A few months ago, I wanted to try to practice my OSINT skills by looking up missing people by checking out the National Center for Missing & Exploited Children website. One of the people that I was checking on was a 14-year-old girl who had been missing for about a week.
I started by looking her up on Facebook and found 2-3 Facebook and Instagram accounts apiece. None of them showed much activity. Then I spread out by looking at the friends that this person took selfies with first. One of the friends had a few pictures with this girl that were fairly recent and within the time that this girl was missing.
I went to (what was then) the OSINTCurious Discord server to ask some questions about what I found. I was given some great suggestions:
- What I was doing was potentially dangerous if I was not using good OPSEC. I was, but I knew to be extra careful anytime I am working with the real world and not in the safe confines of a practice CTF exercise.
- I am not a professional. I am barely an amateur. I should not assume that I have all of the answers or that I know exactly what I am doing.
- I should not contact anyone, especially not the families of the people involved. I probably shouldn’t even contact law enforcement unless I knew exactly what I was doing or I had discussed it with someone else first.
All of this is good advice and these are most likely lessons that have been learned the hard way. If I want to be involved in the OSINT community, it’s best that I learn slowly and do things the right way.
I ended up deleting the temp VM that I had been doing this work on so as to not take any chances, and I haven’t done that exact exercise again. Is there any harm in Googling people? Probably not, but you also don’t know the complications that can arise in the real world if you don’t know what you’re doing.