ZeroTrace OSINT
OPSEC for OSINT
How to investigate without leaking your investigation back to the subject — the operational-security checklist for serious work.
OSINT is asymmetric: the subject of your investigation almost always has fewer ways to detect you than you have to detect them. But "almost always" is not "never." For investigations that matter, the operational-security discipline below keeps your investigation from leaking back to the subject.
The cost of a leak
A leaked investigation has three classes of consequence:
- The subject changes behaviour. They take down content, lock down accounts, scrub artefacts. Your investigation goes cold.
- The subject identifies you. Now they can investigate you. For sensitive cases (whistleblower investigations, organised-crime reporting, hostile-due-diligence) this is dangerous.
- The subject takes pre-emptive action. Legal threats, harassment, retaliation — all of which can shut down the investigation before it concludes.
The defence against all three is not leaving fingerprints in the first place.
Layer 1 — Network identity
| Consideration | Practice |
|---|---|
| Your IP | Investigate from an IP that is not associated with your real identity. A commercial VPN works for most cases; a dedicated residential proxy or rented VPS works for higher-stakes ones. |
| Your DNS | DNS queries reveal what domains you visit even when traffic is encrypted. Confirm your VPN is pushing its own DNS and run the VPN detection tool to verify. |
| Your timezone | Browser timezone often leaks via WebRTC and JS APIs. Match your investigation browser to the VPN exit's timezone for sensitive cases. |
| Your ASN reputation | Some sites block traffic from datacenter ASNs. Investigations may need a residential proxy for authentic-traffic visibility. |
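A pre-flight check that encodes the first three rows above (egress IP, resolver, timezone) as code. This is an added example, not part of the ZeroTrace toolkit or its VPN detection tool; the VPN exit profile and the resolv.conf text are constructed, using RFC 5737 documentation addresses, and the assumption is that your VPN provider publishes its egress and resolver ranges.

```python
import ipaddress

# Constructed profile for the VPN exit you intend to use (assumption: the
# provider publishes these). Documentation addresses, not a real provider's.
VPN_EXIT = {
    "egress_prefixes": ["198.51.100.0/24"],
    "dns_prefixes": ["198.51.100.0/24"],
    "timezone": "Europe/Amsterdam",
}

# Constructed resolv.conf: the ISP resolver was left in place after the VPN came up.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 198.51.100.53
nameserver 203.0.113.1
"""


def parse_resolvers(resolv_conf: str) -> list[str]:
    """Nameserver addresses from resolv.conf text (Linux/macOS); comments are ignored."""
    servers = []
    for line in resolv_conf.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def in_prefixes(addr: str, prefixes: list[str]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def preflight(egress_ip: str, resolv_conf: str, browser_tz: str, exit_profile: dict = VPN_EXIT) -> list[str]:
    """Return leak findings for one session; an empty list means all three checks pass."""
    findings = []
    if not in_prefixes(egress_ip, exit_profile["egress_prefixes"]):
        findings.append(f"egress {egress_ip} is outside the VPN exit ranges: tunnel down or split-tunnelled")
    resolvers = parse_resolvers(resolv_conf)
    if not resolvers:
        findings.append("no nameserver configured: resolution may fall back to the ISP resolver")
    for r in resolvers:
        if ipaddress.ip_address(r).is_loopback:
            findings.append(f"resolver {r} is a local stub: check what it forwards to (e.g. resolvectl status)")
        elif not in_prefixes(r, exit_profile["dns_prefixes"]):
            findings.append(f"resolver {r} is not the VPN's DNS: queries leak to a third party")
    if browser_tz != exit_profile["timezone"]:
        findings.append(f"browser timezone {browser_tz} differs from exit timezone {exit_profile['timezone']}")
    return findings


if __name__ == "__main__":
    for f in preflight("198.51.100.7", SAMPLE_RESOLV_CONF, "America/New_York"):
        print("LEAK:", f)
```

Feed it your real egress IP (from any "what is my IP" lookup made through the tunnel), your current resolv.conf, and the timezone your browser reports; any finding means the session is not yet leak-free.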
Layer 2 — Browser identity
| Consideration | Practice |
|---|---|
| Browser fingerprint | A fingerprint-resistant browser (Tor Browser, Mullvad Browser, Brave with strong protections) reduces the entropy of your visit. |
| Cookies and localStorage | Use a fresh profile per investigation, or use containerised tabs (Firefox Multi-Account Containers) to keep investigation traffic separate from your daily browsing. |
| JavaScript | When inspecting a hostile page, JS-disabled is safest. Many tools (the toolkit's Wayback archive) let you read content without executing the page's JS. |
| Referer headers | Some browsers leak the referer; configure your investigation browser to suppress it or use the toolkit's network tools (which never send a referer the target can read). |
Layer 3 — Application identity
| Consideration | Practice |
|---|---|
| Account-based logins | Never log into a personal account on a target's site. Create a separate research account if a logged-in view is needed and authorised. |
| CAPTCHA solving | A real solved CAPTCHA tells the site that some human visited. Avoid unless the target's account-bearing data is the actual investigation goal. |
| Search-engine queries | Google / Bing queries are logged against your IP. Use a privacy-respecting search (DuckDuckGo, Brave Search) for investigation queries; better still, use pastebin search and direct fetches via the toolkit. |
| Direct-message contact | Never reach out to the subject from your real identity unless that contact is part of an authorised investigation (e.g., right-of-reply for a journalist). |
Layer 4 — The toolkit itself
| Consideration | Practice |
|---|---|
| What the toolkit fetches | Every external call from the toolkit goes from your machine over your configured network. Your VPN / proxy applies to those calls. |
| What the toolkit stores | Everything stays on your machine. The only outbound call ZeroTrace itself sees is the periodic license-validation handshake — it does not include the queries you ran. |
| Source attribution | Every tool result names which public sources contributed. For sensitive cases, audit those sources before the run — some public sources retain query logs. |
The toolkit is designed so that the only person who knows what you searched for is you. But each public source you query has its own logging policy. For investigations where even the fact of the query is sensitive, prefer sources known for low logging (or use cached data via the Wayback archive).
Layer 5 — The artefact
| Consideration | Practice |
|---|---|
| PDF metadata | The toolkit's exported PDFs include the profile name and your local timestamp. For published reports, scrub or replace these before distribution. |
| Screenshots | If you screenshot results outside the toolkit, your screenshot tool may embed EXIF or text metadata, and your OS may put your user account name in the filename. Strip metadata before sharing. |
| File names | A filename like target-acme-corp-investigation.pdf tells anyone who sees the file — even just on your desktop — what you are working on. Use neutral names for files in transit. |
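One way to do the "strip metadata before sharing" step for PNG screenshots, using only the standard library. This is an added example, not toolkit code; it drops the ancillary chunks that carry text, EXIF and timestamps and leaves pixel data untouched. The sample image is constructed in the block.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Ancillary chunks a screenshot tool may write: free text, compressed/international
# text, embedded EXIF, and last-modified time. Everything else is kept.
METADATA_CHUNKS = {b"tEXt", b"zTXt", b"iTXt", b"eXIf", b"tIME"}


def iter_chunks(data: bytes):
    """Yield (type, payload) per chunk, verifying each CRC so a damaged file is rejected."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos < len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        payload = data[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + payload) != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, payload
        pos += 12 + length


def build_chunk(ctype: bytes, payload: bytes) -> bytes:
    return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", zlib.crc32(ctype + payload))


def strip_png_metadata(data: bytes) -> tuple[bytes, list[str]]:
    """Return (cleaned PNG, names of removed chunks). Image structure is preserved."""
    out = bytearray(PNG_SIGNATURE)
    removed = []
    for ctype, payload in iter_chunks(data):
        if ctype in METADATA_CHUNKS:
            removed.append(ctype.decode("ascii"))
            continue
        out += build_chunk(ctype, payload)
    return bytes(out), removed


def make_sample_png() -> bytes:
    """Constructed 1x1 greyscale PNG tagged with an author comment and a timestamp."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x80")  # filter byte + one grey pixel
    return (PNG_SIGNATURE + build_chunk(b"IHDR", ihdr)
            + build_chunk(b"tEXt", b"Author\x00alice-laptop")
            + build_chunk(b"tIME", struct.pack(">HBBBBB", 2024, 5, 1, 9, 30, 0))
            + build_chunk(b"IDAT", idat) + build_chunk(b"IEND", b""))
```

For real screenshots, read the file bytes, pass them through `strip_png_metadata`, and write the cleaned bytes to a new, neutrally named file; JPEG screenshots need a separate EXIF/APP-segment strip.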
A simple checklist
Before any sensitive investigation:
- VPN running and verified leak-free.
- Investigation browser open, separate from your daily browsing.
- Investigation profile open in the toolkit.
- Notes saved locally; nothing synced to a cloud you do not control.
- After the session: lock the toolkit, close the browser, leave the VPN running until any pending tool calls finish.
When OPSEC is not the constraint
Not every investigation needs the full discipline above. For routine due-diligence on public companies, for SOC triage on internal IPs, for verifying a publicly-claimed fact — the standard discipline (use the toolkit, pin findings, don't talk to the subject) is sufficient.
The full discipline kicks in for:
- Investigative reporting on hostile subjects.
- Counter-intelligence against an active threat.
- Cases where retaliation is a realistic possibility.
- Cases where the subject is technically sophisticated.
For everything else, the toolkit's defaults are fine.