SEC537: Practical OSINT Analysis and Automation

About the course

This course teaches practical open-source intelligence (OSINT) analysis and automation techniques. You will learn tradecraft tips, tactics, techniques, and procedures based on real-world examples that will enable you to carry out in-depth OSINT analysis of groups, image and video verification, and OSINT operations security, as well as understand the foundations of automating OSINT with Python.

What You Will Learn
SEC537 is a two-day course on open-source intelligence (OSINT) for those who already know the foundations of OSINT. The goal is to provide students with more in-depth and technical OSINT knowledge. The course teaches effective methods and techniques for the identification of sensitive groups, image and video verification, browser operations security (OPSEC), network traffic analysis, and Python for OSINT purposes. You will learn OSINT skills and techniques that law enforcement, private investigators, journalists, penetration testers, and network defenders use in order to keep a low profile while scouring the Internet. You will also learn how to analyze groups to make a more in-depth OSINT analysis. As the Internet is becoming more and more of a multimedia platform, you will learn how to fact-check and verify images and video footage.

On the first course day you will learn practical OSINT analysis by completing eight hands-on labs about browser OPSEC, searching sensitive groups, image and video verification, and network traffic analysis for OSINT. On day two we'll move on to eight new labs on Python coding that cover Python fundamentals, requesting and parsing JSON, making web calls, making DNS requests, and extracting EXIF data.

What You Will Receive With This Course

  • Physical and digital workbooks
  • Virtual Machine tailored to the course

This Course Will Prepare You To

  • Take a deeper dive into finding, collecting, and analyzing information found on the Internet
  • Debug, understand, alter, and create your own OSINT-focused Python scripts

Hands-On Labs

The hands-on labs will teach you how to become more adept at finding, collecting, and analyzing OSINT information. The labs draw on practical, real-world examples. Each lab has step-by-step instructions that enable you to learn new OSINT skills or become even more knowledgeable and skilled with the OSINT techniques and procedures you already know.

Syllabus (12 CPEs)
SEC537.1: Practical OSINT Analysis

SEC537.2: Practical OSINT Analysis with Python

Prerequisites

  • Basic knowledge and experience with OSINT and how it is used
  • Knowledge of how to use a Virtual Machine
  • Prior completion of the SEC487 OSINT course is helpful but not required

Laptop Requirements
Important! Bring your own system configured according to these instructions!

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will likely leave the class unsatisfied because you will not be able to participate in hands-on exercises that are essential to this course. Therefore, we strongly urge you to arrive with a system meeting all the requirements specified for the course.

Host Operating System: Latest version of Windows 10, macOS 10.15.x or later, or Linux that also can install and run VMware virtualization products described below. Note: Apple systems using the M1 processor cannot perform the necessary virtualization at this time and cannot be used for this course.

It is necessary to fully update your host operating system prior to the class to ensure that you have the right drivers and patches installed to utilize the latest USB 3.0 devices.

Students who use a Linux host must also be able to access exFAT partitions using the appropriate kernel or FUSE modules.

Students also must have 8 gigabytes of RAM or higher for the VM to function properly in the class.

It is critical that your CPU and operating system support 64 bit so that our 64-bit guest virtual machine will run on your laptop.

In addition to having 64-bit-capable hardware, AMD-V, Intel VT-x, or the equivalent must be enabled in BIOS/UEFI.

You must download and install either VMware Workstation Pro 15.5.x, VMware Player 15.5.x, or Fusion 11.5.x or higher versions before class. If you do not own a licensed copy of VMware Workstation or Fusion, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial on its website.

Other types of virtualization software, such as VirtualBox and Hyper-V, are not appropriate because of compatibility and troubleshooting problems you might encounter during class.

VMware Workstation Pro and VMware Player on Windows 10 are not compatible with Windows 10 Credential Guard and Device Guard technologies.

MANDATORY SEC537 SYSTEM REQUIREMENTS

CPU: 64-bit 2.0+ GHz processor or higher-based system is mandatory for this course (Important - Please Read: a 64-bit system processor is mandatory)
BIOS/UEFI: VT-x, AMD-V, or the equivalent must be enabled in the BIOS/UEFI
RAM: 8 gigabytes of RAM or higher is mandatory for this course (Important - Please Read: 8 gigabytes of RAM or higher is mandatory)
Wireless Ethernet 802.11 G/N/AC
USB 3.0 port (courseware provided via USB)
Disk: 30 gigabytes of free disk space
VMware Workstation Pro 15.5.X+, VMware Player 15.5.X+, or Fusion 11.5+
Privileged access to the host operating system with the ability to disable security tools
A Linux virtual machine will be provided in class
Your course media will be delivered via download. The media files for class can be large, roughly 40-50 gigabytes in size. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Waiting until the night before the class starts to begin your download has a high probability of failure.

SANS has begun providing printed materials in PDF form, and this class uses an electronic workbook in addition to the PDFs. In this new environment, we have found that a second monitor and/or a tablet device can be useful for keeping the class materials visible while the instructor is presenting or while you are working on lab exercises.

Author Statement
"After I first learned the fundamentals of OSINT a few decades ago, there were no practical and in-depth OSINT courses where I could learn more advanced techniques. I have co-developed this course to fill that gap and need. In SEC537 you will learn advanced OSINT techniques, drawing on practical techniques and tradecraft tips from the course authors' years of field experience. The hands-on labs are designed to mimic real-world case examples full of tools and tradecraft techniques. This course is designed by OSINT professionals for OSINT professionals who need to learn those in-depth and advanced OSINT analysis and automation techniques." - Nico Dekens


"OSINT is a powerful tool in our investigations, but there can be challenges in handling the volume of data that we encounter. Automation is a critical part of efficiently collecting and processing our data into OSINT. While commercial tools can help, you will encounter edge cases or limitations of tools that require a solution tailored to your environment and specific workflow needs. In some cases, data may be accessible via API calls. Whatever the case, Python is an excellent choice to address OSINT automation needs. Python has a robust and supportive user community and there are many OSINT projects readily available that are written in Python. Whether you adapt something that is available, add a new module to an existing framework, or write something entirely new, Python is an essential skill for OSINT." - David Mashburn

Ways to Learn

  • Live Online
  • Live, interactive sessions with SANS instructors over the course of one or more weeks, at times convenient to students worldwide.

Who Should Attend SEC537?
Open-Source Intelligence and All-Source Analysts
Law Enforcement Personnel
Military Personnel
Private Investigators
Insurance Claims Investigators
Intelligence Analysts
Journalists
Researchers
Social Engineers
Digital Forensics Analysts
Cyber Threat Intelligence Responders
 
