OSINT Analysis Guide
OSINT analysis connects identifiers extracted from case evidence to public sources. It is a tracking map, not a standalone conclusion, and should be reviewed alongside AI analysis, manual review, timeline analysis, and malware analysis.
What It Tracks
| Target | Purpose |
|---|---|
| Emails and usernames | Public web leads, exposure metadata, and repeated use across cases |
| IPs, domains, and URLs | DNS, registration data, certificates, reputation, and threat-intelligence leads |
| File hashes | Malware repository metadata, reputation, and case-local execution traces |
| Wallet and onion identifiers | Relationship leads within public sources the user is authorized to review |
How To Use It
- Open the OSINT Analysis tab after collection and basic indexing are complete.
- Review the highest-priority pivots first.
- Separate default public lookup results from external sources that require your API key.
- Corroborate confirmed leads in AI analysis, manual review, timeline, and malware analysis.
- Keep public-source findings, case-local evidence, and unqueried external sources separated in reports.
When External Sources Help
Default public lookups and case-local correlation work immediately. External sources such as VirusTotal, MalwareBazaar, ThreatFox, and URLhaus may have their own terms and commercial-use conditions, so customers can register their own API keys to run broader reputation and threat-intelligence lookups.
Registering external sources can expand coverage for:
- Known malicious IP, domain, and URL reputation
- File-hash metadata from malware repositories
- Public exposure metadata for emails and domains
- Correlation between malware IOCs and case evidence
Reading Results
| Status | Meaning | Recommended action |
|---|---|---|
| Public-source hit | A related lead was found in a public source | Compare timestamp and context with original evidence |
| Case-local evidence | The identifier exists in case evidence but lacks public confirmation | Review timeline and manual evidence context |
| More lookup available | External sources requiring an API key or terms review remain | Register the source if broader coverage is needed |
| No public match | The queried public source did not show a match | Do not treat this as proof that no exposure exists |
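One way to keep public-source findings, case-local evidence, and unqueried external sources apart when assembling a report, as an added example that is not unJaena AI's own code. The outcome labels, the `default-` source labels, and the field names are assumptions of this example, and the sample results are constructed.

```python
from collections import defaultdict

# Constructed sample results: (identifier, source, outcome).
# Outcome labels are assumptions of this example: "hit", "no_match",
# or "not_queried" (an external source with no API key registered).
SAMPLE_RESULTS = [
    ("198.51.100.7", "default-dns", "hit"),
    ("198.51.100.7", "VirusTotal", "not_queried"),
    ("files.example", "default-dns", "no_match"),
    ("files.example", "URLhaus", "not_queried"),
    ("user@example.org", "default-web", "no_match"),
]
OUTCOMES = ("hit", "no_match", "not_queried")


def build_report(results):
    """Split lookup results into three report sections that never mix."""
    by_id = defaultdict(lambda: defaultdict(list))
    for ident, source, outcome in results:
        if outcome not in OUTCOMES:
            raise ValueError(f"unknown outcome {outcome!r} for {ident}")
        by_id[ident][outcome].append(source)

    report = {
        "public_source_findings": [],
        "case_local_evidence": [],
        "unqueried_external_sources": [],
    }
    for ident in sorted(by_id):
        seen = by_id[ident]
        if seen["hit"]:
            report["public_source_findings"].append(
                {"identifier": ident, "sources": sorted(seen["hit"])})
        else:
            # No hit: list the sources actually checked, so the entry
            # cannot be read as proof that no exposure exists.
            report["case_local_evidence"].append(
                {"identifier": ident,
                 "checked_without_match": sorted(seen["no_match"])})
        # Coverage gaps are reported even when another source matched.
        for source in sorted(seen["not_queried"]):
            report["unqueried_external_sources"].append(
                {"identifier": ident, "source": source})
    return report


if __name__ == "__main__":
    for section, entries in build_report(SAMPLE_RESULTS).items():
        print(section, entries)
```

An identifier can appear in more than one section: a hit from one source does not hide the fact that another source was never queried.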
Not Supported
unJaena AI does not perform high-risk tracking methods, such as:
- Private-account access, credential use, or access-control bypass
- Real-time location tracking
- Tor deanonymization
- Collection or storage of raw breach dumps, passwords, tokens, or session cookies
- Unauthorized personal-data collection or third-party account intrusion
Example Questions
- "Check whether IPs and domains extracted from this case are known malicious infrastructure"
- "Track whether the discovered email addresses appear in public web leads or other cases"
- "Compare the malware file hash with execution traces inside the case"
- "Summarize public-source leads that may relate to exfiltration"
Next Steps
Continue in the service
Move from this guide into a sample workflow or the relevant upload surface. Upload real evidence only when you have lawful authority.