OSINT Training: How to Learn Internet Investigations

NetBootCamp’s Internet investigations training program is a road map for building well-rounded investigators.

The training program is frequently used to develop the best practices and full-range skills of new hires and as continuing education for staff looking to expand their knowledge in tools and topics.

Classes are sequentially numbered in each of the core areas. This guides clients through course selection and it outlines the progressive study program.

Three core studies begin with Basic Internet investigations. The training builds upon that foundation with Website Investigations, followed by the Social Media Investigations program. You’ll find also find specialty skills in the OSINT / Internet Tools and Internet Evidence sections.

Contact us direct to build your training program or to inquire about coaching.

HOW TO VIEW CLASSES: Select a gray Tab to reveal class details.kb-linkarrow

Basic Internet (B)

InfoHow The Internet Works (B)Investigation Tools & Software (B1)Search Techniques (B2)IP Addresses (B3)Traceroutes & Networks (B4)Email Investigations (B5)Anonymous Surfing (B6)HTML for investigators (B7)TOR (B8)BitTorrent (B9)
Bootcamp Track 1:
Introduction to IP addresses and networks. Geo-location, traceroutes, ISPs and ASNs, DNS, Reverse Whois, advanced search, and more.

Introduction: Foundations of the Internet & Investigations

  • The Internet as a network of lines, data centers, servers.
  • How traffic is routed from your PC to a website.
  • Intermediaries to consider for investigations.
    – ISP, DNS, servers, CDNs, ASNs (networks)
  • How websites are constructed and visitors are managed.
    – HTML, Robots.txt, .htaccess, and more
  • HTTP status codes: Understanding changes on a web page.
    – 404 and other status codesSession includes: Downloadable references and review

The Investigator’s computer is set up with the core recommended tools.

  • Recommended desktop and portable applications, browsers, bookmarks, and add-ons are provided via download.
  • Instructor introduces the functions of tools and provides recommendations for essential subscriptions.

Advanced search: Methods to re-think search and extract data from websites and search engines.

  • Google advanced search operators are introduced with practical exercises.
  • Recommended uses for Bing and foreign language search engines are also discussed.
  • Methods to search online drives to locate public files are covered with Google Drive & Picasa, Skydrive, Dropbox, Box.
  • Search methods to target profiles, forums, and specific platforms like cyberlockers, blogs, FTP, and social networks are covered.
  • Visual web crawling tools are introduced for extracting data from the target directly or through Google.
  • Tools to monitor RSS feeds and create search alerts are provided.

Session includes: Practical exercises, tools, downloadable resources.

Understanding how the Internet works and how it is abused

  • Introduction to IP addresses: IPv4
  • AS Numbers: ISPs that peer with other ISPs
  • IP address details
  • DNS: How Domain names are resolved
  • IP address geolocation
  • Rogue ASNs and ISPs
  • Overview of IPv6
  • Practical exercise: Tools, Exercise handouts, Online resources
Understanding ISPs, how traffic is exchanged, and how tools are misled

  • Troubleshoot ISP and server location
  • Identify ASN, DNS, MX , reverse IP, subdomains
  • Server location obfuscation:  Proxies, CDNs, rWhois contacts
  • Enumerate domains and IP addresses on an ISP
  • Advanced tracerouting

Some website owners operate their own ISP via a reassigned IP addresses. Some also use online, intermediary services like CloudFlare to conceal the server location. Investigators will learn how to investigate web hosting and verify server locations via peering, datacenter maps, traceroute, and more.

More than an IP address:  Finding additional clues about a sender via headers

  • Read email headers: IP address, sender’s computer name
  • Comparison of Gmail, Yahoo, Hotmail, and web hosted email
  • IP address proxies and date time stamps
  • Undercover email considerations

Investigators will learn how to read email headers and how email clients, web hosted mail, and proxies alter the details. Potential header details such as the sender’s computer name, city location, and time zone will also be discussed. Undercover considerations and basic trap-and-trace methods will be introduced for capturing similar information from a recipient.

What website operators know about you: How to get blocked,  how to stay anonymous

  • Operators block visitors, referral links, countries: .htaccess
  • Staying anonymous: Cookies, Proxies, and Search
  • Checking your IP address
  • Checking browser geolocation leaks

Other anonymizers

Introduction to HTML and source code clues


  • Meta description
  • Meta keywords
  • Script author and hosting locations


  • CSS
  • Themes
  • Image hosting
  • Video Hosting
  • iFrames
  • Blogger accounts
  • Authors and Email accounts


  • Publisher codes
  • Advertising codes
  • Analytics codes
  • Sharing widget codes
  • Theme author

Overview of TOR and the Onion Network

  • TOR Bundle installation
  • TOR search listings
  • Investigation considerations for TOR
Exchanging files and IP addresses:  BitTorrent Network

  • Overview of BitTorrent and P2P file sharing
  • Indexing sites, Trackers, Seeders, Leechers, and more
  • Examining the activity, estimating volumes
  • BitTorrent client installation
  • Investigation considerations for BitTorrent

Website Investigations (W)

InfoDomains (W1)Related websites (W2)Profiling (W3)e-Commerce (W4)B2B exports (W5)Payment Processing (W6)Ad Revenue (W7)Stream/Link (W8)Live Stream (W9)Cyberlocker (W10)BitTorrent (W11)Mobile (W12)
Bootcamp Stage 2: Introduction to domain and operator investigations: HTML, related websites, revenue, e-commerce, streaming, downloads, counterfeits, and more.
On the surface: Domain investigations

  • Intro and Impact: Registrars, Registrants, TLDs and ccTLDs
  • DNS in more detail: Subdomains, Domains, URLs, & Lookups
  • WhoIs lookup
  • Domaintools: A database subscription service
  • Centralops: Live domain lookup
  • ccTLD lookups: Example tools by country and domain
  • Registration privacy protection services
Domain investigations expanded: Identifying operators and their related websites

  • Locating additional domains/websites for a common operator
  • Shared IP address lookup tools
  • Shared services lookup tools
  • Shared design lookup tools
  • Shared content lookup tools
  • Payment processors, advertising, and social media widgets
  • Nearby sites lookup
  • Inbound/Outbound link lookup
  • Prior domain sales lookup
Preliminary assessments: Looking at websites in action

  • Gaining insight on operators and enforcement potentials
  • Content: Prices, titles, shipping, payment
  • Web page archives, Search cache, and Robots.txt
  • SEO and HTML clues
  • Spiders to quickly assess content: Titles, Meta descriptions, page count
  • Concealing web pages: iFrames and Divs
  • Locating elements essential to the operation of the site
  • HTTP header clues
  • IP address packet clues
  • Inspecting video streams and digital downloads
  • Force downloading videos
  • Traffic estimation
Intro to e-Commerce:  Adding payment processing and shipping to the mix

  • Initial profiling: Content, Payment, Shipping, Images, Analytics
  • Locating infringing sellers
  • e-Commerce investigation example and considerations
  • UPC data search: Verify counterfeits, check retail prices
  • Trademark lookup
  • Copyright lookup
  • Considering State vs. U.S. Federal charges

Auction and Sale platform investigations

  • Intro to Auction websites and sales platforms
  • Initial profiling: Content, Payment, Shipping, Images
  • Locating infringing sellers and sales data
  • Ebay
  • PayPal
  • Other sales platforms: Sell, Bonanza, eCrater, and more
  • Locating infringing sellers
  • Auction investigation example and considerations
  • Setting up RSS feeds to monitor sales platforms

Classified Ads: Craigslist investigations

  • Initial profiling: Content, Email, Phone, Location, Images
  • Backpage and other platforms
  • Classified Ad investigation example and considerations
  • Setting up RSS feeds to monitor listings
  • Crawling sites vs crawling search engines
  • Terms of Service and enforcement trends
B2B: Importer/Exporter website investigations

  • Introduction: Business-to-Business platforms and Drop shipping
  • Initial profiling: Content, Payment, Shipping, Images, Analytics
  • B2B seller investigation example and considerations
Payment processing: Investigation and enforcement strategy

  • How credit card networks operate
  • PayPal
  • Other payment gateways
  • BitCoin
  • Investigation considerations: Undercover, BitCoin, and more
  • Example payment processing investigations
Monetization and Malware: Advertising enforcement strategy

  • How ads are placed on websites
  • Affiliate referral examples
  • How to identify ad network vs ad server code
  • Investigation considerations: Country, Business implications
  • Example advertising investigations
Streaming and link website investigations

  • Intro to streaming and link website investigations
  • Initial profiling and differences in a regional operation
  • Link website investigation example and considerations
Live streaming website investigations

  • Intro to live streaming website investigations
  • Initial profiling
  • Link website investigation example and considerations
Cyberlocker website investigations

  • Intro to cyberlocker investigations
  • Initial profiling: DDL and Streaming
  • Cyberlocker investigation example and considerations
  • Practical exercise: Tools, Exercise handouts, Online resources
Intro to BitTorrent investigations
  • Initial profiling: Index sites, Trackers, Ancillary services
  • BitTorrent investigation example and considerations
  • Inspecting iPhone Apps (non-forensic)
    • Streaming app example

     Android App inspection (non-forensic)

    • Introduction to reviewing Android apps

    Social Network Investigations (S)

    InfoOnline referencesScreen names (S1)Social networks (S2)Facebook (S3)OSINT (S4)Advanced Social Networks (S5)Facebook FQL (S6)ID verification (S7)Twitter/Vine (S8)Instagram (S9)Snapchat (S10)Foreign Networks (S11)Updates (S12)
    Bootcamp Stage 3: Introduction to screen name and social network investigations: Extract data from profiles and images, associate and connect profiles, verify identities.
    Introduction: Screen Name Investigations

    • Screen names are our online identities and reputation
    • Connect to real people, places, content, connections
    • Strategy to screen name investigations
    • Tools to identify screen name profile on social networks
    • Search techniques and tools to target specific networks
    • Example investigation: From screen name to identity
    Intro to Social Networks and Social Media

    • Facebook Basic Search
    • Twitter
    • Google+
    • Real-time conversations: Facebook, Twitter, Google+
    • Linkedin
    • Pinterest
    • Instagram
    Intro to Facebook Investigations

    • Find a person based on an email address or screen name
    • Locate a witness based on general descriptions
    • Monitor  travel, communications, and connections
    • Locate people, photos, and comments at a place

    Conduct complex searches. Visualize connections.

    OSINT: Open Source Intelligence

    • Connecting additional details and activities to social profiles
    • Photo sharing: Flickr, Photobucket,
    • Video sharing: YouTube
    • Location sharing: Foursquare, Instagram
    • Blogs: Blogger, Tumblr, WordPress,
    • Audience specific: Netlog, Stumbleupon, Yelp, Reddit, and more
    Advanced Social Network Investigations

    • Investigations focusing on OSINT and Social Networks
    • Photo geolocation
    • Visualization / Organizational connection tools
    Advanced Facebook search using FQL
  • Intro to Facebook FQL
  • Best uses for FQL queries
  • Search results only FQL can deliver
  • Setting up a Facebook developer ID
  • Standard search queries
  • Translating social network and OSINT details into verifiable identities

    • Qualifying name, age, location, and other profile data online
    • Phone checks
    • Name checks
    • Real estate and tax assessor records
    • Credit checks
    • License checks
    • Other sources: Voter records, Lawsuits, and more
    • Business sources: Incorporation records, Non-profit filings, Government contractors
    • International checks
    • Subscription services
    Advanced Twitter search
    Vine video search
    Intro to Instagram

    • Instagram search via Image, Location, Time, User
    • Geo-location options
    Snapchat profiles

    Intro to Vkontakte

    • VK presence includes Europe and LATAM
    • VK site searches: Profiles, comments, photos, media

    Other networks

    Coming Soon

    Internet Evidence (E)

    InfoUndercover (E1)Websites (E2)Social networks (E3)Pay Processing (E4)Advertising (E5)Video/Digital (E6)Images (E7)Documents (E8)Phones (E9)Parcels (E10)Web Scraping (E11)App analysis (E12)iPhone (E13)Report writing (E14)Updates (S15)
    Focus on specific investigative activities that collect data.
    Undercover Investigations

    • Components of an undercover identity
    • Undercover email considerations
    • Undercover website benefits and considerations
    • IP trap and trace by email and website
    • Email: ReadNotify, Clicktale, PayPal
    • Undercover VOIP / SMS phone setup
    • Undercover payment processing setup
    • Considerations for Private vs. Corporate Investigators
    • Terms of Service and protecting your personal life
    Website evidence collection

    • Search techniques and tools to locate and target
    • Example investigation and evidence collection
    • Website network investigation
    • Website backup tools
    • Investigation considerations and enforcement

    Social Network page evidence collection

    • Search techniques and tools to target specific networks
    • Example investigation and evidence collection
    • Investigation considerations and enforcement
    Online revenue evidence collection

    • Payment processing: Investigation and enforcement strategy
    • How credit card networks operate
    • PayPal
    • Other payment gateways
    • Identifying banks associated with merchants
    • BitCoin
    • Investigation considerations: Undercover, BitCoin, and more
    • Example payment processing investigations
    Advertising and Affiliate Network evidence collection

    • Ad networks, Ad servers, and more
    • Inspecting HTML and ad placement
    • Hiding ad placement in iFrames and 3rd party websites
    • Affiliate referral examples
    • Investigation considerations: Country, Business implications
    • Example advertising investigations
    Videos and Digital evidence

    • Introduction to online videos and digital files
    • Locating source files
    • Unique data points
    • Examining clues within digital files
    • Example video and digital file investigations
    Image evidence: Internet hosted

    • Exif & Geo-location: Potential to ID location and device
    • Photo search engines
    • Reverse image search
    • Exif availability on social networks and image host
    • Eliciting images
    Documents: Internet hosted

    • Finding documents online: Hosted and Leaked
    • Social sharing site profiles
    • Sites with available document meta data
    Phone number investigations

    • Phone number validation: Landline, Mobile, VOIP
    • Reverse phone number lookup
    • Neighbor subscriber lookup by address
    • Caller ID
    • Skype, Google Voice, and other services
    • International phone lookup
    Parcel investigations

    • Introduction to international parcel shipping and routes
    • Parcel tracking
    • Parcel evidence collection
    Web scraping
    Introduction to visual web scraping: Websites and Search

    • Importance of using a proxy IP address
    • Browser tool example
    • Desktop tool examples
    • SEO tool examples and why they’re helpful
    • Terms of Service enforcement trends
    Coming Soon
    Note: This is not a forensics class
    Coming soon

    Note: This is not a forensics class

    Evidence and report writing best practices

    • Overview of report writing and online evidence handling
    • Federal crime statutes
    • Corporate vs. Private Investigator considerations
    Coming Soon

    Internet Tools (T)

    InfoBasic Internet ToolsWebsite Investigation ToolsSocial Network ToolsEvidence ToolsPC Maintenance ToolsAPIs & AutomationToolbox
    How-to videos, tool reviews, and hands-on techniques for desktop applications and online investigative resources.
    Robtex.com (T1)
    Key feature: Network tool for troubleshooting IP addresses, ISPs, and Network peering
    Locate other websites sharing services
    Identify sites hosted on same ISP or IP address block
    Troubleshoot CloudFlare or location of a server or network


    Domaintools.com (T2)
    Key feature: Whois History, Hosting & Nameserver history
    Locate operators through historical records
    Connect websites and operators through hosting & nameservers

    Traceroute and Ping
    Traceroute services: Visualroute and Hurricane Electric Looking Glass
    Feature: Troubleshoot server location from multiple locations

    Ping services: Startping.com
    Feature: Ping server/IP address of last traceroute hop
    Calculate distance/location based on speed of light

    Packet analysis and HTTP traffic
    Packet tools: Smartsniff, ShowTraffic, HTTPFox, Fiddler2, Wireshark
    Features: Identify connected services and hosting location

    DNS tools: IntoDNS.com, Network-tools.com
    Feature: Identify start of authority and hosting details

    Anonymous surfing
    Proxy tools: Hidemyass VPN, Tunnelbear.com, Cyberghostvpn.com and others
    Feature: Visit websites and download content via other IP addresses
    View websites blocking your IP address or your country’s address

    Monitoring tools
    Uptimerobot.com, Monitis.com / Monitor.us, Page2rss.com

    …and more coming soon

    Reverse Internet
    ReverseInternet tools: SameID.net, Reverseinternet.com, Spyonweb.com+
    Feature: Connect multiple websites to an operator or group via shared assets
    Hosting, Start of Authority, Publisher codes, Analytics accounts, and more


    Web scraper
    Web scraper tools: WebHarvy, Datatoolbar, Screaming Frog+
    Feature: Easily crawl websites, collect data, identify related media hosting locations, and more

    Backlink tools: URLfind.org, Ahrefs, MajesticSEO, Backlinkswatch +
    Feature: Identify related sites via inbound links, Identify top referring traffic

    Decryption tools: Yellowpipe+
    Feature: Decode operator’s HTML or hidden links using Base64 and other encryption

    …and more coming soon

    Social network tools

    Social network image geolocation
    Tinfoleak + Tweepy


    Facebook Visualizer
    Github (to be tested)

    Evidence capture tools

    Techsmith Camtasia
    Chrome and Firefox add-on Fox clocks
    Firefox add-on WIPmania


    Evidence notetaking

    Evidence storage

    …and more

    PC maintenance and security tips covering disk cleaning, virus detection, security scans, and more

    PC Monitor

    …and more

    Introduction to APIs (Application Program Interface)


    Social Network APIs
    API: Apigee.com Console
    Features: Advanced queries on Facebook, Instagram, Twitter+

    People search APIs
    API: Pipl.com
    API: Fullcontact.com

    Email search APIs
    API: Towerdata.com
    Feature: -ID Email demographics:

    API: Toofr.com
    Feature: ID emails on a domain

    API: Briteverify.com
    Feature: Bulk email verification

    Phone APIs
    API: Whitepages.com
    Feature: Bulk Phone lookup

    API: Opencnam.com
    Feature: Caller ID lookup

    Website APIs
    API: Domaintools.com
    Feature: Whois and hosting lookups

    API: Instagram.com
    Feature: Instagram image and geolocation

    API: Facebook.com
    Feature: Advanced Facebook Graph queries

    Task Automation
    Automation tool: IFTTT.com If This Then That
    Feature: RSS, Alerts+

    Automation tool: Zapier.com
    Feature: RSS, Alerts+

    …and more coming soon

    NetBootCamp’s portable Firefox browser configured for investigations

    • Desktop apps for PC
    • Browser bookmarks
    • Browser add-ons
    • Pre-set custom search options

    …available soon to students