OSINT: Pivoting From a Single Artifact
Good investigation isn’t about knowing a hundred sites. It’s about disciplined pivoting: every artifact is a node, every relationship is an edge, and your job is to expand the graph without drowning in noise.
Start with one node
Say you have a single email address. Don’t grep the whole internet — ask what linked identifiers it can yield:
email
├─ username (local-part reuse)
├─ breach appearances → passwords, other emails
├─ gravatar / avatar hash → image
└─ account existence across platforms
The pivot loop
Each new artifact re-enters the same loop. I keep it explicit so I don’t wander:
- Extract — what identifiers does this artifact contain?
- Expand — resolve each identifier to accounts/records.
- Corroborate — does a second, independent source agree?
- Record — add the node + edge to the graph with a source citation.
Rule I never break: one unconfirmed source is a lead, not a fact. A lead goes on the board as a low-confidence edge; it becomes a confirmed edge only when a second, independent source agrees (a second run of the same tool does not count). Everything on the board is labeled with its confidence.
Usernames are the richest pivot
A reused handle is a gift. A quick existence sweep across platforms:
# check a handle across sites, then eyeball the true positives
mkdir -p recon
sherlock "$HANDLE" --timeout 10 --print-found \
| tee "recon/${HANDLE}.txt"
Automated hits are candidates, and the tool run counts as a single source. Confirm each one manually, through an avatar match, bio overlap, join date, or writing style; that manual check is the second, independent source that turns a lead into an edge. Tools find; humans decide.
Map, don’t list
The deliverable is a graph, not a spreadsheet of links. I drop entities into a link-analysis view so relationships surface:
- Nodes = people, accounts, domains, images.
- Edges = “controls”, “reused”, “registered”, “appears-with”.
- Color = confidence.
The picture tells you where the next pivot has the most leverage — usually the node with the most low-confidence edges begging to be confirmed.
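The pivot loop and the board above, as a worked example in Python. This is added illustration, not code from the original post: the address, handles, platform names and source labels are constructed, and the graph class is an assumption about how one might keep the record, not a real link-analysis tool. The only external fact used is Gravatar's convention of keying avatars by the MD5 of the lower-cased, trimmed address.

```python
import hashlib
from collections import defaultdict


def gravatar_hash(email):
    """Gravatar keys avatars by MD5 of the trimmed, lower-cased address."""
    return hashlib.md5(email.strip().lower().encode()).hexdigest()


def extract_from_email(email):
    """Extract step: identifiers one address yields before any lookup."""
    local, _, domain = email.strip().lower().partition("@")
    return {
        "username": local,  # local-part reuse is the first pivot
        "domain": domain,
        "gravatar": "https://www.gravatar.com/avatar/" + gravatar_hash(email),
    }


class PivotGraph:
    """Nodes are identifier strings; every edge carries its source citations."""

    def __init__(self):
        # (src, relation, dst) -> set of independent source citations
        self.edges = defaultdict(set)

    def record(self, src, rel, dst, source):
        """Record step: no edge without a citation (a set dedups repeat runs)."""
        self.edges[(src, rel, dst)].add(source)

    def confidence(self, edge):
        """One source is a lead; two independent sources make a confirmed edge."""
        return "confirmed" if len(self.edges.get(edge, ())) >= 2 else "lead"

    def board(self):
        """The deliverable: every edge, labeled with its confidence."""
        return sorted((e, self.confidence(e)) for e in self.edges)

    def next_pivot(self):
        """The node touching the most lead edges is where confirmation pays."""
        leads = defaultdict(int)
        for (src, _, dst), sources in self.edges.items():
            if len(sources) < 2:
                leads[src] += 1
                leads[dst] += 1
        return max(leads, key=leads.get) if leads else None


def build_example():
    """Constructed investigation: one email in, a small cited graph out."""
    email = "jdoe.dev@example.com"  # constructed, not a real target
    ids = extract_from_email(email)
    g = PivotGraph()
    handle = "handle:" + ids["username"]
    # Extract: the local-part is a candidate handle, cited to the email itself.
    g.record("email:" + email, "reused", handle, "local-part")
    # Expand: an automated sweep (constructed results) is one source per hit.
    g.record(handle, "controls", "github:jdoe.dev", "sherlock")
    g.record(handle, "controls", "twitter:jdoe_dev", "sherlock")
    # Corroborate: a manual avatar match is the independent second source.
    g.record(handle, "controls", "github:jdoe.dev", "manual:avatar-match")
    # A single WHOIS record: still a lead until something else agrees.
    g.record("github:jdoe.dev", "registered", "domain:jdoe.dev", "whois")
    return g


if __name__ == "__main__":
    graph = build_example()
    for edge, conf in graph.board():
        print(conf.ljust(9), *edge)
    print("next pivot:", graph.next_pivot())
```

Running it prints the board with one confirmed edge (the GitHub account, backed by both the sweep and the manual check) and three leads, and names the handle node as the next pivot because it touches the most unconfirmed edges. Swap the source labels for real citations (URL plus date) and the same structure is the record the post insists on.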
Stay clean
Investigate from a compartmented environment, log your sources as you go, and keep to passive collection unless you have explicit authorization to do otherwise. The methodology is the same whether the target is a threat actor or a phishing domain — only the authorization changes.
Single artifact in, mapped network out. The discipline isn’t the tools — it’s refusing to add an edge you can’t cite.