The Lego Method: An Investigator's Process for Enhancing OSINT

My bewildered colleague, who wanted to observe a digital investigation, struggled to comprehend my focus on the Facebook profile of a seemingly unimportant woman. I found her by reversing the phone number of a current tenant living where the subject allegedly resided. However, no obvious links between the two individuals existed: major age gap, different last names, and no shared email addresses or phone numbers. Due to the age and immigration status of the subject, little could be discovered via the use of online databases. Upon my fourth visit to the woman’s Facebook profile, my colleague, exasperated by what he felt to be a waste of time, protested by saying, “This woman is nothing more than a tenant, with no relevance to the case.” They wandered off, apparently bored by my methods. Twenty minutes later, I determined, and then confirmed, the woman to be the mother of the subject, and the foundation upon which I built my entire investigation. 

Whether you’re an anti-money laundering specialist, a private investigator, or in law enforcement, investigating insurance claims or tracking terrorists, the staples of investigative methodology, critical thinking, and strategic intelligence remain the same. All cases begin with an unreliable piece of the puzzle. Maybe it’s a referral from an insurance company, a report filed online, or a call placed by a frantic member of the public. The initial data given to you must remain suspect until its credibility is confirmed. No data, no matter how reliable the source, can be assumed as gospel truth until it has been vetted, cross-examined, and proven to be true. 

This also presents us with two fundamental principles we must address. 1. We must accept the fact we all have biases. 2. Biases must be recognized and rejected. Our quest is that of truth, facts, and evidence. Opinions we give are based on no less and no more than what is found and documented during our investigation. If we allow bias to creep into our research, it jeopardizes both the integrity of the investigation and our reputation as an analyst. How can I claim to be an expert witness if I allow my opinions, beliefs, or political affiliations to taint my perspective? Here is what I found and here is my analysis of what it means. No more, no less. Digital intelligence is the art of gathering relevant data so that “decision-makers” can be informed. Our role is not that of a decision-maker, but of a gatherer and presenter of actionable information.    

The objective of our case acts as an anchor. It roots us into the ground, keeping us from being blown about by the wind in any given direction. It prevents us from wandering down rabbit holes or being set adrift in a sea of information overload. The objective also works as a lantern, alighting our path, and assisting in the determination of what puzzle pieces are most critical to the completion of our case. Objectives come in all shapes and sizes: a skip trace can vary depending on if we are locating a witness (and is it a cooperative witness?), a suspect, or a missing child. An arson investigation changes when more than property has been lost. Homicide detectives approach the crime scene differently than the person conducting an heir search or working a liability claim. Once we are grounded in the reliability of our starting information, and clear on our client’s objective, we can begin a proper OSINT investigation. 

OSINT, or open-sourced intelligence, is a very broad term. This gathering of publicly available information, by first being armed with an objective, can be applied to corporations (business intelligence), financial institutions, investigative journalists, cyber security analysts (active OSINT), private consultants (passive OSINT), military, or any number of government acronyms or intelligence agencies. OSINT isn’t so much about the tools because many exist and many more still become obsolete given time. OSINT is about knowing what tool you need at the right time for the right information. This is essential since extremely rare is the investigation where time, energy, and resources are infinite. OSINT is central to digital investigations and is best approached by what I have come to call building blocks or the “Lego Method.” 

Every investigator begins with an objective and an unverified puzzle piece, also known as our starting data. It can be a name, a photo, a license plate, a username, or an audio recording. Sometimes, you are given enough starting data to create an entire PII profile of your subject rather quickly and can now attribute more time cleaning and analyzing data as opposed to gathering data. As investigators, we have no control over what data we receive when we begin our case, but we do control how we go about our investigation. The Lego Method, while not revolutionary by any means, has served me well in improving the accuracy of my results and focused the intention of my analytical summaries.   

The Lego Method is rather simplistic and is similar to assembling a lego set, brick by brick. First, verify your starting information through the process of gathering data and cross-examining it across several sources. If I am given a date of birth, such as 01-01-01, logic tells me this is likely an invalid date. Was it a typo? A static entry because the date of birth is unknown? This is unclear, so I research the subject through online databases. If they’re born in California, perhaps I check the California Birth Index. Or maybe I conduct searches on any number of information brokers, such as IDICore, Clear, and TLOxp. My sources serve as witnesses attesting to the truth of any given statement. The more sources that corroborate a piece of data, the higher my confidence in that data. The more inconsistencies I discover, the less confident I am in that data. 

This is also why searches conducted via an information broker, regardless of whom, is the starting point of an investigation and not the end-all. If your report is nothing more than a comprehensive report produced by LexisNexis, you’ve done a disservice both to your client and to your own reputation. Information brokers are great resources, but the process of cross-examination is in the INT in OSINT. It’s why OSINT analysts have so much in common with data scientists: our investigative methodology is firmly entrenched in the scientific process. We continually form a hypothesis, test that hypothesis, examine our results, and then adjust our hypothesis. Now, rinse and repeat. We do this until our hypothesis has been thoroughly tested, polished, and refined. 

This scientific method is at the heart of what the Lego Method is: a process of gathering data, cleaning data, analyzing data, and then repeating the process until you arrive at a conclusion satisfying the objective or your energy, time, and resources have been exhausted. OSINT isn’t limited to the digital world. It may involve phone calls or interviews. It may also include subpoenas and warrants. Additionally, the analytical process can be further improved through the use of link analysis technology, or a whiteboard if finances are tight. The core of the process remains steadfast: gather, clean, analyze, repeat, and then present.  

Knowing our objective and being aware of the constraints placed upon our time, energy, and resources, will help us to determine how we approach each area of our investigation (gathering, cleaning, analyzing) and how many times I will be able to repeat it. For example, an employment pre-screening will likely offer less time for gathering (meaning less available data for cleaning and analyzing) and will more than likely not leave time for a repeat process. You will be afforded one go-through and the case is closed. In contrast, an investigation conducted on a possible business partner for a corporate intelligence case offers a much bigger budget with expanded time, energy, and resources. Thus, this entire process will be repeated multiple times over, improving the details, accuracy, and complexity of the final report.

If I begin my investigation with a name and region, I may start with a simple surface-level search on the web. I gather the data, clean it for relevance, analyze it, and then re-enter the data into my search inputs. I repeat the process, strengthening my starting data with discovered data (i.e., date of birth, a social security number, a username, or place of employment). Once I have a clear portrait of my subject, I focus my search based upon my objective, as I dive deeper into the web for more data. For example, financially oriented investigations are more concerned with assets whereas court record searches are geared toward establishing a legal profile for the subject. The clearer my portrait of the subject, the quicker I become at cleaning data. The more detailed my objective, the better my analysis will be of the data. The better my starting data, the less time I spend on my initial gathering of data to verify my information.    

A major factor that also plays a vital role in the investigative process, but can be often overlooked, is the region in which the investigation is centered upon. More specifically, the culture of that area. I once conducted a hit-and-run investigation in an area where registering your vehicle is not common practice. You may mistakenly assume the name of your subject is unique until you factor in the culture. I call this the “X-Factor” of our investigative approach and must be kept in mind on a case-by-case basis. 

The Lego Method is best improved upon by constant practice and rigor devotion. When executed properly, I have found it has improved every aspect of my investigative process. It keeps me grounded, focused, and on-point. Of course, the key to my success as an investigator was never rooted in some superhuman attribute. I simply made it a practice to work on the cases no one else wanted to do. The nasty, complex, weird, horrible cases that a lot of other investigators may thumb their noses at. It’s understandable as they often lacked joy and delivered many a stress headache. However, the more I deployed and refined the Lego Method in these difficult cases, the quicker I became in tackling the easy, run-of-the-mill problems. And the more credible I became in helping others to find success in their cases while also improving the results of my own.