SEC487: Open-Source Intelligence (OSINT) Gathering and Analysis

GOSI GIAC Open Source Intelligence 

A foundational course in open-source intelligence (OSINT) gathering that teaches students how to find, collect, and analyse data from the Internet. This course provides the OSINT groundwork knowledge for students to be successful in their fields and enforces that knowledge with over 20 hands-on exercises.

The amount of data being pushed to the Internet each minute is staggering. Hundreds of hours of video, hundreds of thousands of images, and more text than can be indexed with a search engine. Couple that massive amount of data with websites that restrict access, those on unindexed servers, and data in the dark web, and you will quickly understand that gaining a strong foundation in how to search, collect, and analyze data from Internet-facing platforms no matter where they are located is important. This is what SEC487 does. It starts with how to collect and analyze data and quickly moves into teaching techniques to gain access to and then to harvest content from websites. It touches on a broad array of Open-Source Intelligence (OSINT) topics from setting up an OSINT analysis platform to accessing the dark web. It is an entry-level course that is far from basic and will empower students to seek, find, and use data from sources around the world. If you are relying on search engine indexes to find and gather data, its a guarantee that youre missing information. SEC487 is a foundational course in open-source intelligence (OSINT) gathering that teaches students how to find, collect, and analyze data from the Internet. Far from being a beginner class, this course teaches students the OSINT groundwork to be successful in finding and using online information, reinforced with over 25 hands-on exercises.

What You Will Learn
This is a foundational course in open-source intelligence (OSINT) gathering that will move quickly through many areas of the field. While the course is an entry point for people wanting to learn about OSINT, the concepts and tools taught are far from basic. The goal is to provide the foundational knowledge for students to be successful in their fields, whether they are cyber defenders, threat intelligence analysts, private investigators, insurance fraud investigators, intelligence analysts, law enforcement personnel, or people who are curious about OSINT.

Many people think that using their favorite Internet search engine is enough to find the data they need to do their work, without realizing that most of the Internet is not indexed by search engines. SEC487 teaches students effective methods to find the unlinked data. You will learn real-world skills and techniques to scour the massive amounts of data found on the Internet. Once you have this information, SEC487 will show you how to ensure that it is corroborated, how to analyze what you gathered, and how to make sure it is useful to your customers.

With over 25 real-world exercises using the live Internet and dark web to reinforce the course material, and with quizzes and other activities to test knowledge, the SEC487 course does not just provide you materials but also helps you learn them. The course teaches students how to use specific tools and techniques to accomplish their investigative goals, focusing on processes through flow charts that map out procedures for most of the course techniques.

This Course Will Prepare You To:

• Create an OSINT process
• Conduct OSINT investigations in support of a wide range of customers
• Understand the data collection life cycle
• Create a secure platform for data collection
• Analyze customer collection requirements
• Capture and record data
• Create sock puppet accounts
• Harvest web data
• Perform searches for people
• Access social media data
• Assess a remote location using online cameras and maps
• Examine geolocated social media
• Research businesses
• Collect data from the dark web

What You Will Receive with This Course:

• A Digital Download Package with a custom Linux virtual machine. Labs will be run from this platform.
• An electronic workbook (inside the virtual machine) containing interactive labs.

Syllabus (36 CPEs)

SEC487.1: Foundations of OSINT

SEC487.2: Core OSINT Skills

SEC487.3: People Investigations

SEC487.4: Website, Domain, and IP Investigations

SEC487.5: Business and Dark Web OSINT

SEC487.6: Capstone: Capture (and Present) the Flags

GIAC Open Source Intelligence
“As the first and only non-vendor specific, industry-wide OSINT certification, the GIAC Open Source Intelligence (GOSI) certification represents a huge milestone in the worlds of open source intelligence and cyber reconnaissance. It creates a marker from which students can be recognized for their achievements and competence in the OSINT field of study. Whether they are performing social media analysis of a target or just “fancy googling,” the GOSI certification shows they have a strong foundation in OSINT.” -  Micah Hoffman, SEC487 Course Author

• Open Source Intelligence Methodologies and Frameworks
• OSINT Data Collection, Analysis, and Reporting
• Harvesting Data from the Dark Web

Prerequisites
Basic computer knowledge is required for this course.

Laptop Requirements
Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

A properly configured system is required for each student participating in this course. Before coming to class, carefully read and follow these instructions exactly.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run the VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

It is necessary to fully update your host operating system prior to the class to ensure you have the right drivers and patches installed to utilize the latest USB 3.0 devices.

Those who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.

You also must have 8 GB of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64-bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

Download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x, or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Other virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 is not compatible with Windows 10 Credential Guard and Device Guard technologies. Please disable these capabilities for the duration of the class, if they are enabled on your system.

MANDATORY SEC487 SYSTEM REQUIREMENTS:

CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this course (Important - Please Read: a 64-bit system processor is mandatory)
BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
RAM: 8 GB (gigabytes) of RAM or higher is mandatory for this course (Important - Please Read: 8 GB of RAM or higher is mandatory)
Wireless Ethernet 802.11 G/N/AC
USB 3.0 port (courseware provided via USB)
Disk: 30 gigabytes of free disk space
VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+ or Fusion 11.5+
Privileged access to the host operating system with the ability to disable security tools

A Linux virtual machine will be provided in class
Your course media will be delivered via download. The media files for class can be large, some in the 10-15 GB range. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form. Additionally, certain classes are using an electronic workbook in addition to the PDFs. The number of classes using eWorkbooks will grow quickly. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement
"I have always been intrigued by the types and amount of data that are available on the Internet. From researching the best restaurants in a foreign town to watching people via video cameras, it all fascinates me. As the Internet evolved, more high-quality, real-time resources became available and every day was like a holiday, with new and wondrous tools and sites coming online and freely accessible.

"At a certain point, I was no longer in awe of the great resources on the web and, instead, transitioned to being surprised that people would post images of themselves performing illegal acts or in compromising positions, or that a user profile would contain such explicit, detailed content. My wonder shifted to concern for these people. What I found was that, if you looked in the right places, you could find almost anything about a person, a network, or a company. Piecing together seemingly random pieces of data into meaningful stories became my passion and, ultimately, the reason for this course.

"I recognized that the barrier to creating excellent open-source intelligence reports was not that there was no free data on the Internet. It was that there was too much data on the Internet. The challenge transitioned from 'how do I find something' to 'how do I find only what I need.' This course was born from this need to help others learn the tools and techniques to effectively gather and analyze OSINT data from the Internet." - Micah Hoffman

Ways to Learn
 OnDemand
Study and prepare for GIAC Certification with four months of online access to SANS OnDemand courses. Includes labs and exercises, and SME support.

 Live Online
Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

 In Person (6 days)
Training events and topical summits feature presentations and courses in classrooms around the world.

Who Should Attend SEC487?
This course will teach you novel, creative techniques to find data on the Internet, whether you are trying to find suspects for a legal investigation, identify candidates to fill a job position, gather hosts for a penetration test, or search for honey tokens as a defender.

While this list is far from complete, the OSINT topics in SEC487 will be helpful to:

OSINT Investigators
Cyber Incident Responders
Cyber Threat Intelligence Analysts
Digital Forensics (DFIR) Analysts
Financial Crimes Investigators
Human Resources Personnel
Insurance Investigators
Intelligence Personnel
Law Enforcement
Penetration/Offensive Security Testers
Private Investigators
Recruiters/Sourcers
Security Awareness Staff