Major Update

SEC587: Advanced Open-Source Intelligence (OSINT) Gathering and Analysis™

  • In Person (6 days)
  • Online
36 CPEs

With Open-Source Intelligence (OSINT) being the engine of most major investigations in this digital age the need for a more advanced course was imminent. The data in almost every OSINT investigation becomes more complex to collect, exploit and analyze. For this OSINT practitioners all around the world have a need for performing OSINT at scale and means and methods to check and report on the reliability of their analysis for sound and unbiased reports. In SEC587 you will learn how to perform advanced OSINT Gathering & Analysis as well as understand and use common programming languages such as JSON and Python. SEC587 also will go into Dark Web and Financial (Cryptocurrency) topics as well as disinformation, advanced image and video OSINT analysis. This is an advanced fast-paced course that will give seasoned OSINT investigators new techniques and methodologies and entry-level OSINT analysts that extra depth in finding, collecting and analyzing data sources from all around the world.

What You Will Learn

Beyond the Basics: Advanced OSINT Techniques

SANS SEC587 is an advanced Open-Source Intelligence (OSINT) course for those who already know the foundations of OSINT. The goal is to provide students with more in-depth and technical OSINT knowledge. Students will learn OSINT skills and techniques that law enforcement, intelligence analysts, private investigators, journalists, penetration testers and network defenders use in their investigations.

Open-source intelligence collection and analysis techniques are increasingly useful in a world where more and more information is added to the internet every day. With billions of internet users sharing information on themselves, their organizations, and people and events they have knowledge of, the internet is a resource-rich environment for intelligence collection. SEC587 is designed to teach you how to efficiently utilize this wealth of information for your own investigations.

SEC587 will take your OSINT collection and analysis abilities to the next level, whether you are involved in intelligence analysis, criminal and fraud investigations, or just curious about how to find out more about anything! SEC587 is replete with hands-on exercises, real-world scenarios, and interaction with live internet and dark web data sources.

This course is also blended with all the fundamentals an OSINT analyst will need to learn and understand and apply basic coding in languages such as Python, JSON, and shell utilities as well as interacting with APIs for automating your OSINT processes.

"The course manages to provide both breadth and depth, with practical hands-on practices and tools students can implement right away." - Patrick Muprhy, Palo Alto Networks

What Is Open-Source Intelligence (OSINT) Automation?

Open-source intelligence automation leverages advanced software tools and algorithms to expedite the collection, analysis, and interpretation of publicly accessible data. By automating the processing of vast amounts of information from sources like social media, news outlets, and databases, it enhances the speed, accuracy, and scalability of intelligence gathering. This technology is crucial for real-time decision-making in fields such as cybersecurity, market analysis, and national security.

Business Takeaways

  • Enhance decision-making with actionable insights from public data
  • Proactively identify risks using advanced OSINT techniques
  • Increase efficiency through automated intelligence gathering
  • Stay ahead competitively by monitoring industry and market trends
  • Ensure compliance in legal and ethical intelligence collection.

Skills Learned

  • Gather and analyze public data to generate actionable intelligence with advanced OSINT tools and techniques
  • Utilize automated systems to streamline the OSINT process, increasing efficiency and accuracy in intelligence gathering
  • Identify and mitigate security threats by understanding and applying OSINT to predict and prevent potential vulnerabilities
  • Navigate legal and ethical considerations in intelligence gathering to ensure compliance with applicable laws and standards
  • Apply OSINT for competitive advantage by monitoring and analyzing market and industry trends to inform business strategy
  • Enhance decision-making processes with real-time, data-driven insights from a variety of open and publicly accessible sources
  • Implement technological solutions to effectively manage and analyze large datasets from disparate sources, fostering more informed business decisions.

Hands-On Advanced OSINT Training

SEC587: Advanced Open-Source Intelligence Techniques offers an immersive experience through practical labs and real-world scenarios, allowing students to master intelligence gathering using publicly available data. This course emphasizes hands-on practice with real-world tools and data, providing guided labs for beginners and more challenging tasks for advanced users, enabling tailored learning at any skill level. Participants will tackle a variety of case studies and simulations that mirror the complex challenges faced by professionals in corporate, security, and governmental fields. The curriculum is designed not only to build a solid foundation in OSINT methodologies but also to instill the ability to ethically and legally apply these skills in professional settings. Students will leave with continued access to course materials and tools, empowering them to further refine their abilities after taking the course.

Hands-on Labs Include:

  • Section 1: Analyzing the Macron video, Checking Disinformation, Russian Facial Recognition, U.S. Foreign Agents Registration Act (FARA), Accessing Chinese Websites
  • Section 2: Python
  • Section 3: Image Verification, Video Verification, Steganography, Speaker Diarization, Advanced Enumeration, Gaming
  • Section 4: Network OPSEC Analysis, dark Web De-Anonymization, Dark Web Search, Cryptocurrency, Detecting Modern Drones
  • Section 5: N8n, SearxNG, Dealing with Password Protected Files, Aviation OSINT, Maritime OSINT, Secrets

"All the labs really reinforce the lessons." - Patrick Murphy, Palo Alto Networks

"The labs were very helpful in solidifying the content and gettings hands-on experience." - Cynthia Brewer, Booz Allen Hamilton

Syllabus Summary

  • Section 1: Disinformation, Intelligence Analysis, Russian and Chinese OSINT
  • Section 2: Intelligence Analysis and Data Analysis with Python
  • Section 3: Video, Image and Audio Analysis, AI for OSINT, Advanced Enumeration and Gaming
  • Section 4: Sock Puppets, OPSEC, Dark Web, Cryptocurrency and Wireless
  • Section 5: Automated Monitoring, Vehicle Tracking, and Dealing with Password-Protected Files
  • Section 6: Capstone

Additional Free Resources

What You Will Receive

Physical and digital workbooks and a course specific Virtual Machine (VM) tailored for this Advanced Open Source Intelligence Gathering and Analysis course

Syllabus (36 CPEs)

Download PDF
  • Overview

    We live in an information age where disinformation is becoming more and more common.

    In the first section of day 1 students will learn what disinformation is by understanding how disinformation campaigns are set up and deployed.

    Standard intelligence information analysis techniques and processes for assessing the reliability of information are a key element of intelligence, and application of these techniques to OSINT are discussed.

    We have a section on how to analyze gathered OSINT information using several reliability rating and analytic assessment techniques such as Admiralty code, Analysis of Competing Hypothesis and CRAAP analysis. These techniques will help students to make their overall analysis outcome become more solid.

    Many of the targets of OSINT work may be individuals who like to identify themselves within a group or as part of a group, so we'll cover how to analyze sensitive groups and individuals who identify with groups online.

    There's an all-new section on Russian OSINT covering social media and other popular sites, Russian focused facial recognition searches and finding foreign ties to U.S. owned businesses.

    There's also an all-new section on Chinese OSINT covering topics including translation options and overcoming difficulties with creating accounts including methods for acquiring +86 Chinese phone numbers and accessing websites only available in China, without relying on western VPNs.

    Exercises
    • Analyzing the Macron video
    • (Optional) Checking Disinformation
    • Russian Facial Recognition
    • U.S. Foreign Agents Registration Act (FARA)
    • Accessing Chinese Websites
    Topics
    • Detecting and analyzing disinformation and fake news
    • Understanding reliability rating models for OSINT
    • Rating the reliability of information
    • US Army OSINT and the Admiralty/NATO system
    • Currency, Relevance, Authority, Accuracy & Purpose (CRAAP)
    • Standard intelligence assessment techniques
    • Analysis of Competing Hypotheses (ACH) and other methods
    • Use of Unique Identifying Labels (UILs)
    • Identifying Sensitive Groups using UIL techniques
    • Russian OSINT including facial recognition and creating accounts
    • Identifying Russian businesses with licenses to do classified work
    • Identifying foreign ties to U.S. businesses
    • Accessing Chinese websites which only allow domestic visitors
    • Dealing with account creation challenges on Chinese apps
  • Overview

    This content is all new, includes seven new hands-on labs and requires no previous experience! We start off with the building blocks of Python that are most important for OSINT and keep increasing the functionality to perform such tasks as web scraping, all while managing our attribution.

    We use Python to build an automated intelligence dashboard that updates in real time and can be customized in endless ways. We cover out to utilize third-party APIs including those belonging to AI providers to help us automatically evaluate programs and perform other tasks.

    Finally, we end the section by covering persistent monitoring of sites like Telegram and Discord, and how we can move our Python code to the cloud using serverless infrastructure like AWS Lamba.

    Exercises
    • Python Level 1
    • Python Level 2
    • Python Level 3
    • Python Level 4
    • Python Level 5
    • Python Level 6
    • Python Level 7
    Topics
    • Python fundamentals for OSINT
    • Web requests and parsing web pages
    • Managing attribution with Python
    • Intermediate web scraping
    • Creating an automated intelligence dashboard
    • Interacting with APIs, including AI
    • Persistent Monitoring
    • Automating your Python code in the cloud
  • Overview

    This section starts off with practical and advanced image and video verification techniques and then shifts into an all new section on steganography including a lab on using, and detecting steganography.

    There's an all new section on AI for audio analysis including transcription, translation, speaker diarization (identifying which speaker said which words) and speaker recognition.

    We will then discuss practical ways to incorporate artificial intelligence into their OSINT research as both a means for increasing our efficiency and effectiveness, but also in detecting AI being used by others to generate content.

    We will discuss some advanced enumeration techniques where we cover methods to find domains related to your target, to discover difficult to find infrastructure on websites and in the cloud, and perform 100% passive enumeration on a target website.

    Finally, we end with an all new section on gaming OSINT discussing why it's important and key sites for searching and monitoring the space.

    Exercises
    • Image Verification
    • Video Verification
    • Steganography
    • Speaker Diarization
    • Advanced Enumeration
    • Gaming
    Topics
    • Image analysis and reverse image searches
    • Video analysis
    • AI for Audio analysis
    • AI for OSINT
    • AI for automating social media accounts
    • Detecting AI generated content
    • Automated scans of a website for sensitive files
    • Discovering cloud-based assets
    • 100% passive enumeration of a website
    • Gaming OSINT
  • Overview

    This day starts off with instruction on useful concepts for creating and maintaining fictitious identities (sock puppets), particularly those used to interact with others, and how to maintain Operations Security (OPSEC).

    Within SEC587, students will get a more advanced understanding of how OSINT techniques can be applied on the Dark Web by learning about the criminal underground including the initial access marketplaces fed by data stealer logs. Students will learn advanced techniques for finding the true location of servers hosting sites on the dark web as well as automated methods for dark web monitoring.

    We will discuss the fundamentals of cryptocurrency, techniques for tracking public cryptocurrency transactions, and how to identify transactions involving sanctioned entities. These topics are also covered in an all-new cryptocurrency lab.

    Understanding wireless capabilities is becoming more important to OSINT practitioners so we finish with a brief overview of wireless technologies such as Wi-Fi, Bluetooth and software defined radios (SDRs) as well as a lab where demonstrate how to detect modern drones and research their identifiers.

    Exercises
    • Network OPSEC Analysis
    • Dark Web De-Anonymization
    • Dark Web Search
    • Cryptocurrency
    • Detecting Modern Drones
    Topics
    • Creating and maintaining false personas
    • Communicating with targets and other sources of information
    • Operational security (OPSEC)
    • Searching for dark web content
    • Essential cybercrime underground concepts
    • Technical methods to de-anonymize dark websites
    • Understanding cryptocurrency and the blockchain
    • Identifying cryptocurrency addresses tied to sanctioned entities
    • An overview of the wireless spectrum and widely used technologies
    • Detecting modern drones including the newest DJIs
  • Overview

    Day five will start with tools and techniques that will aid OSINT analysts in using and building their own monitoring and online searching tools. This section will teach students how to utilize third party web-based monitoring tools as well as how to monitor various topics of interest. We'll also have an all new lab where we use a workflow automation framework which can be locally hosted to mitigate budget and/or OPSEC issues.

    We'll cover technical methods to access information in password-protected files encountered online and will also learn how to find, gather, and analyze information that is related to vehicles (cars, boats, planes, etc.) using open-source information.

    We'll end the day by using automated methods to identify sensitive credentials in various offline and online sources.

    Exercises
    • N8n
    • SearxNG
    • Dealing with Password Protected Files
    • Aviation OSINT
    • Maritime OSINT
    • Secrets
    Topics
    • Practical OSINT monitoring using web services
    • Automated internet monitoring using third-party tools
    • Utilizing a self-hosted workflow automation framework
    • Visualization of data sets to support network analysis
    • Collection and analysis of open-source vehicle tracking information
    • Methods to access information in password-protected files
    • Methods to identify sensitive credentials in both offline and online repositories
  • Overview

    This will be the capstone for SEC587 that brings together everything that students have learned throughout the course. This will be a team effort where groups compete against each other by collecting OSINT data about live online subjects. The output from this capstone event will be turned in as a deliverable to the client (the instructor and fellow classmates). This hands-on event reinforces what students have practiced during labs and adds the complexity of performing OSINT using Python code and various advanced OSINT techniques under time pressure as a group.

Prerequisites

SEC587 is a fast-paced, advanced course that is meant to build upon previous knowledge and experience in OSINT. The SANS SEC497: Practical Open-Source Intelligence (OSINT) course is recommended, but not required prior to taking this course.

  • Basic knowledge and experience with open-source intelligence collection.
  • Rudimentary understanding of intelligence analysis
  • Knowledge of how to use a Virtual Machine (VM)

Laptop Requirements

Important! Bring your own system configured according to these instructions.

A properly configured system is required to fully participate in this course. If you do not carefully read and follow these instructions, you will not be able to fully participate in hands-on exercises in your course. Therefore, please arrive with a system meeting all of the specified requirements.

Back up your system before class. Better yet, use a system without any sensitive/critical data. SANS is not responsible for your system or data.

MANDATORY SEC587 SYSTEM HARDWARE REQUIREMENTS
  • CPU: 64-bit Intel i5/i7 (8th generation or newer), or AMD equivalent. A x64 bit, 2.0+ GHz or newer processor is mandatory for this class.
  • CRITICAL: Apple systems using the M1/M2 processor line cannot perform the necessary virtualization functionality and therefore cannot in any way be used for this course.
  • BIOS settings must be set to enable virtualization technology, such as "Intel-VTx" or "AMD-V" extensions. Be absolutely certain you can access your BIOS if it is password protected, in case changes are necessary.
  • 16GB of RAM or more is required.
  • 50GB of free storage space or more is required.
  • At least one available USB 3.0 Type-A port. A Type-C to Type-A adapter may be necessary for newer laptops. Some endpoint protection software prevents the use of USB devices, so test your system with a USB drive before class.
  • Wireless networking (802.11 standard) is required. There is no wired Internet access in the classroom.

MANDATORY SEC587 HOST CONFIGURATION AND SOFTWARE REQUIREMENTS

  • Your host operating system must be the latest version of Windows 10, Windows 11, or macOS 10.15.x or newer.
  • Fully update your host operating system prior to the class to ensure you have the right drivers and patches installed.
  • Linux hosts are not supported in the classroom due to their numerous variations. If you choose to use Linux as your host, you are solely responsible for configuring it to work with the course materials and/or VMs.
  • Local Administrator Access is required. (Yes, this is absolutely required. Don't let your IT team tell you otherwise.) If your company will not permit this access for the duration of the course, then you should make arrangements to bring a different laptop.
  • You should ensure that antivirus or endpoint protection software is disabled, fully removed, or that you have the administrative privileges to do so. Many of our courses require full administrative access to the operating system and these products can prevent you from accomplishing the labs.
  • Any filtering of egress traffic may prevent accomplishing the labs in your course. Firewalls should be disabled or you must have the administrative privileges to disable it.
  • Download and install VMware Workstation Pro 16.2.X+ or VMware Player 16.2.X+ (for Windows 10 hosts), VMware Workstation Pro 17.0.0+ or VMware Player 17.0.0+ (for Windows 11 hosts), or VMWare Fusion Pro 12.2+ or VMware Fusion Player 11.5+ (for macOS hosts) prior to class beginning. If you do not own a licensed copy of VMware Workstation Pro or VMware Fusion Pro, you can download a free 30-day trial copy from VMware. VMware will send you a time-limited serial number if you register for the trial at their website. Also note that VMware Workstation Player offers fewer features than VMware Workstation Pro. For those with Windows host systems, Workstation Pro is recommended for a more seamless student experience.
  • On Windows hosts, VMware products might not coexist with the Hyper-V hypervisor. For the best experience, ensure VMware can boot a virtual machine. This may require disabling Hyper-V. Instructions for disabling Hyper-V, Device Guard, and Credential Guard are contained in the setup documentation that accompanies your course materials.
  • Download and install 7-Zip (for Windows Hosts) or Keka (for macOS hosts). These tools are also included in your downloaded course materials.

Your course media is delivered via download. The media files for class can be large. Many are in the 40-50GB range, with some over 100GB. You need to allow plenty of time for the download to complete. Internet connections and speed vary greatly and are dependent on many different factors. Therefore, it is not possible to give an estimate of the length of time it will take to download your materials. Please start your course media downloads as soon as you get the link. You will need your course media immediately on the first day of class. Do not wait until the night before class to start downloading these files.

Your course materials include a "Setup Instructions" document that details important steps you must take before you travel to a live class event or start an online class. It may take 30 minutes or more to complete these instructions.

Your class uses an electronic workbook for its lab instructions. In this new environment, a second monitor and/or a tablet device can be useful for keeping class materials visible while you are working on your course's labs.

If you have additional questions about the laptop specifications, please contact support

Author Statement

"I am truly honored and thrilled to join the team as a co-author for the SANS SEC587 Advanced OSINT course. It is a privilege to contribute to the development of a curriculum that empowers students with cutting-edge skills to navigate the vast and ever-evolving landscape of open-source intelligence. I am excited to build on a foundation laid out in the SEC497 OSINT course and explore advanced topics focused on equipping professionals with the necessary tools and techniques to effectively gather, analyze, and utilize information in an effective and responsible manner."

-Matt Edmondson

Reviews

This content is the next level for OSINT researchers. It fills in the areas that I have not been using but wanted to learn.
Janie Brewer
Oracle
Having a broad coverage over multiple areas of OSINT is really helpful to reinforce the fundamentals and understand the diverse applications of an open source investigator's skills.
Dan Black
Very relevant material that provided a lot of good resources for my day to day work.
Christopher Brown

    Register for SEC587

    Learn about Group Pricing

    Prices below exclude applicable taxes and shipping costs. If applicable, these will be shown on the last page of checkout.

    Loading...