OPSEC & OSINT — The Operator's Bible
Identity Compartmentalization · Counter-Surveillance · Digital Footprint Elimination · Open Source Weaponization
## Legal Disclaimer
**This guide is for educational purposes, authorized security research, and personal privacy protection only. Using OSINT techniques against individuals without consent, conducting unauthorized surveillance, or deploying counter-forensic measures to obstruct lawful investigations is illegal in most jurisdictions. The author assumes zero responsibility for misuse. Know your local laws before operationalizing any technique described herein.**
## Table of Contents
- [Operational Philosophy](#operational-philosophy)
- [The Threat Model](#the-threat-model)
- [Identity Compartmentalization & Burner Infrastructure](#identity-compartmentalization--burner-infrastructure)
- [Authentication & Credential Warfare](#authentication--credential-warfare)
- [Network Anonymity & Traffic Obfuscation](#network-anonymity--traffic-obfuscation)
- [Communications Security (COMSEC)](#communications-security-comsec)
- [Device Hardening & Full-Disk Encryption](#device-hardening--full-disk-encryption)
- [Browser Security & Anti-Fingerprinting](#browser-security--anti-fingerprinting)
- [Metadata, EXIF & Document Sanitization](#metadata-exif--document-sanitization)
- [Physical OPSEC & Counter-Surveillance](#physical-opsec--counter-surveillance)
- [OSINT: Weaponizing Open Source Intelligence](#osint-weaponizing-open-source-intelligence)
- [OSINT: Tool Arsenal & Automation](#osint-tool-arsenal--automation)
- [OSINT: Defensive Countermeasures](#osint-defensive-countermeasures)
- [Counter-Forensics & Anti-OSINT](#counter-forensics--anti-osint)
- [Digital Exhaust & Traffic Analysis](#digital-exhaust--traffic-analysis)
- [Data Broker & People-Search Site Opt-Out](#data-broker--people-search-site-opt-out)
- [Operational Workflows](#operational-workflows)
- [OPSEC Checklists](#opsec-checklists)
- [OPSEC Failures That Burned Operators](#opsec-failures-that-burned-operators)
- [References](#references)
## Operational Philosophy
OPSEC is not a product you buy. It is not a VPN subscription or a password manager. OPSEC is the systematic process of identifying, controlling, and eliminating the forensic indicators that link your operational activities to your real identity.
Every action generates metadata. Every metadata point is a correlation vector. The adversary — whether a nation-state, a corporate security team, or an OSINT collector — is assembling a graph. Your job is to ensure that graph has no edges connecting your operational persona to your real identity.
The five-step OPSEC cycle, drilled into every operator:
1. **Identify critical information** — What would compromise you if known? Real name, physical address, IP, device fingerprints, writing style, voice pattern, social graph.
2. **Analyze threats** — Who is collecting? Nation-state SIGINT? Corporate threat intel? Determined individual with OSINT tools? Each threat actor has different collection capabilities.
3. **Analyze vulnerabilities** — Where does your critical information leak? Unencrypted DNS? Browser fingerprinting? EXIF data on uploaded images? Payment trails? Cell tower pings?
4. **Assess risk** — Probability × Impact. A low-probability, catastrophic-impact event (nation-state unmasking) demands more rigorous controls than a high-probability, low-impact event (spam).
5. **Apply countermeasures** — Eliminate, reduce, or obfuscate the indicators. Then verify. Then verify again.
**The golden rule:** If you have to ask "is this a risk?" — it is. Default to paranoia. The operators who got burned are the ones who got comfortable.
## The Threat Model
Before you implement any control, define who you are defending against. Countermeasures that stop a corporate threat intel team are irrelevant against a motivated nation-state adversary. Over-engineering your OPSEC for a low-level threat wastes resources. Under-engineering gets you caught.
### Threat Actor Tiers
| Tier | Actor | Capabilities | Collection Methods |
|------|-------|-------------|-------------------|
| **Tier 1** | Script kiddies, casual stalkers | Minimal. Google searches, basic OSINT tools, public databases. | Social media scraping, people-search sites, public records. |
| **Tier 2** | Corporate security, private investigators | Moderate. Paid databases (TLO, LexisNexis), commercial OSINT platforms, social engineering. | Data broker aggregation, credit headers, utility records, pretext calls. |
| **Tier 3** | Organized crime, advanced PI firms | Significant. Financial resources for surveillance, corrupt insiders, physical surveillance teams. | GPS tracking, trash covers, phone metadata analysis, human intelligence (HUMINT). |
| **Tier 4** | Nation-state intelligence agencies | Unlimited. SIGINT collection (upstream and downstream), lawful intercept, zero-day exploits, IMSI-catchers, cross-agency data fusion. | Passive: fiber taps, XKEYSCORE, cell-site simulators. Active: targeted malware, physical compromise, parallel construction. |
| **Tier 5** | Five Eyes / global passive adversary | Total. Long-term data retention, cross-border intelligence sharing, mass surveillance infrastructure, advanced traffic analysis at internet backbone scale. | Everything Tier 4 can do, plus: bulk collection, retroactive decryption (store-now-decrypt-later), AI-powered pattern-of-life analysis, supply chain interdiction. |
### Your Adversary Determines Your OPSEC Posture
- **Against Tier 1-2:** Strong password hygiene, VPN, minimal social media, metadata stripping, burner emails. Low friction. High success rate.
- **Against Tier 3:** Add cash-only transactions, zero personal-social-media presence, encrypted communications exclusively, no pattern-of-life predictability, countersurveillance routines.
- **Against Tier 4-5:** Add air-gapped devices, TAILS/QubesOS, Tor-only connectivity, dead-drop communications, zero electronic footprint linking operational persona to real identity. No exceptions. No mistakes. One slip and you're burned.
**Rule of thumb:** If you are not actively being targeted by Tier 4-5, do not build your OPSEC around that threat model — the operational friction is unsustainable. But know what it looks like, because if you ever graduate to that threat level, you need to have the playbook ready.
## Identity Compartmentalization & Burner Infrastructure
The foundation of operational security is identity separation. Your real identity and your operational identities must exist in separate digital universes with zero crossover — no shared credentials, no shared devices, no shared networks, no shared payment methods.
### Persona Construction
| Element | Real Identity | Operational Persona |
|---------|--------------|-------------------|
| **Name** | Legal name | Fabricated. Do not use random generators — construct a name that blends with the target demographic. Research common names for the persona's claimed nationality, age cohort, and region. |
| **Email** | Personal (Gmail, ProtonMail, etc.) | Burner. Created over Tor, verified with a burner phone number, never accessed from a non-operational IP. ProtonMail for encrypted, Tutanota for no-phone-signup, Guerrilla Mail for disposable. |
| **Phone** | Personal SIM, carrier-registered | Burner phone purchased with cash. No link to real identity. Prepaid SIM activated without ID (jurisdiction-dependent). Or: VOIP numbers via MySudo, BurnerApp, or Twilio. |
| **Payment** | Bank account, credit/debit cards | Cash. Privacy-focused cryptocurrency (Monero > Zcash > Bitcoin via mixer). Prepaid debit cards purchased with cash. Never link operational payment methods to real bank accounts. |
| **Address** | Home address | Virtual mailbox, PMB (Private Mailbox) service, or no physical address at all. If a shipping address is required, use a reshipping service or dead drop. |
| **Social Media** | Real accounts with real social graph | Fabricated accounts. Aged — buy or cultivate accounts months before operational use. Consistent posting history matching the persona. Followers and interactions that establish legitimacy. Never interact with your real accounts. |
| **Devices** | Personal laptop/phone | Dedicated operational devices. Never cross-contaminate. Burner laptop purchased with cash. Factory-reset, encrypted, booted from TAILS or a hardened OS. Never connects to home/work networks. |
| **Writing Style** | Natural voice | Altered. Different vocabulary, sentence structure, punctuation habits, and grammatical patterns. Stylometry is a real threat — advanced adversaries can identify authors by linguistic fingerprint alone. |
### Device Compartmentalization
Real Life Device Operational Device Target Interaction Device
(never used for ops) (air-gapped from real) (disposable, per-engagement)
┌──────────────┐ ┌──────────────┐ ┌──────────────┐
│ Personal │ │ TAILS USB │ │ Burner VM │
│ Laptop │ ╳ │ or QubesOS │ ╳ │ or VPS │
│ Phone │ │ Burner WiFi │ │ via Tor │
└──────────────┘ └──────────────┘ └──────────────┘
│ │ │
│ Never touches │ Never touches │ Disposable;
│ operational │ real identity │ destroyed
│ networks │ networks │ after use
**The crossover rule:** If any of these domains touch, your compartmentalization is broken. Rebuild from scratch.
### Building a Burner Identity — Step by Step
# 1. Acquire hardware — cash purchase, no loyalty cards, no surveillance cameras if possible
# Laptop: refurbished ThinkPad from cash-only seller or in-person, no receipt linked to you
# Phone: burner Android, cash purchase from a retailer without camera coverage
# 2. Create foundational accounts over Tor
# Boot TAILS or connect through at least Tor (socks5://127.0.0.1:9050)
# Navigate to ProtonMail or Tutanota
# Create account with fabricated name, burner phone number for verification
# 3. Acquire a VOIP/burner number for account verification
# Options: MySudo (iOS), BurnerApp, Twilio (programmatic), SMS-activate.org (temporary)
# Never use your real SIM. Never. This is the most common de-anonymization vector.
# 4. Age the accounts
# Do not use a fresh account for high-stakes operations
# Low-and-slow activity: follow accounts, post mundane content, build a pattern of life
# Minimum aging: 2-4 weeks for Tier 1-2 threats, 3+ months for Tier 3+
# 5. Acquire operational connectivity
# Option A: Public WiFi + long-range antenna + MAC randomization
# Option B: Tor (always) → VPN (optional, no-logs, paid with crypto)
# Option C: Compromised WiFi (wardriving) — illegal, use only in authorized testing
# Never: home WiFi, work WiFi, or any network linked to real identity
# 6. Verify compartmentalization before operational use
# Tools: ipleak.net, browserleaks.com, dnsleaktest.com, whoer.net
# Check: WebRTC leaks, DNS leaks, browser fingerprint uniqueness, timezone consistency
## Authentication & Credential Warfare
Passwords are the lock on the front door. Most operators get compromised not through 0-days or nation-state exploits, but through credential reuse, weak passwords, or phishing. This section covers the offensive and defensive sides of authentication.
### Password Generation & Management
# Generate a high-entropy password (128+ bits of entropy)
# Option 1: Diceware passphrase (7+ words)
# Example: "correct horse battery staple federal agency nuclear winter" = ~90 bits
# Use 8-10 words for >100 bits
# Option 2: pwgen with full character set
pwgen -s -y 32 1
# Output: 9K&mR2!xL@pQ5#vN7^wH8*jF3$dC6(aB
# Option 3: /dev/urandom + base64 (truly random)
head -c 32 /dev/urandom | base64 | tr -d '=+/\n'
# Output: q7XzL9mK2pR5vN8wB3jF6cQ1hT4yA0dG
| Manager | Threat Model | Notes |
|---------|-------------|-------|
| **KeePassXC** | Offline, local-only. No cloud sync attack surface. | Database stored on encrypted volume. Key file on separate device. Master password + key file = two-factor for the vault. |
| **Bitwarden (self-hosted)** | Cloud with self-host option. Open source, audited. | Use `vaultwarden` for lightweight self-hosting. TOTP built-in. |
| **pass (password-store)** | CLI-based, GPG-encrypted, git-synced. | Each password is a GPG-encrypted file. `pass insert opsec/email/burner1`. Sync via git over SSH. |
| **No manager (memorized)** | Maximum air-gap. Limited by human memory. | Diceware passphrases for critical keys (master password, GPG key, encrypted volume). Not scalable beyond 5-10 credentials. |
**What not to use:** LastPass (breached repeatedly, closed source), browser password managers (exposed to XSS, malware extraction), cloud-only proprietary managers without zero-knowledge encryption.
### Multi-Factor Authentication (MFA)
| Method | Security | Portability | Attack Vectors |
|--------|----------|------------|----------------|
| **TOTP (Authenticator apps)** | Good | Phone-dependent. Lose phone = lose codes unless backups exist. | Phishing (real-time relay), SIM swap (if SMS fallback enabled), malware on phone. |
| **FIDO2 / U2F Security Keys** (YubiKey, SoloKey) | Excellent | Physical key required. Carry backup. | Physical theft, supply chain (buy directly from manufacturer, verify firmware). |
| **SMS-based 2FA** | Trash | Universal but dangerous. | SIM swapping, SS7 interception, social engineering carrier support. Never use for operational accounts. |
| **Hardware TOTP** (YubiKey OATH, OnlyKey) | Excellent | Physical key stores TOTP secrets. | Same as FIDO2 keys. |
| **Biometrics** | Dangerous | Tied to your body. | Cannot be rotated. Compelled by law enforcement. Facial recognition databases. Fingerprints lifted from surfaces. Never use for operational accounts. |
# TOTP via CLI — no phone dependency
sudo apt install oathtool
# Generate TOTP for a given secret
oathtool --totp -b "JBSWY3DPEHPK3PXP"
# Store secrets in pass with otp extension
pass otp insert opsec/protonmail
pass otp opsec/protonmail
# Output: 482916
### SIM Swapping Defense
SIM swapping is the most common account takeover vector targeting Tier 1-3 operators. The attacker socially engineers your mobile carrier into transferring your number to their SIM. Once they have your number, they reset passwords on every account linked to it.
**Defense:**
1. Never use SMS-based 2FA on critical accounts. Migrate everything to TOTP or FIDO2.
2. Set a carrier PIN/port-out lock on your mobile account. Call your carrier and request it — most don't advertise this feature.
3. Use Google Fi or a carrier with hardware-based SIM protection.
4. Do not associate your operational phone number with any account that could de-anonymize you if compromised.
5. Consider not having a phone number at all. VOIP-only identities are harder to SIM swap — because there is no SIM.
### Credential Breach Monitoring
# Check if an email appears in breaches (via CLI)
# Using haveibeenpwned API (k-anonymity model — your full email never leaves your machine)
curl -s "https://api.pwnedpasswords.com/range/$(echo -n 'password123' | sha1sum | cut -c1-5)"
# Check if a password hash appears in breaches
# The API returns partial hash matches; the full hash never leaves your machine.
# grep the response for your full hash suffix.
# Self-hosted breach monitor: h8mail
pip install h8mail
h8mail -t target@email.com -bc /path/to/breach/compilation -o output.csv
## Network Anonymity & Traffic Obfuscation
Your IP address is the most persistent, hardest-to-spoof identifier on the internet. Every connection you make leaves a timestamped log entry at the destination server, your ISP, and potentially every autonomous system in between. Controlling this is foundational OPSEC.
### The Tor Ecosystem
Tor is the gold standard for low-latency anonymity. It is not perfect, but it is the best tool available.
# Install Tor and configure as SOCKS5 proxy
sudo apt install tor
sudo systemctl enable --now tor
# Verify Tor is running
curl --socks5-hostname 127.0.0.1:9050 https://check.torproject.org
# Transparent Tor routing via torsocks
torsocks curl https://api.ipify.org
# Output:
# Tor + SSH for remote sessions
torsocks ssh user@host.onion
**Tor limitations:**
- **Exit node monitoring:** Exit nodes can see unencrypted traffic. Always use HTTPS.
- **Traffic correlation:** A global passive adversary (Tier 5) can correlate traffic entering and exiting the Tor network through timing analysis. Against this threat, Tor is insufficient alone.
- **Browser fingerprinting:** Tor Browser standardizes fingerprints, but enabling JavaScript or changing window size can de-anonymize you.
- **Human error:** Most Tor de-anonymizations result from operator error — logging into real accounts over Tor, using the same device for real and Tor traffic, or failing to disable WebRTC.
### VPN Considerations
| Attribute | Requirement |
|-----------|------------|
| **Jurisdiction** | Outside Five Eyes (14 Eyes if possible). Panama, Switzerland, Romania, Malaysia, British Virgin Islands. |
| **No-logs policy** | Independently audited and court-tested. Policies on paper mean nothing — a court order reveals the truth. Mullvad, IVPN, ProtonVPN have been tested. |
| **Payment** | Cryptocurrency (Monero preferred). Gift cards purchased with cash. Never credit card, PayPal, or any method linked to real identity. |
| **Account creation** | Over Tor. Burner email. No real information. |
| **Kill switch** | Mandatory. Network lock that prevents any traffic outside the VPN tunnel. Test it: `iptables -L OUTPUT` should show only VPN interface rules. |
| **Connection protocol** | WireGuard > OpenVPN UDP > OpenVPN TCP. WireGuard has a smaller codebase, faster performance, and modern cryptography. |
| **DNS** | VPN-provided DNS only. Verify with `dig +short whoami.akamai.net` — should return VPN DNS resolver IP, not your ISP. |
### Multi-Hop Proxy Chains
A single VPN or Tor circuit is insufficient against Tier 3+ adversaries. Layering creates defense-in-depth.
# Proxy chain: You → Tor → VPN → Target
# This prevents Tor exit nodes from seeing your traffic and VPN from knowing your real IP.
# VPN provider sees: Tor exit node IP → target
# Tor exit node sees: encrypted VPN traffic
# 1. Start Tor (SOCKS5 on 127.0.0.1:9050)
sudo systemctl start tor
# 2. Connect VPN (creates tun0 interface)
sudo wg-quick up mullvad
# 3. Route traffic through both:
# Application → Tor SOCKS5 → VPN tunnel → Internet
# Tools like torsocks handle the Tor layer; the system routes Tor traffic through VPN
# Alternative: proxychains-ng with multiple hops
# /etc/proxychains4.conf:
# [ProxyList]
# socks5 127.0.0.1 9050 # Tor
# http 10.0.0.1 8080 # Your VPS proxy
# socks5 10.0.0.2 1080 # Another hop
proxychains4 -q nmap -sT -Pn target.com
graph LR
A[Operator] -->|Tor SOCKS5| B[Tor Network]
B -->|Exit Node| C[VPN Server]
C -->|Encrypted Tunnel| D[Internet]
D --> E[Target]
style A fill:#1a1a2e,stroke:#e94560
style B fill:#16213e,stroke:#0f3460
style C fill:#1a1a2e,stroke:#e94560
style D fill:#16213e,stroke:#0f3460
style E fill:#1a1a2e,stroke:#e94560
### MAC Address & Wi-Fi OPSEC
# Randomize MAC before connecting to any network
sudo ip link set dev wlan0 down
sudo macchanger -r wlan0
sudo ip link set dev wlan0 up
# Verify randomization
macchanger -s wlan0
# Persistent randomization (systemd)
# /etc/systemd/network/00-default.link:
# [Link]
# MACAddressPolicy=random
# Disable Wi-Fi when not actively in use
sudo ip link set dev wlan0 down
# Check for nearby networks (wardriving)
sudo airodump-ng wlan0mon
# The SSIDs in scan results can reveal your physical location history.
# Disable Wi-Fi when not needed — your device broadcasts probe requests for known networks.
### DNS OPSEC
DNS is the most overlooked leak vector. Default configurations send DNS queries in cleartext to your ISP's resolver. Every domain you resolve is logged and correlated with your IP.
# Test for DNS leaks
dig +short whoami.akamai.net
# Should return the DNS resolver's IP, not your ISP's
# DNS over HTTPS (DoH) — encrypted DNS
# Firefox: Settings → Network Settings → Enable DNS over HTTPS → Custom (NextDNS, Quad9, or self-hosted)
# DNS over TLS (DoT) — system-wide via stubby
sudo apt install stubby
# Configure /etc/stubby/stubby.yml with upstream resolvers
# DNSCrypt-proxy — encrypted + anonymized DNS
sudo apt install dnscrypt-proxy
# Routes DNS through multiple relays; resolver sees relay IP, not yours
# Verify encrypted DNS is working
# Wireshark filter: dns and not dns.flags.response == 0
# You should see no cleartext DNS traffic on port 53
## Communications Security (COMSEC)
Assume every communication channel is compromised until you prove otherwise. Default to end-to-end encryption with forward secrecy, and verify keys out-of-band.
### Encrypted Messaging Threat Matrix
| App | E2E Encryption | Forward Secrecy | Metadata Protection | Open Source | Anonymous Signup |
|-----|---------------|-----------------|---------------------|------------|------------------|
| **Signal** | Yes (Signal Protocol) | Yes (Double Ratchet) | Partial. Signal knows who messages whom and when. Sealed Sender partially mitigates. Requires phone number. | Yes | No (phone required) |
| **Matrix/Element** | Yes (Olm/Megolm) | Yes | Poor. Room membership, timestamps, and participant lists are visible to homeserver. | Yes | Yes (depending on homeserver) |
| **Session** | Yes (Signal Protocol fork) | Yes | Good. Onion-routed. No phone number required. | Yes | Yes |
| **Briar** | Yes (Bramble Transport) | Yes | Excellent. Peer-to-peer (Bluetooth/WiFi Direct/Tor). No central server. | Yes | Yes |
| **SimpleX Chat** | Yes | Yes | Excellent. No identifiers (no phone, no email, no username). Unidirectional message queues. | Yes | Yes |
| **Threema** | Yes | Yes | Good. No phone/email required. Swiss-based. | Yes | Yes (anonymous Threema ID) |
| **Telegram** | Only in "Secret Chats" | Only in Secret Chats | Poor. Default chats are server-side plaintext. | Yes (client), No (server) | No (phone required) |
| **WhatsApp** | Yes (Signal Protocol) | Yes | Poor. Facebook/Meta collects metadata aggressively: who, when, duration, IP, device. | No | No (phone required) |
| **iMessage** | Yes (Apple proprietary) | Yes | Poor. Apple can decrypt if iCloud Backup is enabled. Key server is Apple-controlled. | No | No (Apple ID required) |
| **Discord** | No | N/A | None. Everything is server-side plaintext. Discord reads all messages. | No | No |
**The rule:** If it's not open source, independently audited, and verifiably E2E-encrypted with forward secrecy — do not trust it with operational communications. Period.
### PGP/GPG for Email
# Generate a strong keypair (RSA 4096 or Ed25519)
gpg --full-generate-key
# Choose: ECC (sign and encrypt) → Curve 25519
# Or: RSA and RSA → 4096 bits
# Expiration: 1 year (you can extend later)
# Name: Your operational pseudonym
# Email: Your operational email
# Export public key for sharing
gpg --armor --export operational@proton.me > pubkey.asc
# Encrypt a message
echo "sensitive operational content" | gpg --encrypt --armor --recipient target@example.com
# Decrypt a message
gpg --decrypt encrypted.asc
# Sign a message (proves it came from you)
echo "this message is authentic" | gpg --clearsign
# Verify a signed message
gpg --verify signed.asc
# Web Key Directory (WKD) — publish your key for automatic discovery
# ProtonMail supports WKD natively. For custom domains:
mkdir -p .well-known/openpgpkey/example.com/hu/
gpg --export your-key-id > .well-known/openpgpkey/example.com/hu/
### Secure Voice & Video
| Tool | Security Model | Best For |
|------|---------------|----------|
| **Signal** | E2E encrypted voice/video via Signal Protocol. Gold standard for operational voice. | Phone-to-phone encrypted calls. Requires phone number but call content is secure. |
| **Jitsi Meet (self-hosted)** | WebRTC with DTLS-SRTP. Self-hosted = you control the server. No accounts required. | Group video conferences. Spin up a VPS, install Jitsi, burn it after the meeting. |
| **Mumble + Tor** | Low-latency voice chat. Connect over Tor for anonymity. Murmur server on .onion. | Push-to-talk voice for operational teams. Low bandwidth, low latency. |
| **Briar** | Peer-to-peer voice via Tor hidden services. No server, no metadata. | Maximum anonymity voice calls. Both parties must use Briar and be online simultaneously. |
## Device Hardening & Full-Disk Encryption
If an adversary gains physical access to your device, game over — unless your disk is encrypted and your operating system leaves no forensic residue.
### Operating System Selection
| OS | Threat Model | Notes |
|----|-------------|-------|
| **TAILS** | Tier 3-5 | Amnesic. Runs entirely from RAM. Nothing persists to disk unless explicitly saved to Persistent Storage. All traffic forced through Tor. Built-in MAC spoofing. Shutdown wipes RAM. |
| **QubesOS** | Tier 3-5 | Compartmentalization by virtualization. Each application runs in its own VM (qube). Compromised Firefox qube cannot access your GPG qube. Steep learning curve; extreme isolation. |
| **Whonix** | Tier 3-4 | Two-VM architecture: Gateway routes all traffic through Tor; Workstation is isolated. Can run on QubesOS, VirtualBox, or KVM. Prevents IP leaks even if Workstation is fully compromised. |
| **Kali Linux (hardened)** | Tier 1-3 | Penetration testing distro. Not secure by default. Requires manual hardening: disable unused services, firewall rules, encrypted disk, no telemetry. Use live USB with persistence rather than installed OS. |
| **Arch/Gentoo (hardened)** | Tier 2-3 | Full control. Minimal attack surface. Linux-hardened kernel with grsecurity/PaX patches where available. No bloatware. Build exactly what you need. |
| **macOS/Windows** | Tier 1 | Not recommended for operational use. Closed source, telemetry-heavy, subject to lawful intercept infrastructure, weak against forensic analysis. Use only if forced by operational requirements (target environment). |
### Full-Disk Encryption
# LUKS2 (Linux Unified Key Setup) — standard Linux FDE
# During OS installation or post-install:
# Encrypt an existing partition (DESTRUCTIVE — backup first)
sudo cryptsetup luksFormat --type luks2 /dev/sdX1
# Open encrypted volume
sudo cryptsetup open /dev/sdX1 cryptroot
# Create filesystem on decrypted mapper
sudo mkfs.ext4 /dev/mapper/cryptroot
# Use Argon2id for key derivation (resistant to GPU/ASIC attacks)
sudo cryptsetup luksFormat --type luks2 --pbkdf argon2id --pbkdf-memory 1048576 --pbkdf-parallel 4 /dev/sdX1
# Add a decoy passphrase (plausible deniability)
sudo cryptsetup luksAddKey /dev/sdX1
# --- VeraCrypt Hidden Volumes ---
# Plausible deniability: outer volume with decoy data, hidden volume with real data.
# If compelled to reveal passphrase, reveal outer volume. Hidden volume is undetectable.
# Create outer volume (standard VeraCrypt volume)
veracrypt -t -c /dev/sdX1 --volume-type=normal --encryption=aes --hash=sha-512 --filesystem=ext4
# Create hidden volume within outer volume
veracrypt -t -c /dev/sdX1 --volume-type=hidden --encryption=aes-twofish-serpent --hash=whirlpool --filesystem=ext4
### Anti-Forensic Configurations
# Disable swap (prevents memory pages from hitting disk)
sudo swapoff -a
# Remove swap partition from /etc/fstab
# Encrypt swap if you must have it
# /etc/crypttab:
# cryptswap /dev/sdX2 /dev/urandom cipher=aes-xts-plain64,size=512,swap
# Disable core dumps (prevents memory snapshots on crash)
echo "* hard core 0" | sudo tee -a /etc/security/limits.conf
echo "kernel.core_pattern=|/bin/false" | sudo tee -a /etc/sysctl.conf
# Disable system logging (if operational requirements allow)
sudo systemctl stop rsyslog
sudo systemctl disable rsyslog
# Mount /tmp as tmpfs (RAM only, wiped on reboot)
# /etc/fstab:
# tmpfs /tmp tmpfs defaults,noatime,nosuid,nodev,noexec,mode=1777,size=2G 0 0
# Secure deletion (overwrite and remove)
shred -vfz -n 7 /path/to/file
# -n 7: 7 passes (generally accepted as sufficient against all but electron microscope recovery)
# For SSDs: use blkdiscard or ATA Secure Erase instead (wear leveling makes shred unreliable)
## Browser Security & Anti-Fingerprinting
Your browser leaks more identifying information than any other application. Browser fingerprinting can uniquely identify you across sessions, even with cookies cleared and IP changed.
### What Your Browser Leaks
| Vector | Data Exposed | Mitigation |
|--------|-------------|------------|
| **User-Agent** | Browser, OS, version, device model | Standardize to a common fingerprint. Use Tor Browser's fingerprint. |
| **Screen Resolution** | Exact pixel dimensions, color depth | Do not maximize. Use standard dimensions (Tor Browser defaults to 1000x900 letterboxed). |
| **Installed Fonts** | Complete font list — highly unique | Restrict font enumeration. Firefox: `layout.css.font-visibility.level = 1` (base fonts only). |
| **WebGL** | GPU model, driver version, vendor | Disable WebGL. `webgl.disabled = true` in Firefox. |
| **Canvas Fingerprint** | Unique rendering of hidden canvas element | Tor Browser blocks canvas extraction. Firefox: `privacy.resistFingerprinting = true` (may break some sites). |
| **AudioContext** | Audio hardware fingerprint | Firefox: `privacy.resistFingerprinting = true` adds noise. Or disable entirely. |
| **Timezone** | UTC offset, DST observance | Match your VPN/proxy exit timezone. Firefox: `privacy.resistFingerprinting = true` forces UTC. |
| **Language/Accept-Language** | Browser language preferences | Standardize to `en-US,en;q=0.5`. |
| **WebRTC** | Local IP address (even behind VPN!) | Disable WebRTC. Firefox: `media.peerconnection.enabled = false`. |
| **Battery Status API** | Battery level, charging status — trackable | Firefox: `dom.battery.enabled = false`. |
| **Do Not Track** | DNT header value | Enable it — or disable it. Consistency matters more than the value. |
### Browser Hardening — Firefox (Operational Profile)
# Create a dedicated operational Firefox profile
firefox -ProfileManager -no-remote
# Create new profile: "opsec"
# about:config hardening (apply to operational profile):
# --- Anti-Fingerprinting ---
privacy.resistFingerprinting = true
privacy.resistFingerprinting.letterboxing = true
webgl.disabled = true
media.peerconnection.enabled = false
dom.battery.enabled = false
geo.enabled = false
dom.event.clipboardevents.enabled = false
# --- Tracking Protection ---
privacy.trackingprotection.enabled = true
privacy.trackingprotection.fingerprinting.enabled = true
privacy.trackingprotection.cryptomining.enabled = true
network.cookie.cookieBehavior = 1 # Block third-party cookies
network.cookie.lifetimePolicy = 2 # Session-only cookies
# --- Network ---
network.proxy.type = 1 # Manual proxy
network.proxy.socks = 127.0.0.1
network.proxy.socks_port = 9050 # Tor SOCKS5 port
network.proxy.socks_remote_dns = true # DNS through Tor
network.trr.mode = 2 # DNS over HTTPS
network.trr.uri = https://dns.quad9.net/dns-query
# --- Privacy ---
browser.send_pings = false
browser.safebrowsing.downloads.remote.enabled = false
browser.safebrowsing.phishing.enabled = false # Prevents URL submission to Google
browser.sessionhistory.max_entries = 2
browser.cache.disk.enable = false
browser.cache.memory.enable = true
browser.privatebrowsing.autostart = true # Always private browsing
# --- Disable Telemetry ---
datareporting.healthreport.uploadEnabled = false
toolkit.telemetry.enabled = false
browser.newtabpage.activity-stream.feeds.telemetry = false
browser.ping-centre.telemetry = false
# --- Security ---
security.ssl.require_safe_negotiation = true
security.tls.version.min = 3 # TLS 1.3 minimum
### Browser Fingerprint Verification
Test your operational browser against these sites **before** conducting any operational activity:
| Test | URL | What It Checks |
|------|-----|---------------|
| **EFF Cover Your Tracks** | https://coveryourtracks.eff.org/ | Comprehensive fingerprint: canvas, WebGL, fonts, screen, plugins. Reports uniqueness. |
| **BrowserLeaks** | https://browserleaks.com/ | Detailed leaks: WebRTC IP, canvas, fonts, geolocation, WebGL, SSL/TLS fingerprint. |
| **IPLeak** | https://ipleak.net/ | IP, DNS, WebRTC leaks. |
| **Whoer** | https://whoer.net/ | Composite anonymity score. Checks IP, DNS, timezone, language consistency. |
| **DNS Leak Test** | https://dnsleaktest.com/ | Confirms DNS queries are routed through your proxy, not your ISP. |
| **AmiUnique** | https://amiunique.org/ | Browser fingerprint uniqueness against their database. |
If any test reveals your real IP, your DNS resolver, or a unique fingerprint — do not proceed. Fix the leak first.
## Metadata, EXIF & Document Sanitization
Every digital file carries forensic baggage. Photos embed GPS coordinates and camera serial numbers. PDFs embed author names and creation timestamps. Word documents track editing history and usernames. Sanitize everything before it leaves your control.
### EXIF Data — The Silent Tracker
# View EXIF data in an image
exiftool photo.jpg
# Look for:
# GPS Latitude / GPS Longitude — EXACT LOCATION of the photo
# Camera Serial Number — ties to specific device
# Date/Time Original — proves when you were at the location
# Software — reveals editing tools and version
# Make / Model — camera/phone model
# Strip all EXIF data
exiftool -all= -overwrite_original photo.jpg
# Strip selectively (keep orientation for correct display)
exiftool -all= -tagsfromfile @ -Orientation -overwrite_original photo.jpg
# Verify no metadata remains
exiftool photo.jpg
# Should output only: ExifTool Version Number, File Name, Directory, File Size, etc.
# No GPS, no camera info, no timestamps
# Batch strip entire directory
exiftool -all= -overwrite_original -r /path/to/images/
# --- Other File Types ---
# PDF metadata
exiftool document.pdf
# Strips: Author, Creator, CreationDate, ModDate, Producer
exiftool -all= -overwrite_original document.pdf
# Office documents (DOCX, XLSX, PPTX — these are ZIP files)
# Extract, manually scrub docProps/core.xml and docProps/app.xml, repack
# Or use: mat2 (Metadata Anonymisation Toolkit)
mat2 --inplace document.docx
# Audio files (MP3, FLAC)
exiftool -all= -overwrite_original recording.mp3
# Video files
exiftool -all= -overwrite_original video.mp4
# Wipe file timestamps (creation, access, modification)
touch -t 202001010000 file.txt # Set to Jan 1, 2020 00:00
### MAT2 — Automated Metadata Removal
# Install MAT2
sudo apt install mat2
# Clean a file (supports: png, jpg, pdf, docx, xlsx, pptx, odt, mp3, flac, ogg, avi, mp4, and more)
mat2 sensitive_document.pdf
# Clean in-place (overwrite original)
mat2 --inplace sensitive_document.pdf
# Check if a file is clean (no metadata)
mat2 --check sensitive_document.pdf
# Clean all files in a directory
mat2 --inplace /path/to/operational/files/*
### Document Origin Tracking
Beyond metadata, documents can be fingerprinted by content:
| Vector | Detection | Mitigation |
|--------|-----------|------------|
| **Printer steganography** | Laser printers embed nearly-invisible yellow dots encoding serial number and timestamp. Visible under blue light or with specialized software (deda). | Scan and re-print through a different printer. Or distribute only scanned-to-PDF versions — the dots don't survive the scanning process. |
| **Writing style (stylometry)** | Linguistic fingerprint: vocabulary, sentence length, punctuation, grammatical patterns. Tools like JStylo and Anonymouth can identify authors with >80% accuracy from 500+ words. | Deliberately alter writing style. Use different vocabulary, vary sentence structure, change punctuation habits. For critical documents, have a different person write or heavily edit. |
| **Document versioning** | Word, Google Docs, and similar track edit history, usernames, and revision timestamps in document XML metadata. | Export as plain text and rebuild. Or: convert to PDF via a privacy-respecting tool, then re-OCR if needed. |
| **Image sensor noise** | Each camera sensor has a unique noise pattern (PRNU — Photo Response Non-Uniformity). This can identify which specific camera took a photo. | Downscale images, apply noise reduction filters, or avoid sharing original photos entirely. |
## Physical OPSEC & Counter-Surveillance
Digital OPSEC is meaningless if an adversary can physically observe you, plant a device, or correlate your physical movements with your online activity.
### Physical Security Baseline
| Domain | Requirement |
|--------|------------|
| **Workspace** | No windows facing public areas. Blinds/curtains always closed. Screen not visible from any external vantage point. Shoulder-surfing-resistant screen filter. |
| **Device storage** | Devices stored in a locked safe when not in use. Not under a mattress, not in a desk drawer, not "hidden" in a clever spot. A safe. Bolted to structure. |
| **Transport** | Devices transported in Faraday bags (blocks all RF — cellular, WiFi, Bluetooth, GPS). Powered off, not just sleeping. Battery removed if possible. |
| **Conversations** | Assume all rooms are bugged. Sensitive conversations outdoors, away from buildings (laser microphones can recover audio from window vibrations). No phones in the room. |
| **Mail/packages** | Use PMB (Private Mailbox) services, not your home address. For sensitive deliveries: dead drops, not direct delivery. |
| **Trash** | Shred everything. Cross-cut shredder minimum; micro-cut preferred. Burn shredded material if threat model justifies it. Assume adversaries will perform trash covers. |
| **CCTV** | Map every camera on your routes. Avoid or obscure. Hats, hoods, and angled posture reduce facial recognition effectiveness. IR LEDs can saturate camera sensors at night (legal restrictions apply). |
### Counter-Surveillance Detection
# --- Detecting Hidden Cameras ---
# Method 1: Smartphone camera (detects IR illuminators on night-vision cameras)
# Open phone camera app. Scan room in darkness. IR LEDs appear as white/purple dots.
# Works on most phone cameras (some have IR filters — test with a known IR source first).
# Method 2: RF detector
# Sweep the environment for unexpected radio emissions (cameras transmitting video).
# Professional: HackRF One + spectrum analyzer software (GQRX, SDR#).
# Budget: Bug detector from counter-surveillance suppliers.
# --- Detecting GPS Trackers ---
# Physical inspection: wheel wells, under bumpers, inside bumpers, under seats, OBD-II port.
# RF detector: sweep for periodic 2G/3G/4G transmissions.
# Professional: have a mechanic inspect (trackers are often installed during routine service).
# --- Countering IMSI-Catchers (Stingrays) ---
# IMSI-catchers force your phone onto a fake cell tower, intercepting calls/SMS/location.
# Detection: apps like SnoopSnitch (Android, requires Qualcomm chipset + root).
# Mitigation: use VOIP over encrypted WiFi for operational calls, not cellular.
# E2E encryption (Signal) protects content but not metadata — they still see who called whom and when.
### Secure Travel Protocol
1. Leave phone at home or in Faraday bag (powered off, battery removed if possible).
2. Travel with burner device only.
3. Do not connect burner to any network during travel.
4. Do not use electronic toll passes, credit cards, or loyalty programs during travel.
5. Pay cash for fuel, food, lodging.
6. Vary routes and timing — avoid predictable patterns.
7. Conduct countersurveillance: note vehicles that make the same turns as you.
8. Upon arrival, do not connect burner device until you have verified network security.
9. Upon return, securely wipe burner device and destroy if compromised.
## OSINT: Weaponizing Open Source Intelligence
The flip side of defensive OPSEC: using OSINT to gather intelligence on targets without exposing yourself. Every technique in this section must be executed from a sanitized operational environment — burner device, anonymous network, compartmentalized identity.
### Google Dorking — Advanced Search Operators
Google dorking exploits Google's advanced search operators to find information that was never intended to be public.
# --- File Type Discovery ---
# Find PDF documents on a target domain
site:target.com filetype:pdf
# Find Excel spreadsheets (often contain sensitive data)
site:target.com filetype:xlsx OR filetype:xls OR filetype:csv
# Find Word documents
site:target.com filetype:docx OR filetype:doc
# Find database dumps
site:target.com filetype:sql OR filetype:db OR filetype:sqlite
# Find configuration files
site:target.com filetype:conf OR filetype:cfg OR filetype:ini OR filetype:env
# Find backup files
site:target.com filetype:bak OR filetype:backup OR filetype:old
# Find log files
site:target.com filetype:log
# --- Directory/Path Discovery ---
# Exposed directory listings
site:target.com intitle:"index of"
# Admin panels
site:target.com inurl:admin OR inurl:login OR inurl:dashboard
# Exposed database interfaces
site:target.com inurl:phpmyadmin OR inurl:phpPgAdmin OR inurl:adminer
# Jenkins/CI dashboards
site:target.com intitle:"Dashboard [Jenkins]"
# Git repositories exposed
site:target.com intitle:"index of" ".git"
# --- Sensitive Content Discovery ---
# Pages containing passwords
site:target.com intext:"password" OR intext:"passwd" OR intext:"pwd"
# Configuration files with credentials
site:target.com ext:env "DB_PASSWORD" OR ext:cfg "password" OR ext:ini "password"
# Exposed email addresses
site:target.com intext:"@target.com"
# VPN/remote access portals
site:target.com inurl:vpn OR inurl:remote OR inurl:citrix OR inurl:rdweb
# Network devices
site:target.com intitle:"Login" inurl:"cgi-bin" OR inurl:"admin" "cisco"
# --- Person-Specific Discovery ---
# Find resumes/CVs (rich with personal info)
site:linkedin.com/in "target name" OR "target name" filetype:pdf resume
# Find forum/community posts
"target name" OR "target username" site:reddit.com OR site:github.com OR site:stackoverflow.com
# Find domain registrations
site:whois.com "target name" OR "target company"
# --- Vulnerability Discovery ---
# PHP info pages (exposes server configuration)
site:target.com ext:php intitle:phpinfo
# Open webcams/IoT devices
intitle:"webcamXP" OR intitle:"Live View / - AXIS" OR intitle:"TP-LINK"
# Exposed AWS/S3 buckets
site:s3.amazonaws.com "target" OR site:storage.googleapis.com "target"
**Google Dork Database:** https://www.exploit-db.com/google-hacking-database — 10,000+ dork queries, categorized by target type.
### Shodan — The Internet's Search Engine
Shodan indexes internet-connected devices and services. Unlike Google, which indexes web content, Shodan indexes banners, service versions, and device metadata.
# Install Shodan CLI
pip install shodan
shodan init YOUR_API_KEY
# Search for exposed services on target IP range
shodan search "org:'Target Corp'"
# Find exposed RDP
shodan search "port:3389 org:'Target Corp'"
# Find exposed databases
shodan search "port:3306,5432,27017,6379,1433 org:'Target Corp'"
# Find exposed industrial control systems
shodan search "port:502,102,47808,44818 org:'Target Corp'"
# Find specific service versions (vulnerable to known CVEs)
shodan search "product:Apache version:2.4.49"
# Get detailed info on a specific IP
shodan host 192.168.1.1
# Stream results as JSON
shodan search --fields ip_str,port,org,hostnames,product,version "target" --separator , > shodan_results.csv
# --- Shodan Dorks ---
# Default passwords
"default password" port:23
# Open Elasticsearch (data exfiltration goldmine)
port:9200 "You Know, for Search"
# Open MongoDB
port:27017 "MongoDB Server Information"
# Open Redis
port:6379 -"NOAUTH"
# VNC (no auth)
"authentication disabled" port:5900
# Exposed Docker APIs
port:2375 "Docker"
# Exposed Kubernetes dashboards
port:8001 "kubernetes dashboard"
### Reconnaissance Tool Chain
# --- Domain & DNS Recon ---
# WHOIS lookup (use privacy-respecting service)
whois target.com
# DNS enumeration
dig ANY target.com
dig AXFR target.com @ns1.target.com # Zone transfer attempt
# Subdomain enumeration
subfinder -d target.com -o subdomains.txt
amass enum -d target.com -o amass_subdomains.txt
# Combine deduplicate
cat subdomains.txt amass_subdomains.txt | sort -u > all_subdomains.txt
# DNS bruteforce with wordlist
gobuster dns -d target.com -w /usr/share/wordlists/subdomains-top1million-5000.txt
# Passive DNS data
curl -s "https://api.securitytrails.com/v1/domain/target.com/subdomains?apikey=YOUR_KEY"
# --- Web Recon ---
# Technology stack fingerprinting
whatweb target.com
wappalyzer-cli https://target.com
# Directory/file bruteforce
gobuster dir -u https://target.com -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,html,js,asp,aspx
# Wayback Machine — discover historical pages, forgotten endpoints
curl -s "https://web.archive.org/cdx/search/cdx?url=*.target.com&output=text&fl=original&collapse=urlkey" | sort -u > wayback_urls.txt
# Extract JS files and search for endpoints, API keys, secrets
cat wayback_urls.txt | grep "\.js$" > js_files.txt
# Download and grep each JS file for sensitive patterns
while read url; do
curl -s "$url" | grep -oP '(api[Kk]ey|token|secret|password|auth)["\s:=]+[A-Za-z0-9_\-\.]{10,}'
done < js_files.txt
### OSINT Framework — Tool Categories
| Category | Tools |
|----------|-------|
| **Email** | Hunter.io, Clearbit, EmailRep.io, Holehe (checks email across 100+ services), GHunt (Google account enumeration) |
| **Username** | WhatsMyName (300+ sites), Sherlock, Maigret, Namechk |
| **Phone Number** | PhoneInfoga, Truecaller, Numverify API |
| **Domain** | SecurityTrails, crt.sh (Certificate Transparency), DNSDumpster, ViewDNS.info |
| **IP Address** | Shodan, Censys, GreyNoise, IPinfo.io, AbuseIPDB |
| **Social Media** | Twint (Twitter, deprecated but archives exist), Instaloader (Instagram), yt-dlp (YouTube metadata), OSINTgram |
| **Images** | ExifTool, Google Reverse Image Search, TinEye, Yandex Image Search, FaceCheck.id |
| **Documents** | FOCA, Metagoofil (extracts metadata from public documents), pdfinfo, strings |
| **People Search** | Pipl (deprecated but similar services exist), Spokeo, BeenVerified, Whitepages, TruePeopleSearch, FamilyTreeNow |
| **Breach Data** | DeHashed, SnusBase, HaveIBeenPwned, IntelX, LeakCheck |
| **Geolocation** | GeoGuessr OSINT methodology, Bellingcat guides, SunCalc (shadow analysis), Overpass API (OpenStreetMap) |
| **Dark Web** | Ahmia.fi, Torch, OnionScan, DarkSearch |
| **Corporate** | OpenCorporates, SEC EDGAR, Companies House, Dun & Bradstreet, ZoomInfo |
| **Government** | FOIA.gov, GovInfo, SAM.gov, USASpending.gov, court records (PACER, state-level) |
## OSINT: Tool Arsenal & Automation
### theHarvester — Email, Subdomain, and Employee Enumeration
# Install
sudo apt install theharvester
# Basic enumeration
theHarvester -d target.com -b google,linkedin,crtsh,bing -f harvester_output.html
# All available sources
theHarvester -d target.com -b all
# Limit results
theHarvester -d target.com -b google -l 500
# Sources include: google, bing, linkedin, crtsh, shodan, virustotal, threatcrowd,
# securitytrails, hunter, anubis, omnisint, and many more
### SpiderFoot — Automated OSINT Automation
# Install
pip install spiderfoot
# Start web interface
spiderfoot -l 127.0.0.1:5001
# Navigate to http://127.0.0.1:5001
# Create new scan → target: target.com → select modules by category:
# - Passive: DNS, search engines, social media, certificate transparency
# - Active: port scanning, web scraping, brute force (use cautiously)
# CLI mode
spiderfoot -s target.com -m sfp_dns,sfp_shodan,sfp_crtsh -o csv > sf_results.csv
### Recon-ng — Modular Reconnaissance Framework
# Install
sudo apt install recon-ng
# Start
recon-ng
# Create workspace
workspaces create target_corp
# Add domain to database
db insert domains target.com
# Module: certificate transparency (find subdomains)
modules load recon/domains-certificates/crtsh
run
# Module: Bing search
modules load discovery/info_disclosure/cache_snoop
set SOURCE bing
run
# Module: Shodan host lookup
modules load recon/hosts-hosts/shodan_hostname
run
# Module: IP to geolocation
modules load recon/hosts-locations/ip2location
run
# Module: whois
modules load recon/domains-contacts/whois_pocs
run
# Export results
modules load reporting/list
set FILENAME /root/output.html
set TABLE hosts
run
### Holehe — Check Email Registration Across Services
# Install
pip install holehe
# Check where an email is registered
holehe target@example.com
# Check with specific modules only
holehe target@example.com --only-used twitter,instagram,spotify,amazon,protonmail,tutanota,github,gitlab
# Output in JSON
holehe target@example.com --output json
# This reveals: which platforms the target uses, recovery email patterns, account age, and potential pivot points
### Sherlock / Maigret — Username Search Across Platforms
# Sherlock — search username across 300+ social platforms
git clone https://github.com/sherlock-project/sherlock.git
cd sherlock
python3 sherlock target_username --output results/
# Maigret — more comprehensive, with NLP-based profile matching
pip install maigret
maigret target_username --all-sites --html --pdf
# These reveal: where the target has accounts, activity levels, linked profiles
### GHunt — Google Account OSINT
# Clone and configure (requires cookies)
git clone https://github.com/mxrch/GHunt.git
cd GHunt
pip install -r requirements.txt
# Check Google account by email
python3 ghunt.py email target@gmail.com
# Outputs: Google ID, profile picture (even if private), YouTube channel,
# Google Maps reviews/contributions, Google Photos albums (if public),
# Calendar availability, Hangouts status, linked services
## OSINT: Defensive Countermeasures
For every offensive OSINT technique, there is a defensive countermeasure. If someone is targeting you with the tools above, here is how to deny them.
### Account Isolation & Obfuscation
| Offensive Technique | Defensive Countermeasure |
|--------------------|-------------------------|
| **Email enumeration (Holehe)** | Use unique email addresses per platform (e.g., `target+twitter@proton.me`). ProtonMail and Gmail support plus-addressing. Or use aliases via SimpleLogin/AnonAddy. A different email per service prevents cross-platform correlation. |
| **Username enumeration (Sherlock)** | Never reuse the same username across platforms. Each account gets a unique, randomly generated username. Record them in an encrypted password manager. |
| **WHOIS lookup** | Enable WHOIS privacy protection on all domains. Some registrars (Njalla, njal.la) register domains in their own name as a proxy. |
| **Certificate Transparency logs** | Use wildcard SSL certificates (`*.target.com`) which hide subdomain names from CT logs. |
| **Reverse image search** | Strip EXIF before posting. Alter images slightly (crop, resize, add subtle noise) to break reverse image search hashes. Use tools like Fawkes to apply adversarial noise against facial recognition. |
| **Google dorking** | Robots.txt blocks ethical crawlers but not Google dorking. The only defense: don't expose sensitive files to the public internet. Scan your own domain with the dorks above periodically. |
| **Shodan/Censys scanning** | Block or rate-limit known scanner IPs. Shodan publishes their scanner IP ranges. `iptables -A INPUT -s -j DROP` |
| **Data broker aggregation** | See the [Data Broker Opt-Out section](#data-broker--people-search-site-opt-out) below. |
| **Stylometric analysis** | Obfuscate writing style when posting publicly. Vary vocabulary, sentence structure, and punctuation. For high-sensitivity publications, use a ghostwriter or AI with specific style-transfer instructions. |
### Disinformation & Poisoning
Against determined OSINT collectors, passive defense is insufficient. You need to actively poison their data set.
- **Plant false information:** Create decoy accounts with contradictory details. Different cities, different jobs, different educational backgrounds. The collector cannot distinguish real from fake.
- **Age decoy profiles:** Create accounts months in advance. Post consistently. Build a convincing-but-false pattern of life. When your real accounts are discovered, these decoys dilute the signal.
- **Controlled information release:** Deliberately "leak" specific false details through channels the collector is known to monitor. If that information appears in their intelligence product, you now know they are watching that channel — and you can feed them disinformation through it.
- **Traffic generation:** Generate noise. Automated browsing, random searches, decoy API queries. Makes legitimate traffic harder to isolate from background noise.
**Warning:** Disinformation operations against law enforcement or intelligence agencies may constitute obstruction of justice or similar offenses. Understand your legal exposure before deploying these techniques.
## Counter-Forensics & Anti-OSINT
Counter-forensics is the art of minimizing, obscuring, or eliminating the forensic evidence your activities generate. This is defense-in-depth beyond basic OPSEC.
### Digital Exhaust Minimization
Every online action leaves residue. Counter-forensics is about controlling that residue:
1. CONCEAL — Encrypt everything. Disk, network traffic, communications.
2. COMPARTMENTALIZE — Separate real identity from operational identity. No crossover.
3. MINIMIZE — Produce less data. Fewer accounts, fewer queries, fewer interactions.
4. CORRUPT — Introduce noise. False data, decoy traffic, misleading patterns.
5. DESTROY — Securely delete. Overwrite, then destroy physical media if necessary.
### Log Avoidance & Evasion
| Log Source | What It Records | Evasion |
|-----------|----------------|---------|
| **ISP logs** | IP ↔ Timestamp ↔ DNS queries | Tor for anonymity. VPN for pseudo-anonymity. DNS encryption (DoH/DoT). |
| **VPN provider logs** | Timestamp ↔ Source IP ↔ Bandwidth used | Choose no-logs VPN with independent audit. Pay with Monero. Connect to VPN through Tor (VPN sees Tor exit IP, not your real IP). |
| **Web server logs** | IP, timestamp, User-Agent, referer, requested URL, response code | Tor for IP anonymity. Standardized User-Agent. No referer. Rate-limit queries to avoid volumetric detection. |
| **CDN logs** (Cloudflare, Akamai) | All of the above, plus: ASN, country, TLS fingerprint (JA3), HTTP/2 fingerprint | Same as above. JA3 fingerprint randomization (curl with custom TLS options). |
| **DNS resolver logs** | Query domain ↔ Timestamp ↔ Client IP | Encrypted DNS (DoH/DoT/DNSCrypt). Use a resolver with no-logs policy (Quad9, NextDNS, self-host). |
| **Email metadata** | Header chain: every server that handled the email, timestamps, client IP (sometimes) | ProtonMail strips client IP from headers. Signal for messaging (no email metadata at all). |
| **Payment processor logs** | Name, billing address, IP, timestamp, amount, merchant | Cash. Monero. Prepaid cards purchased with cash. Never link payment to real identity. |
| **Cell tower logs** | IMSI/IMEI ↔ Tower ↔ Timestamp ↔ Approximate location (±50m to ±3km) | Leave phone at home. Use burner. Faraday bag during transport. No cellular devices during operational movements. |
### Secure Deletion & Anti-Forensic File Systems
# --- File-Level Secure Deletion ---
# Overwrite and delete
shred -vfz -n 7 sensitive_file.txt
# For SSDs (wear leveling makes shred unreliable):
# Trim/discard blocks after deletion
rm sensitive_file.txt
fstrim /mountpoint
# Or: encrypt the entire drive from day one.
# If everything is encrypted, deletion is as simple as destroying the key.
# --- Disk-Level Secure Deletion ---
# ATA Secure Erase (works on both HDD and SSD — firmware-level)
sudo hdparm --user-master u --security-set-pass p /dev/sdX
sudo hdparm --user-master u --security-erase p /dev/sdX
# Or: blkdiscard (SSD only — TRIMs all blocks)
sudo blkdiscard /dev/sdX
# --- Memory (RAM) Wiping ---
# Cold boot attacks can recover encryption keys from RAM minutes after power-off.
# Mitigation: power off completely (not sleep/hibernate).
# TAILS wipes RAM on shutdown automatically.
# --- Anti-Forensic File Systems ---
# F2FS with encryption: built-in TRIM support
# ZFS with encryption: copy-on-write, snapshots complicate deletion
# Use `zfs destroy` for snapshots containing sensitive data
### Plausible Deniability
Plausible deniability means an adversary cannot *prove* the existence of hidden data, even if they suspect it.
┌──────────────────────────────────────────┐
│ Outer Volume │
│ (Decoy data — financial records, │
│ innocent documents, family photos) │
│ │
│ ┌─────────────────────────────────────┐ │
│ │ Hidden Volume │ │
│ │ (Operational data) │ │
│ │ Encrypted with different key. │ │
│ │ Free space on outer volume │ │
│ │ appears random — indistinguishable │ │
│ │ from the hidden volume's │ │
│ │ encrypted blocks. │ │
│ └─────────────────────────────────────┘ │
└──────────────────────────────────────────┘
If compelled to reveal password:
→ Reveal outer volume password.
→ Hidden volume's existence cannot be proven.
→ Plausible: "That's just random data / free space."
Important: Maintain the outer volume.
Write to it occasionally. Update files. If the outer volume
shows no activity but the free space keeps changing,
the adversary can infer a hidden volume.
## Digital Exhaust & Traffic Analysis
### Pattern of Life Analysis
Adversaries with long-term collection capabilities build a behavioral profile from your digital exhaust. They don't need content — metadata alone is sufficient.
| Metadata | What It Reveals |
|----------|----------------|
| **Connection timing** | Your timezone, sleep schedule, work hours. Consistent 9-to-5 disconnection = employee. Consistent late-night activity = night owl or different timezone. |
| **Session duration** | Work sessions vs. brief checks. Long, consistent sessions suggest professional use. |
| **Traffic volume symmetry** | Download-heavy = consumer. Upload-heavy = content creator, data exfiltration, or file sharing. |
| **Geolocation of exit IPs** | Physical location. VPN exit nodes cluster geographically. Tor exit nodes are globally distributed. |
| **DNS query patterns** | Interests, tools, infrastructure. Repeated queries to specific domains reveal infrastructure dependencies. |
| **Service usage times** | When do you check email? When do you SSH into servers? Patterns reveal timezone and work habits. |
### Traffic Analysis Countermeasures
- **Traffic padding:** Generate constant low-volume traffic to mask activity spikes. Tor and some VPN protocols support padding.
- **Timing randomization:** Add jitter to automated tasks. A cron job running exactly at 3:00 AM UTC every day is a pattern. A task running at random intervals between 2:45-3:15 is noise.
- **Background noise:** Always have benign traffic flowing. Streaming music, RSS feeds, system updates. Your operational traffic hides in the noise floor.
- **Consistent patterns:** If you must have a pattern, make it consistent with a believable cover story. A "remote worker" connecting during business hours is normal. Connecting at 3 AM local time is not.
- **Burst operations:** Complete operational activity in short, irregular bursts. Do not establish a predictable schedule.
### Data Correlation — The Adversary's Graph
Real Identity ──┬── Personal Email (Gmail)
│ │
│ ├── Recovery phone: +1 (555) 123-4567
│ ├── Linked accounts: Amazon, Spotify, Steam
│ └── IP addresses: 192.168.1.0/24 (home), 10.0.0.0/8 (work)
│
├── Social Media (real name, real photos)
│ │
│ ├── Friends/family connections → social graph
│ ├── Check-in locations → physical movement
│ └── Timestamps → timezone, work schedule
│
└── Financial (bank, credit cards)
│
├── Purchase locations → physical movement
├── Purchase timestamps → behavioral patterns
└── Payment for services → IP attribution (VPN payments, VPS)
│
│ ONE CROSSOVER EVENT
↓
Operational Persona ──┬── Operational Email (ProtonMail)
│ │
│ └── IP: Tor exit node (masked)
│
├── GitHub: operational tools
│ │
│ └── Commit timestamps → timezone correlation
│
└── VPS: operational infrastructure
│
└── Paid with Bitcoin → exchange KYC → real identity
**One edge between these graphs burns the entire operation.** The adversary's job is to find that edge. Your job is to ensure it does not exist.
## Data Broker & People-Search Site Opt-Out
Data brokers aggregate public records, purchase histories, social media scrapes, and offline data into comprehensive profiles. These profiles are sold to anyone willing to pay — including OSINT collectors, stalkers, and adversaries.
### The Major Data Brokers (and How to Opt Out)
| Broker | Coverage | Opt-Out Method | Persistence |
|--------|----------|---------------|-------------|
| **Spokeo** | People search, reverse phone/email/address | spokeo.com/optout — requires email verification | Data may reload from public records. Re-check every 6 months. |
| **Whitepages** | Phone, address, relatives, background | whitepages.com/suppression_requests — requires phone verification | Re-check annually. |
| **BeenVerified** | Background, contact, social media | beenverified.com/app/optout/search — online form | Re-check every 6-12 months. |
| **Intelius** | Background, criminal, financial | intelius.com/optout — online form | Part of PeopleConnect family. Opting out of one may not cover all. |
| **MyLife** | Reputation score, background | mylife.com/help/optout — email request | Aggressive re-aggregation. Check frequently. |
| **PeekYou** | Social media aggregation, username linking | peekyou.com/about/contact/optout — online form | Re-check quarterly. |
| **Radaris** | People search, reverse lookup | radaris.com/page/how-to-remove — multi-step process | Stubborn. May require multiple attempts. |
| **FamilyTreeNow** | Genealogy, known relatives, past addresses | familytreenow.com/optout — instant opt-out | One of the easiest. Do this first. |
| **FastPeopleSearch** | Phone, address, email, relatives | fastpeoplesearch.com/removal — instant removal | Check monthly — re-aggregates aggressively. |
| **TruePeopleSearch** | Phone, address, email, associates | truepeoplesearch.com/removal — instant removal | Similar to FastPeopleSearch. |
| **Acxiom** | Marketing data, offline purchase data | acxiom.com/optout — online form | One of the largest aggregators. Less public-facing but feeds many other brokers. |
| **LexisNexis** | Legal, financial, insurance data | risk.lexisnexis.com/consumer — opt-out requires documentation | May require notarized ID or proof of identity theft/stalking. Hardest to remove. |
### Automated Opt-Out Tools
# --- Optery (commercial) ---
# Automated broker opt-out service. Scans 200+ brokers, submits removal requests.
# https://optery.com — paid tier does automated removals.
# --- DeleteMe (commercial) ---
# Similar to Optery. Human-assisted opt-outs for stubborn brokers.
# https://joindeleteme.com
# --- Self-hosted: databroker-removal ---
# Open source script for DIY opt-outs on common broker sites
# https://github.com/your-username/databroker-removal
# Manual approach (free):
# 1. List all data broker sites (see table above + IntelTechniques list)
# 2. Visit each site's opt-out page
# 3. Submit removal request with minimal real info
# 4. Use a burner email for verification (not your real email!)
# 5. Document dates and confirmation numbers
# 6. Re-check every 3-6 months — data is re-aggregated from public records
**Critical:** Use a burner email and burner phone for opt-out verification. Submitting your real email to a data broker to "opt out" only gives them a fresh data point to correlate.
## Operational Workflows
### Workflow 1: Setting Up a Compartmentalized Identity from Zero
Objective: Create an operational identity with zero links to real identity.
Threat model: Tier 3 (organized investigation). Budget: $500-1000 cash.
Phase 1: Hardware Acquisition (Week 1)
┌─────────────────────────────────────────────────────┐
│ 1. Withdraw cash. No ATM near your home. │
│ 2. Purchase refurbished ThinkPad from cash-only │
│ seller (Craigslist, OfferUp, in-person). │
│ 3. Purchase burner Android phone with cash. │
│ 4. Purchase prepaid debit cards with cash. │
│ 5. Purchase Faraday bags for device transport. │
│ 6. Store devices in Faraday bags during transport. │
└─────────────────────────────────────────────────────┘
Phase 2: Device Preparation (Week 1-2)
┌─────────────────────────────────────────────────────┐
│ 1. At a location NOT your home/work (public library,│
│ coffee shop, hotel lobby — with no cameras). │
│ 2. Boot TAILS from USB on refurbished laptop. │
│ 3. Factory reset burner phone. Remove SIM. │
│ 4. Install GrapheneOS (privacy-hardened Android). │
│ 5. Encrypt everything. │
│ 6. Verify no factory-installed spyware/malware. │
└─────────────────────────────────────────────────────┘
Phase 3: Digital Identity Creation (Week 2-4)
┌─────────────────────────────────────────────────────┐
│ OVER TOR ONLY — NEVER FROM CLEARNET │
│ │
│ 1. Create ProtonMail account (operational persona). │
│ - Requires: nothing (free tier) │
│ 2. Create Tutanota account (backup operational). │
│ - Requires: nothing (free tier) │
│ 3. Acquire VOIP number (MySudo, BurnerApp, Twilio). │
│ - Use for account verification only. │
│ 4. Create SimpleLogin account for email aliases. │
│ - Each platform gets a unique alias. │
│ 5. Generate GPG keypair for operational persona. │
│ - Publish on keys.openpgp.org, ProtonMail WKD. │
│ 6. Create aged social media accounts (if needed). │
│ - Consistent fabricated persona details. │
│ - Post content for 2-4 weeks before op use. │
└─────────────────────────────────────────────────────┘
Phase 4: Infrastructure (Week 2-4)
┌──────────────────────────────────────────────────────┐
│ 1. Acquire VPS for operational infrastructure: │
│ - Paid with Monero (exchange to XMR, pay VPS). │
│ - VPS provider: Njalla, 1984, FlokiNET. │
│ - Anonymous signup. No KYC. │
│ 2. Set up: WireGuard VPN endpoint, reverse proxy, │
│ disposable web server. │
│ 3. Test full chain: Tor → VPS → target. │
│ 4. Verify: no DNS leaks, no IP leaks, no fingerprint.│
└──────────────────────────────────────────────────────┘
Phase 5: Validation
┌─────────────────────────────────────────────────────┐
│ 1. Run full browser fingerprint test (EFF, IPLeak). │
│ 2. Run WHOIS on all domains — no real info. │
│ 3. Search operational username/email on Google, │
│ Sherlock — should return nothing if fresh. │
│ 4. Search operational email on HaveIBeenPwned — │
│ should return nothing. │
│ 5. Attempt to correlate operational persona to your │
│ real identity from an adversary's perspective. │
│ Use the tools in this guide against yourself. │
│ If you can't find the connection, move to ops. │
└─────────────────────────────────────────────────────┘
### Workflow 2: Conducting OSINT Reconnaissance on a Target (Without Exposing Yourself)
# All commands executed from operational environment only.
# Verify Tor connectivity and browser fingerprint before starting.
# Phase 1: Passive Reconnaissance (no direct target interaction)
# ---------------------------------------------------------------
# 1.1 — Search engines (via SearXNG over Tor, not Google directly)
# Use the Google Dorking queries from the OSINT section.
# Document all findings in encrypted notes.
# 1.2 — Certificate Transparency logs (passive)
curl -s "https://crt.sh/?q=%.target.com&output=json" | jq '.[].name_value' | sort -u > ct_subdomains.txt
# 1.3 — DNS enumeration (passive)
dig +short A target.com
dig +short MX target.com
dig +short NS target.com
dig +short TXT target.com
# 1.4 — Wayback Machine (passive)
curl -s "https://web.archive.org/cdx/search/cdx?url=*.target.com&output=text&fl=original&collapse=urlkey" | \
sort -u > wayback_urls.txt
# 1.5 — Search for exposed files on target domain (via search engines)
# Google dorks executed through SearXNG or manually typed into Tor Browser:
# site:target.com filetype:pdf
# site:target.com filetype:sql
# site:target.com ext:env OR ext:conf OR ext:ini
# Phase 2: Light Active Reconnaissance (touches target — use caution)
# --------------------------------------------------------------------
# 2.1 — Technology stack fingerprinting (over Tor)
torsocks whatweb target.com | tee tech_stack.txt
# 2.2 — Port scan (TCP Connect scan through Tor's SOCKS5)
# proxychains required. Note: this is SLOW through Tor.
proxychains4 -q nmap -sT -Pn -T2 --max-retries 0 -p 22,25,53,80,443,8080,8443 target.com
# 2.3 — SSL/TLS certificate analysis
openssl s_client -connect target.com:443 -servername target.com /dev/null | \
openssl x509 -noout -text | tee ssl_cert.txt
# Phase 3: Analysis & Documentation
# ---------------------------------
# Compile findings into structured format.
# Encrypt all output files.
# Do not store operational data on non-encrypted volumes.
# After operation: securely delete all artifacts.
### Workflow 3: Self-Audit — OSINT Your Own Identity
Objective: Discover what an adversary would find about you in 30 minutes.
1. Search your real name on Google, Bing, DuckDuckGo (each returns different results).
- Include variations: "First Last", "First M Last", "Last, First", username/pseudonym.
2. Search your email addresses on:
- Google: "email@example.com" (with quotes)
- HaveIBeenPwned (breaches)
- DeHashed (breaches, requires account)
- Holehe (service registration check)
3. Search your phone number on:
- Google: "+1 555-123-4567" (with quotes, various formats)
- Whitepages, Spokeo, TruePeopleSearch, FastPeopleSearch, FamilyTreeNow
4. Search your username on:
- Sherlock/Maigret
- namechk.com (check availability — also reveals where you're registered)
5. Reverse image search your profile pictures:
- Google Images, TinEye, Yandex (best for faces)
- FaceCheck.id (facial recognition database)
6. Check data broker sites for your personal information.
- See the Data Broker Opt-Out table above.
7. Check public records:
- County property records (usually searchable online by name)
- PACER (federal court records)
- State court records (by county)
- Voter registration (public in most states, includes address and party affiliation)
8. Check for social media leaks:
- What information is publicly visible on your profiles?
- What can be inferred from the people you follow / who follow you? (Social graph analysis)
- Check tagged photos — do they reveal location, habits, associates?
Take action on every finding. Opt out, delete, obscure, or prepare a cover story.
## OPSEC Checklists
### Pre-Operation Checklist
- [ ] Operational device(s) acquired with cash, no link to real identity
- [ ] Operational device(s) fully encrypted (LUKS, VeraCrypt hidden volume, or FileVault/BitLocker)
- [ ] Operational OS booted: TAILS, QubesOS, Whonix, or hardened Linux
- [ ] All network traffic routed through Tor (verified: `curl --socks5 127.0.0.1:9050 https://check.torproject.org`)
- [ ] Browser fingerprint tested and non-unique (EFF Cover Your Tracks, BrowserLeaks, IPLeak)
- [ ] DNS leak test passed (dnsleaktest.com, ipleak.net — shows only proxy DNS)
- [ ] WebRTC disabled (`media.peerconnection.enabled = false` in Firefox)
- [ ] MAC address randomized (`macchanger -r wlan0`)
- [ ] Timezone matches proxy exit (or forced to UTC via `privacy.resistFingerprinting`)
- [ ] No real accounts authenticated on operational device
- [ ] No real files, documents, or media on operational device
- [ ] Operational accounts created over Tor with burner email/phone
- [ ] Operational accounts aged (minimum 2 weeks of activity for Tier 1-2, 3+ months for Tier 3+)
- [ ] GPG keys generated for operational persona
- [ ] Passwords: unique, high-entropy, stored in encrypted password manager (or memorized)
- [ ] MFA enabled on all operational accounts (TOTP or FIDO2, not SMS)
- [ ] Operational communications app tested and verified E2E encrypted
- [ ] Metadata stripped from all files to be used in operation
- [ ] Counter-surveillance route to operational location confirmed
- [ ] Burner phone acquired (if needed), SIM activated without ID
- [ ] Faraday bags available for device transport
- [ ] Dead drop location identified (if physical exchange required)
### During-Operation Checklist
- [ ] Monitor network connectivity: is Tor still working? Any leaks?
- [ ] Monitor system integrity: unexpected processes? Network connections? Disk activity?
- [ ] Do not cross-contaminate: no checking real email, real social media, real anything
- [ ] Maintain consistent persona: writing style, timezone, language, browser fingerprint
- [ ] Log all operational activity (encrypted, offline) — timestamps, actions, results
- [ ] Rate-limit automated queries to avoid volumetric detection
- [ ] If a service blocks or captchas you, do not bypass aggressively — it's a detection indicator
- [ ] If anything feels wrong, abort. Reassess. Do not push through a potential compromise.
### Post-Operation Checklist
- [ ] Export and encrypt all operational data
- [ ] Securely delete operational files from device: `shred -vfz -n 7`
- [ ] Wipe operational browser profile, cache, cookies, session data
- [ ] If using TAILS: shutdown (automatically wipes RAM and temporary storage)
- [ ] If using persistent OS: re-image or securely wipe free space: `sfill -v /mountpoint`
- [ ] Burn disposable accounts if no longer needed
- [ ] Destroy burner phone (physically — hammer to SIM and storage chip)
- [ ] Destroy burner VPS (terminate instance, overwrite disk)
- [ ] If cryptocurrency was used: rotate wallet addresses
- [ ] Debrief: document lessons learned. Update OPSEC procedures accordingly.
- [ ] Re-check data broker sites for any new information that may have appeared
- [ ] Re-check search engines for your operational username/email (unintended exposure)
- [ ] Verify operational accounts are logged out everywhere; revoke all sessions
## OPSEC Failures That Burned Operators
Real-world case studies of operational security failures. Names omitted; lessons preserved.
### Case 1: The Single Crossover Event
**Scenario:** Operator maintained strict compartmentalization for months. Separate devices, Tor-only connectivity, burner emails, cryptocurrency payments. **One day**, they briefly logged into their real Gmail account from their operational laptop — "just to check a message, 30 seconds."
**Result:** Google's security logs recorded the operational Tor exit node IP as an access point for their real Gmail account. When Google later received a lawful intercept request, the operational IP was linked to their real identity through that single 30-second session. Game over.
**Lesson:** Compartmentalization is binary. One cross-contamination event destroys the entire wall. If you need to check real accounts, use a real device on a real network. Never bring operational and real identities into the same digital space — even for "just a second."
### Case 2: EXIF Betrayal
**Scenario:** Operator posted a photo to a forum under an operational pseudonym. They stripped all EXIF data with `exiftool -all=`. **But:** they cropped the photo first, and the cropping tool (default smartphone gallery app) re-embedded GPS coordinates from the phone's location cache.
**Result:** The forum post's photo contained GPS coordinates pointing to the operator's apartment building. An OSINT collector extracted the coordinates and cross-referenced with property records to obtain the operator's real name.
**Lesson:** Verify metadata removal **after** all edits. The final file that leaves your control is the only one that matters. Use `exiftool photo.jpg` on the exact file you are about to upload. Better: never post original photos. Post screenshots of photos, or photos taken by a camera that has no GPS capability.
### Case 3: Cryptocurrency Trail
**Scenario:** Operator paid for a VPN subscription with Bitcoin. The Bitcoin was purchased on Coinbase (KYC'd exchange). Coinbase → personal wallet → VPN provider. Operator assumed the hop through the personal wallet provided anonymity.
**Result:** Blockchain analysis trivially traced the Bitcoin from the KYC'd Coinbase account to the VPN payment address. The VPN provider was compelled to provide connection logs, which correlated the subscription with the operator's real identity and all connection timestamps.
**Lesson:** Bitcoin is pseudonymous, not anonymous. Every transaction is permanently recorded on a public ledger. Use Monero (XMR) for privacy-sensitive payments. If you must use Bitcoin, route through a mixer (Wasabi, JoinMarket) or exchange to Monero first. Better: pay with cash for everything operational.
### Case 4: Stylometric Fingerprint
**Scenario:** Operator used a pseudonym to publish technical blog posts criticizing a government agency. They used a burner email, Tor, and a brand-new identity. **But:** their writing style — sentence structure, vocabulary choices, punctuation habits, and grammatical quirks — was identical to their real-name academic publications.
**Result:** Adversary ran stylometric analysis (JStylo, Anonymouth) across the pseudonymous blog posts and the operator's published academic papers. Match confidence: 94%. The operator was identified solely by how they wrote.
**Lesson:** Your writing voice is as unique as your fingerprint. Changing your content does not change your style. For high-stakes anonymous publications: write in a deliberately different style, use a ghostwriter, or run your text through stylometric analysis tools to verify it does not match your known corpus.
### Case 5: The Amazon Purchase
**Scenario:** Operator purchased "secure hardware" — a Raspberry Pi and some radio equipment — for an operational project. Used their personal Amazon account and home delivery address because "it's just electronics, not suspicious."
**Result:** The adversary had access to Amazon purchase history (via warrant, insider access, or account compromise). The purchase of specific hardware components matched the capabilities used in an operation. Combined with delivery address, the operator was identified.
**Lesson:** Every purchase tells a story. Buy operational hardware with cash. Buy from physical stores without cameras if possible. If you must order online: use a burner Amazon account, pay with a prepaid debit card (bought with cash), ship to a locker/PMB, and add unrelated items to dilute the signal.
## References
### OPSEC & Counter-Surveillance
- [OPSEC: A Systematic Approach](https://www.nsa.gov/Portals/75/documents/what-we-do/research/operations-security.pdf) — NSA OPSEC process (declassified)
- [TAILS — The Amnesic Incognito Live System](https://tails.net/)
- [QubesOS — A Reasonably Secure Operating System](https://www.qubes-os.org/)
- [Whonix — Anonymous Operating System](https://www.whonix.org/)
- [EFF Surveillance Self-Defense](https://ssd.eff.org/)
- [Privacy Guides](https://www.privacyguides.org/)
- [The Hitchhiker's Guide to Online Anonymity](https://anonymousplanet.org/)
- [GrapheneOS — Hardened Android](https://grapheneos.org/)
- [VeraCrypt — Free Open Source Disk Encryption](https://www.veracrypt.fr/)
### OSINT Tools & Frameworks
- [OSINT Framework](https://osintframework.com/) — Interactive tool taxonomy
- [Bellingcat's Digital Investigation Toolkit](https://www.bellingcat.com/category/resources/)
- [IntelTechniques — OSINT & Privacy](https://inteltechniques.com/)
- [Awesome OSINT (GitHub)](https://github.com/jivoi/awesome-osint)
- [Google Hacking Database (Exploit-DB)](https://www.exploit-db.com/google-hacking-database)
- [Shodan — Search Engine for Internet-Connected Devices](https://www.shodan.io/)
- [Censys — Internet Asset Discovery](https://search.censys.io/)
- [SpiderFoot — Automated OSINT](https://www.spiderfoot.net/)
- [Recon-ng — Web Reconnaissance Framework](https://github.com/lanmaster53/recon-ng)
- [theHarvester — Email, Subdomain, Employee Enumeration](https://github.com/laramies/theHarvester)
- [Sherlock — Username Search](https://github.com/sherlock-project/sherlock)
- [Maigret — Username OSINT](https://github.com/soxoj/maigret)
- [Holehe — Email Registration Check](https://github.com/megadose/holehe)
- [GHunt — Google Account OSINT](https://github.com/mxrch/GHunt)
- [PhoneInfoga — Phone Number Intelligence](https://github.com/sundowndev/phoneinfoga)
### Encryption & Communications
- [Signal Protocol Technical Documentation](https://signal.org/docs/)
- [Matrix Specification](https://spec.matrix.org/)
- [ProtonMail Security Model](https://proton.me/support/encryption-details)
- [GnuPG Manual](https://www.gnupg.org/documentation/manuals/gnupg/)
### Counter-Forensics & Data Removal
- [MAT2 — Metadata Anonymisation Toolkit](https://0xacab.org/jvoisin/mat2)
- [ExifTool — EXIF Manipulation](https://exiftool.org/)
- [IntelTechniques Data Removal Workbook](https://inteltechniques.com/workbook.html)
- [JustDeleteMe — Account Deletion Directory](https://justdeleteme.xyz/)
### Threat Intelligence
- [MITRE ATT&CK Framework](https://attack.mitre.org/)
- [CISA Cybersecurity Resources](https://www.cisa.gov/)
- [Privacy International](https://privacyinternational.org/)