This is part two of a five-part email series called OSINT Foundations.
This series is a quick introduction to some of the foundations of open source intelligence.
In the last email, I talked about the OSINT lifecycle. The lifecycle starts with a question you are trying to answer. You can read that email here.
But before you start searching, you need one more thing - scope.
What is scope?
Scope is the boundary line around an OSINT investigation. It defines:
- The subject of the investigation
- The question you are trying to answer
- The sources and methods you can use
- The legal and ethical boundaries
- The time period you will search
- What “done” looks like
This matters because the question you are trying to answer is not always as obvious as it sounds.
For example, let’s say you are assisting law enforcement on a missing persons case.
The overall goal may be to help bring the person home safely. But your OSINT question may be narrower:
Can we identify recent online activity, locations, associates, or posts that may help investigators understand where to look next?
An investigation without scope
Without scope, an investigation can quickly get off track.
A username leads to a profile.
A profile leads to another account.
That account leads to an old post.
The old post leads to another person.
Before long, you have 100 tabs open and are no closer to answering the original question.
It can feel productive to chase everything you can find, because you are finding information.
But finding information is not the same as answering the question.
How to define the scope of the investigation
A simple way to set the scope is to answer four questions before collection begins:
- Who or what is the subject?
- What specific question am I trying to answer?
- What legal and ethical guardrails apply?
- What does “done” look like?
That last question is important.
If you don’t know what “done” looks like, the investigation can easily keep expanding forever.
It’s easy for me to say, but it’s harder in practice because we get so into the investigation it’s hard to stop.
Good scope makes the work more focused. It helps you avoid irrelevant rabbit holes, collect more intentionally, and stay inside the legal and ethical boundaries of the work.
It also makes reporting easier later, because you can explain how you moved from the original question to the sources you searched, the information you found, and the conclusion you reached.
Scope does not mean the investigation can never change.
Remembering this helps me not chase every lead, because I know we can always come back to it later if we determine it would help the investigation.
New information may require you to adjust the scope. But that should be done intentionally, not accidentally because you followed another rabbit hole.
I have a good story about an investigation where I didn’t set a clear scope. I don’t want to make this email too long, so I’ll talk about that in the next episode of The OSINT Files Podcast.
The next email will cover collection methods and methodology.
See you soon,
David