Why For Today’s Cyber Investigations We Need to Combine Intelligence Disciplines

Intelligence professionals and investigators often like to jokingly debate about which intelligence discipline is the most valuable of them all, or which one was the one that ultimately cracked the case. The answer always seems to be crystal clear for them: The one they specialize in, of course.


The truth is: it depends. While some view intelligence disciplines as separate from one another and sometimes competing, we view them as complementary. We believe in the power of inter-disciplinary knowledge. And we believe in the power of combining and supplementing intelligence collection disciplines with one another and create a powerful combination, when appropriate.


criminal hacker

But there is another truth to this debate: intelligence disciplines are always evolving… …and so are crimes. The environment of criminal investigations has changed dramatically within the past few years. Today’s criminals are tech savvy and regularly misuse modern online tools and platforms for their criminal agenda. A vast amount of crimes today are either committed entirely online, or include a significant degree of online activity, communications, tools and platforms. That means there is also plenty of evidence that can be found through traces left on the internet. Sadly, these online trails are often ignored or underutilized by investigators, either due to lack of training, practice, or mindset. At the same time, criminals make sure to educate themselves, exchange information and tactics with one another, and hide better online and offline.


Investigators can and should follow those digital trails. They should be equipped with the knowledge and skills necessary to take advantage of the intelligence they can collect online. And they should know the methodologies and tools involved in this process. But are they adequately prepared to do so? What are the necessary skills? Are they trying to play a new game with old tricks?

The environment of criminal investigations has changed dramatically within the past few years. Today’s criminals are tech savvy and regularly misuse modern online tools and platforms for their criminal agenda.

There are three disciplines that fit together like bread, butter, and honey in criminal investigations. These are Open Source Intelligence (OSINT), Social Media Intelligence (SOCMINT) and Human Intelligence (HUMINT). Combining the three has the potential to take someone from researching a subject/case to engaging overtly or covertly with key people in a highly effective manner. To explain how, we will start from the first and fundamental discipline (the bread): Open source intelligence.


Open Source Intelligence (OSINT)

The internet is a goldmine of information. Information that is publicly available and therefore, in most jurisdictions, fair game and legal to use in an investigation. You can find anything from transportation methods and schedules of your target, to their actual physical location, whereabouts, and anything else the internet has made available. There are 1000 secrets hidden there, but let us start with the first one: OSINT is more than well-crafted Google searches that bring to the surface the gold nuggets of information you need. It is a mindset, and the best tool is your brain. In an investigative context, you use OSINT techniques to uncover pieces of evidence that relate to your case or target. And then you use your investigative and analytical mindset, to make these pieces of evidence lead to more pieces of the puzzle, until you have a (mostly) full, substantiated story.


Social Media Intelligence (SOCMINT)

Social Media Intelligence refers to information collection through the social networking platforms that your target person, group, or their associates use. This is a sub-discipline of OSINT that presents you with a variety of handy options. Through SOCMINT, an investigator can not only get access to hard data, but also to intuitive (or inferred) intelligence, or even use social media as a tool for (inter)active reconnaissance in some case scenarios.


For example: A target’s profile picture can be used in a reverse image search to yield more social media profiles or open up other online resources relating to your subject. Automated network analysis or an interaction analysis can be performed on their social media connections to establish the target’s close relationships and key figures in their inner circle. Specific pieces of information can be used as gateways to more connecting information sources.


Personal details are also found in abundance. And with a little bit of training and research into your target’s profile, you can create a highly accurate personality profile. This can include information readily observable, such as your target’s hobbies, routines, locations, etc. or intelligence derived from educated inferences based on human psychology. The latter can include your target’s personality characteristics, wants, motives, insecurities and driving forces (all of which can be inferred with a high degree of success rate by not-so-obvious behavioral traces that unnoticeably leak through the target’s online behavior). We do not recommend attempting this without proper training. But knowing the profiling matrix of your target is usually invaluable when the time comes to interact with them.


This leads us to the phase of…


Human Intelligence (HUMINT)

The oldest intelligence discipline, HUMINT, refers to the collection of information through human sources – in written or spoken form. Human intelligence is still very relevant and valuable in the cyber domain. Some information is simply not going to be found online through OSINT, SOCMINT, or other intelligence disciplines. This is where HUMINT comes in, to help fill in the gaps, or elicit information that have the potential to solve a case.


At the same time, OSINT and SOCMINT can be used as supporting disciplines when an investigator’s or intelligence professional’s ultimate goal is to be able to effectively interact with a suspect and either infiltrate a group, recruit the target, draw a confession or conduct other primarily HUMINT-related activities. These activities can happen overtly or covertly. Some sources provide information knowingly and others have no clue that they reveal important information or are not aware to who they provide the information to. In the case of a covert HUMINT operation, you will most probably have to create fake social media account (a sock puppet). Knowing your subject’s profiling matrix and the social networks your target is active in is crucial for creating a sock puppet that is made to convince and work with a target.



In summary, combining OSINT, SOCMINT and HUMINT can be a highly effective intelligence collection approach for modern investigations. Each discipline alone is powerful, but combined they intensify the value and provide investigators with a sophisticated toolset for challenging investigations.


This potential was our primary motivation when we (Christina Lekati & Samual Lolagar) decided to join our specializations and create a course that would provide attendees with the knowledge and skills necessary to take advantage of the above intelligence collection opportunities. Our course “Fundamentals of Cyber Investigations and Human Intelligence” is now ready and will be taught as an online class on the 26th of November. You can find all the relevant information and enroll at: https://fcihi.teachable.com/p/signup

Welcome to the world of secrets that love to hide in plain sight! We hope to see you in class and show you how to find them.