Home / Articles / OSINT OPSEC Field Guide
Personal Security & Investigative Tradecraft

OSINT OPSEC Field Guide

Keeping your personal life and your investigative work separated, hardened, and hard to attribute.
A practical checklist built on one habit: compartmentalization.

picture_as_pdf

Get the free PDF guide

Sign in or create a free Forensic OSINT account to download the guide and the printable checklist. It is free, and takes less than a minute.

This is a working reference for anyone who does OSINT or investigative work and wants to keep their real identity separated from their research. Review and update it quarterly. Security is a habit, not a one-time setup.

01 Core Principles

Everything below is an application of a small number of ideas. Internalize these first.

  1. Compartmentalize. Use separate browsers, devices, and accounts for different life domains. Your personal life should never share a browser profile, email, or device with OSINT or investigative work. Why: a single slip-up, a logged-in account, an autofilled address, a synced bookmark, can bridge two identities that must stay unlinked.
  2. Security is a habit, not a project. There is no "done." Revisit accounts, permissions, and exposure on a recurring basis.
  3. Threat-model before you act. Ask two questions constantly: "What do I post online?" and "Who may want my information?"
  4. Gut-check before sharing. "What could a malicious actor do with this information?" Apply this filter to every photo, post, or form field before it goes out.
  5. Digital breadcrumbs. The more habitually private someone is, the harder they are to OSINT. It is habitual oversharing, not any single post, that makes a person easy to profile.

02 Personal Life Foundations

Baseline hygiene that applies whether or not you ever touch an investigation.

  1. Use a password manager (for example, Bitwarden) for everything.
  2. Build strong, unique passwords. Let your password manager generate long random passphrases (16+ characters), never reuse one across sites, and never build one from personal details, pet names, birthdays, sports teams, that already show up in your own social media.
  3. Enable two-factor authentication everywhere it is offered. Use an authenticator app or a hardware key (for example, YubiKey), not SMS. SMS codes are vulnerable to SIM-swapping. Store backup and recovery codes somewhere offline and secure.
  4. Set an alphanumeric phone passcode, not biometrics-only, and lock down app permissions and location access.
  5. Keep your OS, browser, and apps patched. Turn on automatic updates. Unpatched software is one of the most common entry points.
  6. Delete unused accounts properly. Assume everything you post on social media eventually goes public.
  7. Encrypt your disk. BitLocker on Windows, FileVault on Mac.
  8. Separate browsers by purpose. For example, Brave or Firefox for personal browsing; Chrome reserved only for OSINT work (or the reverse). The separation matters more than the specific tool.
  9. Cover your webcam and lock your screen every time you step away. Basic physical and device hygiene, not just passwords.
  10. Use incognito or private mode whenever you use someone else's computer.
  11. Google yourself. Search "Your Name" AND "City", and also search your employer's name alongside your own. Then opt out of people-search and data-broker sites using a burner email and phone.
  12. Audit your social media privacy settings. Set profiles to private, review your follower and friend lists, and disable public tagging. Do not rely on platform defaults.
  13. Harden your circle. Attackers often pivot through the least-secured person near you: family, coworkers, friends.
verified_user

Practice security by absence: delete unused accounts, apps, and software. You cannot get hacked through what you do not have.

03 What Not to Post

Common, easy-to-miss oversharing patterns. Each one gives an attacker or a researcher a free data point.

  1. Photo metadata (EXIF/GPS). Depending on the device, camera app, permissions, and settings, photos may include GPS coordinates, timestamps, and device information. Check for sensitive metadata before sharing, especially in original files or photos taken at private locations.
  2. Boarding pass photos. The barcode encodes your name, departure and destination airport, and airline.
  3. ID cards, work badges, office keys. All aid social engineering and physical pretexting.
  4. "On vacation" photos. Announces that a home is empty, in real time.
  5. Back-to-school signs and Halloween porch photos. Often leak a child's full name, school, grade, or the house number and street. Crop tightly or shoot against a neutral backdrop.
  6. Bumper stickers. Ask "what am I driving around with?" School, sports team, union, or veteran-status stickers can identify you and your routine.
report_problem

Social engineering example: something as innocuous as a "favourite band" answer in a casual post can be used to guess a security-question-based password reset.

Self-exposure checks

  1. Audit your public footprint. Search your name, email address, usernames, and common document titles to identify personal information or files that may be publicly accessible. Review sharing permissions on Google Drive, Dropbox, and similar services, and remove public access where it is not needed.
  2. Verify suspicious messages safely. Avoid opening unexpected links or attachments, even when a message appears urgent or comes from a familiar name. Confirm the sender through a separate channel, and inspect questionable links with a reputable URL-scanning service before visiting them.
  3. Monitor how your photos are being used. Periodically run reverse-image searches on profile photos and other identifiable images to find impersonation, unauthorized reposts, or scraped content. Report misuse and tighten privacy settings on the original accounts when necessary.

04 OSINT / Investigative Work Practices

Extra discipline layered on top of the personal-life baseline, specific to doing OSINT or investigative work.

Network & research hygiene

  1. Use dedicated sock-puppet accounts for research, never your personal or real-name accounts. Give each persona its own email, browser profile (or VM), and phone number where needed, and never log into a personal account from a research browser session, or vice versa.
  2. Use a VPN for OSINT work. Mask your investigative IP so targets and platforms cannot see your real location or ISP when you are researching them. Never research a subject on the same network session you use for personal browsing.
  3. Browse LinkedIn in private or anonymous mode when researching a subject. Otherwise your name or a generic profile shows up in their "who viewed your profile" list and tips them off.
groups

Why sock puppets matter: your personal accounts carry your real identity, browsing history, ad-tracking profile, and social graph. Logging into even one of them mid-investigation, even by accident, can expose you to the subject or link your real identity to the case.

Attribution resistance

  1. Seed deliberate disinformation. Spelling variants of your name, fake profiles, inconsistent locations and usernames, to make attribution across your accounts harder.
  2. Reduce unnecessary links between identities. Avoid reusing the same usernames, profile photos, bios, recovery details, or location information across personal and research accounts. Keep each persona's accounts, contact details, and browsing environment separate.
  3. Delete dormant accounts. Old social profiles, email accounts, and unused apps can expose personal information, be taken over, or help others connect your current identities. Close accounts you no longer need and revoke their access to other services.

05 Verification & Monitoring Toolkit

A recurring checklist of sites and tools to audit your own exposure.

PurposeToolNotes
Breach exposurehaveibeenpwned.comCheck current exposure and sign up for ongoing breach notifications.
Reverse image searchimages.google.com
tineye.com
yandex.com/images
Check whether your own photos have been reused or scraped elsewhere.
Browser fingerprintingcoveryourtracks.eff.org
amiunique.org
whoer.net
See how unique or trackable your browser configuration is.
App tracker & permission exposurereports.exodus-privacy.eu.orgAudits trackers embedded in mobile apps.
Terms of Service reviewtosdr.orgPlain-language summaries of what you are agreeing to.
Pull / delete your datajustgetmydata.com
justdeleteme.xyz
Request your data or find deletion instructions per service.
Messenger comparisonsecuremessagingapps.comCheck before adopting a new messaging app.
Self-monitoringGoogle AlertsSet an alert on your own name to get emailed on new mentions.
URL safety checkurlscan.ioInspect a suspicious link before clicking it.
Privacy-respecting searchsearch.brave.com
startpage.com
Use instead of Google or Bing for sensitive searches.
Browser privacy add-onsPrivacy Badger, Ghostery, User Agent SwitcherBlock trackers and reduce fingerprint uniqueness.

06 The Self-OSINT Workflow

A simple, repeatable three-step mental model. Run it on yourself the same way you would run it on a subject.

Digital Footprint
arrow_forward
Search Yourself
arrow_forward
Public Data Removal

Repeat this loop on a recurring schedule. Quarterly is reasonable. New data brokers and new posts by others continually reopen the gap you just closed.

07 Hardening Your Circle

You can lock down your own footprint perfectly and still be exposed by someone else.

  1. Educate family, coworkers, and friends. Attackers often pivot through the weakest-secured person near you rather than attacking you directly.
  2. Assume others will post about you. Tagged photos, shared contact lists, and casual mentions by people in your circle can undo your own opsec entirely.
smart_display

Reference for sharing with family and friends: the "Data to Go" video is a good non-technical explainer for why their habits affect your exposure too.

"Data to Go" is a short, non-technical explainer on how everyday oversharing exposes you and the people around you.
One-page OSINT OPSEC checklist previewzoom_in Click to enlarge
Companion checklist

Take the checklist with you

Every practice in this guide, condensed to a single printable page. Tick each item off, keep it by your desk, and run through it again every quarter.

Want this as a PDF?

Create a free Forensic OSINT account to download the full field guide and the printable checklist, print-ready and yours to keep.

More Articles →

Minimum Requirements:

  • 8 Characters
  • 1 Upper
  • 1 Lower
  • 1 Digit