot find the headline |
| Confirming findings against the same source twice | Two confirmations from the same source are one confirmation. Diversify. |
| Investigating outside the question | Curiosity is the enemy of completion. Track unrelated finds in a separate profile. |
| Not exporting | An investigation that does not produce an artefact may as well not have happened. |
When to stop
The investigation is done when:
- Every finding required to answer the question is pinned and confirmed.
- The answer is written up in the profile's notes.
- The export passes a "would I be comfortable handing this to my hardest critic" check.
Investigations expand to fill the time available. Setting an explicit "done" criterion in phase 1, and checking the work against it before delivery, is what makes investigations ship.
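The rules above are mechanical enough to check before anything ships: the Phase 3 status rules (confirmed needs a second source or written reasoning), the Phase 5 export rules (group by severity, drop dismissed, tag everything) and the "when to stop" rule (every required finding confirmed). The script below is an added example written for this page, not the toolkit's own code, and the profile layout it reads (a dict with `question`, `notes` and a list of `findings` carrying `title`, `severity`, `status`, `sources`, `tags`, `required` and an optional `reasoning`) is an assumption made for illustration; this page does not describe the toolkit's real JSON export schema. The sample findings are constructed, not real data.

```python
"""Pre-export lint for an investigation profile.

Added example for this page; not the ZeroTrace OSINT toolkit's own code.
The profile layout below is an assumption for illustration, not the
toolkit's real export schema.
"""

# Severity order used for grouping: headline findings first (Phase 5).
SEVERITIES = ("critical", "high", "medium", "low", "info")
STATUSES = ("confirmed", "pending", "dismissed")

# Constructed sample profile, not real data. Each finding is either clean or
# carries one deliberate problem so the lint has something to report.
SAMPLE_PROFILE = {
    "question": "Is handle X operated by the same person as handle Y?",
    "notes": "Headline: yes, with high confidence. Chain: shared avatar -> shared registrant contact.",
    "findings": [
        {"title": "Shared avatar hash across X and Y", "severity": "high", "status": "confirmed",
         "sources": ["reverse-image", "image-metadata"], "tags": ["identity"], "required": True},
        # Same source listed twice: two confirmations from one source are one confirmation.
        {"title": "Same registrant contact on both domains", "severity": "medium", "status": "confirmed",
         "sources": ["whois", "whois"], "tags": ["domain"], "required": True},
        # Needed to answer the question but never verified, and untagged.
        {"title": "Possible employer match", "severity": "low", "status": "pending",
         "sources": ["profile-scrape"], "tags": [], "required": True},
        # Dismissed: stays in the profile, must not reach the export.
        {"title": "Unrelated breach hit on a similar name", "severity": "info", "status": "dismissed",
         "sources": ["breach-index"], "tags": ["noise"], "required": False},
        # Severity outside the toolkit's scale; would break grouping. Single source,
        # but confirmed through written reasoning, which the Phase 3 rule allows.
        {"title": "Nameserver shared with a known host", "severity": "urgent", "status": "confirmed",
         "sources": ["dns"], "tags": ["domain"], "required": False,
         "reasoning": "This NS pair is rare outside the operator's own portfolio."},
    ],
}


def lint_profile(profile):
    """Return the problems that would fail the 'hand it to my hardest critic'
    check. An empty list means the profile is ready to export."""
    problems = []
    for f in profile["findings"]:
        title = f["title"]
        if f["severity"] not in SEVERITIES:
            problems.append(f"{title}: unknown severity {f['severity']!r}")
        if f["status"] not in STATUSES:
            problems.append(f"{title}: unknown status {f['status']!r}")
            continue
        if f["status"] == "dismissed":
            continue  # kept in the profile, never exported; nothing further to check
        # 'confirmed' needs a second, independent source or written reasoning.
        if f["status"] == "confirmed" and len(set(f["sources"])) < 2 and not f.get("reasoning"):
            problems.append(f"{title}: confirmed from one source with no independent reasoning")
        if f.get("required") and f["status"] != "confirmed":
            problems.append(f"{title}: needed to answer the question but still {f['status']}")
        if not f["tags"]:
            problems.append(f"{title}: untagged; the reader cannot navigate to it")
    return problems


def group_for_export(profile):
    """Exportable findings keyed by severity, headline first. Dismissed and
    invalid-severity findings are dropped, so run lint_profile first."""
    groups = {s: [] for s in SEVERITIES}
    for f in profile["findings"]:
        if f["status"] == "dismissed" or f["severity"] not in SEVERITIES:
            continue
        groups[f["severity"]].append(f)
    return groups


def render_markdown(profile):
    """Markdown deliverable: question and synthesis notes on top, then
    findings grouped by severity with status, tags and distinct sources."""
    lines = [f"# {profile['question']}", "", profile["notes"], ""]
    for sev, findings in group_for_export(profile).items():
        if not findings:
            continue
        lines.append(f"## {sev.upper()}")
        for f in findings:
            tags = ", ".join(f["tags"]) or "untagged"
            sources = ", ".join(sorted(set(f["sources"])))
            lines.append(f"- [{f['status']}] {f['title']} (tags: {tags}; sources: {sources})")
        lines.append("")
    return "\n".join(lines)


if __name__ == "__main__":
    for problem in lint_profile(SAMPLE_PROFILE):
        print("LINT:", problem)
    print()
    print(render_markdown(SAMPLE_PROFILE))
```

Run against the sample, the lint reports four problems (the duplicated-source confirmation, the pending required finding, the untagged finding, and the off-scale severity) and the rendered Markdown drops the dismissed finding while keeping the notes at the top. Treat a non-empty lint result as a blocker for Phase 5, not as a warning.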