
When What You Find Online Becomes Evidence—and a Liability | Data Xposure - Ep 15
Host: Justin Tolman, Digital Forensics SME, Exterro
Guest: Jessica Stutzman, Founder & President, Pangea Research LLC
What if the information your team relies on… isn’t as reliable as it looks?
In today’s investigations, it’s never been easier to find information online. Social media, public records, data brokers—answers are everywhere. But in this episode of Data Xposure, we explore a harder question:
Can you actually trust what you find?
Justin Tolman sits down with Jessica Stutzman, an open source intelligence expert and founder of Pangea Research, who has worked across law enforcement, national security, and the private sector helping organizations turn online information into actionable insight.
Together, they unpack how companies are using publicly available data to support investigations—and where it can quietly go wrong.
Because while this kind of research can uncover critical leads, it can also introduce serious risk:
- Drawing the wrong conclusions from incomplete information
- Relying on tools you don’t fully understand
- Using evidence that won’t hold up under scrutiny
And when that happens, the consequences aren’t just technical—they’re business-critical. Cases fall apart. Decisions get challenged. Credibility is on the line.
Justin Tolman (00:03.554)
Welcome to another episode of Data Xposure. I'm your host Justin Tolman for this episode. And in this episode, we talk more about data, of course, 'cause that's the theme of the podcast. But in this episode, we're going to talk about how to use data and maybe data from unconventional sources.
Our guest this episode is Jessica Stutzman, who is the founder and president of Pangea Research LLC, an OSINT consulting research and training firm. OSINT standing for open source intelligence or information. Jessica is a certified forensic computer examiner and chair of the OSINT program and problem development program for IACIS. And she has spent her career across law enforcement and the intelligence community investigation scene from collection to analysis to digital forensics and is currently a doctoral candidate in strategic intelligence at the American Military University, where her dissertation research examines human data validation when working with AI and automated tools. Jessica also serves as an OSINT expert advisor to UNOPS and sits on the AURORA advisory board at American University.
So we have a great episode today recorded and let's go ahead and bring in Jessica and hear from the expert.
Justin Tolman (00:01.368)
Jessica, thanks for jumping on to talk to us today about open source intelligence and investigations. You are the resident pro. So I am going to start off with the basic question. What is OSINT or open source intelligence and investigations? Let's start at the absolute ground level and we'll build up from there.
Jessica Stutzman (00:27.032)
Sure. So OSINT in general, open source intelligence, it is collection, tasking, processing, analysis, exploitation, dissemination, that whole intelligence cycle of using publicly available information sources to get you to an end state of having actual intelligence. That doesn't necessarily mean that it's all free, although that is the case for many things. And it doesn't also mean that it's necessarily easy.
It means anything that you can do open source that's legally and ethically accessible without any sort of undercover activities or operations. Once you do that, then you're kind of crossing a line at that point.
Justin Tolman (01:07.758)
So you mentioned, you know, not necessarily free, but you know, it kind of bounces between it. How there seems to be this like extra level probably of vetting how you approach it. Can you walk through like, okay, I want to, I'm doing an investigation. I need to maybe look at some open source resources. How do I know what is going to be like a good resource or where do I start in that, in that process?
Jessica Stutzman (01:38.104)
So you definitely won't know off the bat unless you have a really good lead. So if you're doing a forensics investigation, obviously you're going to have access to the internet history of that person. And that'll give you some good directions to go. But if you're a law enforcement officer and you're trying to maybe solve a string of burglaries or something like that, that's a much different approach that you would need. And if you're doing a war crime investigation for an NGO, again, a very different approach.
So getting started for everybody will look different, and the important piece is that anybody that wants to do an OSINT investigation, no matter where they're supporting, will need to have a good grasp on the fundamentals, and what that means is knowing what the whole landscape looks like and where to start. Like I said, every place starts in a different area. So it's really hard to say like, hey, this is your starting point always. If you have an email address as your first lead,
then you start with a couple of different techniques or a couple of different platforms where you can look for those. You might start with things like Have I Been Pwned to see if that email address has been in breach data going back a number of years. If you have a phone number, you may start somewhere else just by basic Google searching, dorking with that phone number to see if it's been reported for scams or if it's been used as a company phone number for a contact or something like that.
Names also different starting points, IP addresses, all of those will start in different areas depending on where your person is originating from.
Justin Tolman (03:07.074)
So you got to have that first little nugget and that's going to point you. And I like that because a lot of advice is always like start at A. And with open source, it's a bit more fluid based on where you want to go because there's so much out there. I mean, it's kind of like, I don't want to, set me straight. It's kind of like anything is now a viable source of information in a weird way, right?
Jessica Stutzman (03:35.031)
It is, it is, and that's what makes it so complicated. People that are used to, you know, forensic examiners, I'll take that as an example. It can be very difficult for forensic examiners to move into OSINT because you're used to, you know exactly what you do, you know how you get your image, you know that you can go down to the bit, the binary, the hex level, you can look at all of this and you know exactly what the steps are and what data should be there and where it belongs. And if it's not there, you know that something is up, right?
That is not the case in OSINT, right? You don't necessarily have a static path. Now, there's a really great author out there for any of your people that want to dig in and learn a little bit more, Michael Bazzell. And he, as part of his books, he's got a bunch of downloadable files and links that you get with it. And he has some templates that kind of have like roadmaps sort of for if you're doing an email address, here are some great places to go check. But it's by no means a step by step, do this, then this, then this.
A lot of the times you are having to collect resources and just kind of take notes and go, okay, let me circle back to this or let me look for this later. There is no easy A to B. Again, you'll just get used to workflows and you'll kind of know, hey, these are phone numbers I have to search. Let me go hit all of my phone number search platforms. Every case is different. And honestly, that's kind of what makes it fun, but it can also be stressful if you're not super adaptable and flexible. It's really hard.
I had a girl start for me several years ago and she's like, well, where's the checklist of how I do this and then this and then this. And I was like, well, I can give you like rough ideas, but you're gonna find a lead that says on Facebook that says, hey, check out my Mastodon. And then you're gonna have to go to Mastodon. And that maybe wasn't part of the plan because you didn't know there was a Mastodon account for that person. So definitely a very, very much dynamic environment for every type of investigation that you'll have.
Justin Tolman (05:25.88)
So building off of that, coming from a forensic background where we're hammered in, you know, okay, you found this validated, found that validated, validated. How do you kind of bridge that gap? Because some of the stuff that you're finding, you're seeing it, but how do you get that? How do you cross that line or maybe balance the need for validation? And how would you report that and document that?
Jessica Stutzman (05:51.883)
I love that question for a number of reasons, but the first of which is that I just finished chapter seven, my final chapter of my dissertation, and my entire line of research for this is how do you validate information in open source investigations? For my case specifically, because you have to be very specific with doctoral research, for identification investigations. So if I have a phone number and I'm trying to connect it to a person, I don't know who that person is.
How do I confirm whether this is real or not? How do I know when I search in a database and this phone number comes back and it had belonged to eight people over the last 10 years? How do I know which one is correct? That's a huge challenge that we have. Or how do you confirm that this email really does belong to this guy when it's such a common name?
Validation is something that really isn't talked about that much in open source. It is something that needs to be talked about, especially as it gets more popular, as we get more people taking OSINT data to court. Now, as far as looking at like from a forensic perspective, you can absolutely, if you're doing your screen grabs, you can hash your screen grabs. You can screen record your investigation to show that you are discovering these things as they're occurring and make sure you have that original provenance. You can grab the HTML and the source code of the pages that you're looking at to try to document that.
But all of that comes down to really good documentation. I will shout out for Ritu Gill, if you've never either heard of her or worked with her, she is the founder, I believe, of Forensic OSINT, which is kind of like a parallel to Forensic Notes with Rob Merriott. And Forensic OSINT allows you to have a Chrome browser plug-in where it'll capture and hash and validate some of that stuff for you. So as far as the evidentiary capture, that is something that's being done and being dealt with. And she's a rock star in that area. The tool does a really great job. But as far as validating the information behind the scenes, that's where things get a little scary.
What we see is that most OSINT practitioners and most people that are teaching or even the books that talk about how you do OSINT methods, they have you rely very heavily on subjective judgments. A great example that I referenced in one of my research areas was one of the authors of these books had said, well, you know, there's two people's names in the email address. So that's a good indicator that they're married or it's a couple's account and they share this account. That is a huge, huge subjective leap to make.
Jessica Stutzman (08:14.134)
Now, if you have a number of other pieces of evidence from other areas that support that, okay, maybe that's a little bit more likely. But subjective judgment is a huge factor in OSINT. And it is not something that gets addressed and not something that gets trained for people to know. That gets even riskier when you start using automated tools and systems, which are phenomenal for digging through data really fast. But then you run the risk of, how does this tool work on the back end? If it's a black box tool,
You don't know where the data came from to begin with. You don't know whether it was trustworthy data, right? If somebody just made a typo and now they've associated this person to a second social security number or something like that. So there's, there's a lot of challenges in OSINT data validation. And I will not put the spoiler alert out just yet, but I have built a framework with my research of what we see, what is governed and what happens in the field when we have good identity resolutions that are successful and ones that are not.
And we pulled all of those together to form like a best practices framework. And as soon as my dissertation is done, I'll be publishing that out for everybody.
Justin Tolman (09:21.912)
That's awesome. We'll be on the lookout for that. I kind of feel like the subjective aspect would be, do I like subjectiveness is probably good in the initial building of your investigation and looking for new stuff, but then you need to move into a more objective mindset when you come to the reporting and kind of deliverables section. Would that be fair in that? And my interpretation of your response.
Jessica Stutzman (09:46.967)
Yeah, no, 100%. And that's the challenge, right? You've got people, one, OSINT is a really cool intelligence discipline. I love HUMINT, I'm a former HUMINTer, and so you hear all this inter-service rivalry between the INTs, but OSINT is the one that is kind of global. It is in every industry. It's not just in the intelligence community. It's in law enforcement, it's in private sector, it's in NGOs, it hits all of these areas. And every single one of those disciplines
has different requirements, like every area. So with the IC, you have to have sourcing. ICD 206 and ICS 206-1, which is specifically for OSINT and PAI, they give you very clear requirements on what you need to put in your report for where you got something.
But that doesn't mean that you need to capture it and archive it and hash it and have it for evidentiary purposes. Because 99 % of IC work is not something that's ever going to go to court and ever going to have to actually be judged at that level. It's really more for decision making.
Now, if you're in the law enforcement side of that and you have all of these subjective analyses of how you got to things and how you made determinations, and then you have to go and defend that in court, that looks an awful lot like bias if you don't have the hard data to back it up, right? And if you don't have all of the material and if that material has not been captured and documented properly. So it's very, very risky, depending on what area you're in.
Now, analytical judgment exists and it is one of the greatest things about analysts when they're doing reporting. And there's some interesting divisions between, you know, in some areas you'll have people who do the OSINT collection and there's a little bit of analysis and collection, right? You have to kind of follow the leads, interpret those, document them and put a report together.
But there's some places where they then have a third party do analysis on that material to see if this really holds up, if the logic is sound, if the, you know, evidence is really there or if this feels like a number of jumps. Unfortunately, that is few and far between with where that actually occurs. And that's not always the best situation anyway, because there's context that may be missed. Now, that can be very helpful for like reporting and documentation processes, doing your writing and stuff like that. But there's just a lot of risk there. So one of the biggest concerns I have is that subjective judgment when we go to court and when we see things like that.
Jessica Stutzman (12:08.91)
And historically, we haven't seen–15 years ago or 20 years ago, that was when forensics started getting dragged into court very often. And that became a lot of precedential things for us. OSINT is starting to have that experience. Within the last five years, there's been very kind of peppered in cases of people who have had law enforcement search different systems and it gives them a set of data and then they take that data to court. The company won't testify to support it. They can't justify it. They can't explain where it came from.
There's no other evidence except for what that tool said. And that has let people walk on possible convictions when there's other evidence to support them. But because that initial data was either tainted or not able to be supported or verified, it got thrown out. And now everything else is that fruit of that poisonous tree that was discovered after the fact. I don't even remember what your question was, but I'm not sure if I answered it. But I will go down a lot of rabbit holes, so I'm just going to pause there.
Justin Tolman (13:05.986)
Well, I was enjoying the ride, so I don't even know if it matters what question I asked. The one thing I thought of during that though was it really feels to me that the way that we write reports, if we're going to use open source intelligence needs to change because you're going to be writing like a forensic report can be this artifact said this, you know, kind of I'm over.
Jessica Stutzman (13:33.836)
Very cut and dry.
Justin Tolman (13:34.926)
But it's very cut and dry. Whereas with an OSINT report, it almost seems like you'd be writing a story, you know, a nonfiction narrative of what happened. And that could be a shift.
Jessica Stutzman (13:48.993)
Yeah, there's definitely a piece of that. Something that I also encourage everybody to do is if OK, so, you know, if it's for a legal investigation, right, you have evidence and documentation that you can support with other areas, right? You can validate that this phone number was from this phone that we confiscated from this person. And this phone number was linked to register to a social media account. And that social media account, you know, sent signal pings at the same time that he posted a tweet. And we had his phone there at the same time the Twitter account was, right?
So that tells us that he was actually in that place. And now you're like 99 % likely that he was there, right? That's always a piece of struggle that we have in forensics is can you put the person behind the device or behind the keyboard? That exists very much in OSINT as well as a challenge because again, it's their account, but how do you know they don't share their credentials or have like a social media manager when you're an influencer and stuff like that. So that's a big challenge.
And what I always recommend is if you are not sure about something, if you cannot 100 % say with certainty, you need to have a disclaimer there that says, look, these are the pieces of evidence that support this, and these are the pieces of evidence that do not support this. Now it is up to you to make your decision there. That exculpatory material is probably one of the most critical things you can put forward. And that's in any law enforcement investigation, because one, it shows the honesty and the integrity of the investigation. OK, well, they said these were definitely correct.
These definitely were not, let's see what we can do and let's find other sources of evidence, right? OSINT is wonderful because it can give you leads across all of these other areas where you can then go follow up and get more material. If you think that the guy was standing there on the corner and you got the tweet at the same time that the signal ping happened and you were able to correlate that with both commercial telemetry data and a warrant or a subpoena request or something like that, that's really great.
But if you're not sure and you didn't get any other signal pings, maybe now you know that time it was posted and you think you know where he was. Maybe there's a camera on the street corner where he happened to be walking and you can get that and triangulate that lead from there, right? It's really, really great for lead purposes. And sometimes you get that like home run where you knock it out of the park and you get everything there. January 6th, great example, right? People live stream themselves on camera going into the Capitol and then posted it on their social media feeds.
Jessica Stutzman (16:12.266)
It doesn't get more 100 % confident case closed than that. But unfortunately, that's not always the case because a lot of our bad guys do get smart pretty quickly about this sort of thing.
Justin Tolman (16:24.334)
This really requires a lot of out of the box thinking of how to approach things. And you mentioned putting the person behind the keyboard, which is a common phrase in forensics, of course. But I think Brett Shavers kind of co-opted it with his book. And now every time someone says that, I think of his book. But yeah.
Jessica Stutzman (16:44.928)
He's doing fantastic work. There hasn't been like that much really good published research and documentation like that that's approachable in a long time. And I think he's crushing it. He's doing a great job.
Justin Tolman (16:56.832)
Love it. Love, love the book, love his stuff. And in that he talks, I don't, he's not really talking about open source intelligence, but he talks heavily about opening your mind to like, think about how you use a computer, how people use it. How do you go about your day? Because like you said, is there a camera? Do you, you know, where do you stop? Where do you hop on? Have you connected to the Starbucks wifi? Like what are the types of things that people do as they go about their life?
And that kind of leads me to, it's an oversimplified question. So I'm going to use poor vocabulary, but, in the age of 2026 where digital information is running rampant, we just create so much information about ourselves and honestly others. Is open source getting easier or harder to utilize as evidence in these types of things? And my poor choice is easier because that's such a wild word, but.
What are your, what's your feel, your research in the increase of data making it easier or harder to work these types of things?
Jessica Stutzman (18:09.526)
Yeah, so it's a little bit of both, right? In some aspects, it's easier. In some aspects, it's harder. And I hate to be that person that waffles and is like, well, it's gray. There's no answer. But this is kind of one of those situations. It's harder when we think about things like mis-, dis-, and malinformation and bots that are just spamming and flooding all of these sources where we would normally be able to look and to filter and to sort through things. So in that regard, it can be very difficult because the speed of deepfakes and AI-generated content and coordinated mass disinformation has definitely gotten bigger and it's made it really hard.
On top of that, we also have platform access restrictions that are getting more and more strict and harder to get into. In many places, and this will depend on your jurisdiction and what your permissions are, most investigators can have sock puppet accounts. So your undercover account not to engage, but to observe the environment to find what you need and be able to search for what you need because you can't search on Facebook or view things on Facebook or you know in Instagram or X or a lot of these places without having accounts, right?
Five years ago, ten years ago, that wasn't the case. You could see anything anywhere basically at any time and search and do a lot of great things with it. So that platform access is shrinking and getting smaller. Privacy concerns and constraints are making that harder to collect even regular other types of data like the commercial telemetry data of ad ID.
If you're not familiar with that, we can do a whole nother episode on that at some point, because it's way too much of a rabbit hole. But things like GDPR and the CCPA, the California Consumer Privacy Act, those types of regulations are making it harder for the data to even exist, let alone for us to go out and find it. AI has also, of course, accelerated just the speed with which people can do bad guy things.
And so they're trying to outpace us and they absolutely have because when you're doing OSINT in support of, you know, IC or law enforcement or really any professional organization, you are limited by laws and policies that you have in place. And a lot of the time they cannot keep up with the landscape, especially when it changes this quickly. The government specifically probably conservatively three to five years, but that's being very generous. We're probably looking more at like five to 10 years behind in the policy landscape.
I mean, OSINT has been around since 1941 when the FBMS was first stood up and we only got the first like real PAI guidance for sourcing a couple of years ago within the last two years. I can't remember if it was 24, 23 when that came out. So don't quote me on that. Now that's the hard side. The easier side, which has been really nice is that the volume of information has never been higher.
Anything you can think of that you would have done on paper before is digitized. You can create your notes. You can network on platforms that you would never think to network on, like Zotero. It's an organization. It's a system that we use to organize citations and sources. You can share that with your colleagues and your classmates. So if somebody knows to go look at a Zotero breach, they can see all of the people you've been affiliated with because you share an organization of like, citation and nerd stuff.
Data brokers have also just made a ton of this information really, really easy to access. Now, a lot of that sometimes there's a commercial data purchase access to that that you would have to have, but some of those are free. And you can get a couple of searches a month from certain platforms because they'll give you that little teaser of good data and then you'll hopefully pay for an account. So a lot of that has gotten really easy.
Tools have blown up and that is both easier and harder. Like I mentioned earlier with the validation, you don't know where they're getting their data. So you don't know if it's good or bad. You have that kind of old phrase that like crap in, crap out, right? If it's a bad data source and you just don't know, you're gonna get results and you're not gonna know if they're true or not. So many people, I think I saw a LinkedIn post this morning and I can't remember who it was. So if it's somebody that's listening, you have the credit. I don't remember.
But they had said something along the lines of like, with how easy it is to program now, every other day somebody is creating a new like Intel dashboard that's out there that anybody can use. And people are logging in and using these having no idea who they belong to, what they're doing on the backend, how much data they're collecting about you and whether they're even accurate or not. And if they're saying, Hey, we have an API to pull data from Facebook. Okay, cool. But how do you know it works? And is it easier to use that tool or is it easier to just go search it yourself manually? You know, so a lot of this stuff has gotten easy and
Jessica Stutzman (22:47.266)
You know, with how easy it is for us to communicate and network and do things like this, podcasts and videos and, you know, learning platforms, it is so much easier to get started and start learning and jump in and get into the field of OSINT than it's ever been before, which is super exciting.
Justin Tolman (23:03.264)
Absolutely. Have you seen, and I'm putting you on the spot here, I'm opening it up real quick, the paper released last month called Large Scale Online De-anonymization with LLMs?
Jessica Stutzman (23:20.866)
I did actually. I've read the abstract at the front and then I kind of skimmed. I use an app called Todoist. It helps me track everything. So I've actually got that article in there. Planning on doing a LinkedIn post kind of on that in the near future here. Fascinating stuff and could be very, very useful. Just like when, was it the MD5 that they were able to collide with in a lab, but only in a lab and never in the real world? It's important to remember that
What happens in a lab can be very dramatically different than the real world. And I haven't dug into the methodology and the exact processes that they've used yet, but this is kind of where we're at. It is going to get easier and easier to de-anonymize people. If you think about cryptocurrency and the blockchain, Bitcoin was supposed to be anonymous, or pseudonymous at least, unless if you didn't identify yourself. But the longer the blockchain exists, the easier it is to de-anonymize people.
And I think we're going to see that same thing play out in a number of other areas of the internet where the longer something exists, the more breaches there are, the more PII that exists for other people to support and identify methods to work around those. And the easier it's going to be to have large language models that can parse through things and look for very specific nuance things and hallmarks like tone of voice and how you write. You know, if you use the same like catchphrase over and over again in your writing, it's going to be easier to parse through all of that and make connections where maybe people had never made them before.
Super cool article. I can't wait to dig in a little bit further and actually get into the details and see exactly how they were doing it. But that one definitely caused a lot of, I don't know if it was controversy, but the first couple of comments I saw, people were really back and forth about how they felt about that and what it really means for the internet and how we're moving forward.
Justin Tolman (25:10.486)
Not we won't go into the methodology because you're right there. It's very lab oriented and they did that for ethical purposes. Everyone can go out and read it.
Jessica Stutzman (25:16.81)
Right. You kind of have to in a research environment like that, which is it is both good, but it is also something that slows us down with this type of, you know, tradecraft.
Justin Tolman (25:20.365)
For those who haven't read it, the TLDR is that, like Jessica said, if they have, if you have a LinkedIn account that's public or semi-public, like most LinkedIn accounts are, they can take your posts, analyze how you write things, and then go to, their example is like Reddit, and even though on Reddit you're user one two three four five, match the semantic analysis using LLMs and identify your anonymous Reddit account based on the way that you type, as well as some context clues. Like if you mention a beach you like going to often on the weekends, they're going to assume you live somewhere close, that sort of thing, and match it.
It can turn into pretty powerful stuff, and the re-, this has been around for a long time, Jessica, you know for sure, but for anyone listening, it's been around for a while. But what LLMs have done, and you kind of implied this, is it sped it up. Like, that's really it. We're putting gas on the fire, putting the pedal down, and LLMs allow you to do that semantic analysis across huge data sets insanely quick, whereas it would take someone forever, if ever, to do that type of open source comparison across those vast data sets. So it is going to prove kind of interesting going forward. They reference a zip code research that they did where, if you had the zip code and the birthdate, and you could throw in gender in that as well, you could take a medical hack and compare it to voter records and narrow it down to two people based on, you know, and so it's just kind of interesting to see this type of data and this type of research happening. But one thing we got to keep in mind, like you said, in the lab versus in reality and the locks and the different things, but some stuff to keep in mind and keep an eye out for, for sure.
Jessica Stutzman (27:33.879)
I think a lot of people, I think where people kind of think, hey, this is really big and scary. It's a little bit overblown because I'll say 99 % of people are just not targets for any of this type of stuff. Everybody worries, you know, and there's like the tinfoil hat crowds and stuff like that. But I could say that unless you're doing something really crazy, most people are not interested in you.
So they could do it, but the amount of manpower that it takes or the computer power at this point and processing to do that for individual people is probably going to be reserved for like your big bad guys or some like very interesting celebrity type things like crazy stalkers and stuff like that.
That is not going to be an issue for 99% of people. So I don't want people to get scared when they hear that like, my God, they knew who I am. Maybe shitpost a little bit less. I'm so sorry, I shouldn't have cursed. But if you're that worried, maybe.
Justin Tolman (28:25.678)
No, yeah, no, it's really...
Jessica Stutzman (28:29.856)
Maybe don't do as many anonymous things that you probably don't want to stand behind confidently.
Justin Tolman (28:34.008)
Yeah. Yeah. And I don't want to minimize the privacy aspect of it, but I think that is actually a fantastic takeaway on one hand is that, you know, and again, I'm saying this tongue in cheek. Maybe the de-anonymization of the internet can have some slight positive effects to our discourse on the internet. Because I don't think we need to tell anybody that the anonymization factor of the internet has led to some, let's say, unruly discourses.
Jessica Stutzman (29:07.884)
It could certainly be a far more respectable place with a good anonymity or de-anonymization method. Yeah.
Justin Tolman (29:13.614)
Yeah. But again, both of us caveat privacy, all that sort of stuff. Okay. Yeah, definitely. One thing I want to switch gears just a touch here. But a lot of people, when OSINT is mentioned, they think, well, depending on who you are, you may think like spy level stuff or government organizations or down to police but
Jessica Stutzman (29:18.882)
Yes, very important.
Justin Tolman (29:39.934)
I think there is application in various other areas, specifically corporate situations, internal investigations, or those types of things, litigation. Have you had any experience in applying it to corporate investigations and those types of things as well?
Jessica Stutzman (29:57.175)
Yeah, yeah, so I've been lucky to be able to work in law enforcement, the IC and the private sector and kind of do a lot of things in those spaces. So non-traditional OSINT, you really just have to be creative in how you're thinking and how you're applying it. Obviously, we've got the IC, we've got the law enforcement areas.
When you're looking at corporate, there's stuff like competitive intelligence, fraud detection and investigations, brand monitoring and reputation identification. I've consulted in the past on a few organizations that were trying to break into a new country, like with their business, and somebody had actually been using their brand in that country for a number of years already that had stolen it. And now they had a terrible reputation there. So they were having just the hardest time getting permission to move into that country. And preemptive or proactive monitoring of that and resolution that could have allowed them to solve that much faster. They did not know about any of this until they started applying to go and put some infrastructure in that country, which is just terrible.
So those are really interesting ways you can do that. Also, pre-merger and pre-acquisition, due diligence for other company purchases and mergers. I think something people tend to forget about is things like executive protection. Your celebrities, your football players, and your influencers and things like that, their OSINT can be very, very useful for reviewing the threats that are coming in, but also the opposite side of that, reviewing what they're posting and what their footprints are to help protect them better, because a lot of people overshare or when you do put that whole picture together, you've shared more than you thought you did over a lifetime and it can be used to find you.
As far as like NGOs and humanitarian stuff, you can use OSINT to monitor peace agreements between nations. Did they really both stop cyber attacking each other? We can take a look at that and see what some of that is.
I think there's a lot of fun stuff you can do with those too. So if you want to practice, if you want to train, but you don't have a role and you haven't been able to get in with any of the organizations that do the great volunteer work, genealogy and family research, super interesting way to approach that. You can get online and look back and find UN records from the 40s and the 50s of people migrating all around the world and help people trace back ancestors and look for historical documents. A lot of...
Jessica Stutzman (32:19.362)
Like your physical libraries do have digital genealogy areas, but they also have paper ones. And people always kind of defer to the internet as the only place for OSINT, but it is far more than just the internet. You do have all of those things like journals and trade publications, government hearings, local hearings, records and things that you can only get in person too. Sports analytics and scouting. That's another great one for social media.
Do you want to draft the most important guy on the field? Cool. But let's see what his social media footprint looks like, because do we really want him to bring the brand down? Right.
Unfortunately, I'm a lifelong Tampa Bay Buccaneers fan, and we've had some challenges with players who have done some dumb things and, you know, said some stupid things on the Internet. And that reputation has kind of followed them and made the Bucs not look so good. If any of you are doing online dating research into the person that you're trying to go on dates with, are they actually who they say they are?
That's not just keeping yourself safe. That is making sure that you can make a good decision and action that, and I'm either going to go on the date or I'm not, based on what I can find about that person. There's game communities, journalism, all kinds of reporting, missing person searches, pet searches, like if your pet runs away, knowing where people share some of that community information and being able to go get it, that's a really useful thing to do too.
Yeah, there are so many really cool applications to OSINT research if you just think creatively. And I'm not saying the int, right? The OSINT, the int part of the intelligence, right? But when you apply the methodologies and the techniques that we use, it really can apply to just about every field that you could imagine.
Justin Tolman (33:59.702)
And I think the int still applies, whether it's legal intelligence or just, you know, decision making intelligence, it's super important to.
Jessica Stutzman (34:06.636)
Yeah, you can definitely use that for just personal decisions. That's still actionable in my mind.
Justin Tolman (34:12.331)
Absolutely.
So one thing I want to touch on and we may have touched on it, but how do you glue? Let's, let's stick with forensics a little bit, but like I have a, I have a computer, a phone and a tablet, right? And I'm analyzing these things and I find that nugget that leads me into the open source world to look for stuff. How do I meld those back into a cohesive case that makes sense? Like what are some of the tips there for making sure that these two play together in a way that's going to help me in my case.
Jessica Stutzman (34:52.056)
So I think a lot of the reporting is going to come down to what your agency requires. And I know a lot of places have templates and very structured ways of reporting. I've seen this happen in a couple of different ways. The first is that you do your full forensic reporting. You do all of your technical stuff, all of that documentation. And then you have an area for you to actually describe and talk about the investigation.
Before you do that, I would maybe add another section in there for all of the OSINT work and say, hey, as referenced on this page, we found this many emails from five different people that we don't know who they are. And we pursued identifying these emails with these specific techniques. And then you detail your investigation. You have all of your screenshots, your hashing, and all of that kind of stuff embedded. And then you can kind of do your final narrative where you put it together. Of course, the other side of that is you can weave it in.
But if you're in a court or dealing with a system that maybe doesn't have as much confidence in the OSINT stuff, you may want to not weave that in because that's honestly probably a lot of rewriting. I think every case also will probably, again, every forensic case is a little bit different anyway, but every case is gonna be a little bit different with how they weave together. And you may wanna just have an attack, maybe you don't get anywhere with those emails, right? Maybe you find out that they're in groups together and they do all this stuff and they're active on these platforms.
But that doesn't help you with the specific case you were working to begin with, right? Maybe those are leads for another case. So maybe that is like an annex or something that you can attach to that. Hey, this is what we found. He's clearly active in these chat rooms doing XYZ bad guy things. And here's some other people that he's involved with, or at least email handles and usernames that he's involved with. We can follow up on these in other investigations maybe.
In any case, if you're doing that, you want to get that uploaded into some sort of system of records so you can search for those and when other things come up. And that's another really huge piece in OSINT too is it might not be there today, but that doesn't mean it won't be there in six months. So if you have a case that's still open or you haven't closed, go back and check every once in a while. Not that our law enforcement officers, nobody has the time to do that kind of stuff, right? But if it is like a high profile thing, check again in like six months or so and see what more information you get.
Jessica Stutzman (37:12.266)
With OSINT reporting, again, it's really important to explain where you started, how you got there, what that process is work, like what the processes were and how you jumped across. Because the most important thing with legal defensibility is making sure that what you are putting out can be traced and documented and potentially reproduced by somebody if they need to. Now, everybody knows that the Internet is not static. But again, if you at least have the documentation that it was there that day, that's very, very helpful to have. And that doesn't mean that it will get thrown out just because somebody can't do it tomorrow.
I felt like I'm bouncing all over again.
Justin Tolman (37:46.892)
No, that was right on. I want to ask you, so I'm in my case and I go through those kind of thought processes that you're talking about. Would a safe piece of advice be, okay, I'm in my case and I want to go search some open source, whether it's the Google plugin you talked about or screen recorder, either way, it almost seems like start recording then even if you don't find anything, just delete the footage or not, but either way, just get that early because what you don't want to do, and this is a thought that keeps popping to my head as you talk about these things is I don't want to find something and then realize, I need to start screen recording now.
Like, well, just if you're gonna go online and start working for that stuff, start recording, record all your stuff. And if you don't find anything, you can cross that bridge. But if you do, at least then you have your full chain. Would that be a safe recommendation or is there any negative side of that to that?
Jessica Stutzman (38:45.73)
I mean, the only negative side to that is it depends on how deep you go in that rabbit hole, how long that footage is, and that may slow your system down. But no, I think that's a really great approach, especially if you're using other ways. Like Hunchly is another great product to help screen record or screen grab and hash things for evidence. I think you touched on something really interesting there, though. You said, if I'm doing something and I want to go follow an OSINT rabbit hole, and then if it's not relevant or I don't find what I'm looking for, I'm going to go delete it. I would probably not do that, because if you're partway through an investigation, you don't know what's relevant just yet.
So what I would probably do, and I'm somebody that I like time blocking, so I like to do batch things together. So if I'm doing a forensic case, I'm going to get all of that done first, and I'm going to note take all of the leads that I have for OSINT to follow up on after the fact. That's going to allow me to be fully aware of everything that happened in that device that I'm examining and all of the stuff that supports that.
And then now I've got Excel sheets to organize all my leads. So I'll have the name, the alias, social, phone numbers, email addresses, addresses, all of those kind of PII identifiers that we would use to search. I keep them separately. And then when I finish all of this, I go, OK, cool. I have this big picture. I've got some questions. I've got some gaps. Now let me do OSINT research with all of these things. And maybe that'll fill some of those gaps in. And maybe it'll start to make sense and be more cohesive.
That's just my approach, because that's just how my brain works. I like to get that one big thing done at a time and then follow that lead. A lot of people will do that back and forth. But if you're doing that again, I would not delete or get rid of anything or think that something is not relevant until you finish the entire case, all of your OSINT research and all of your forensic exams just to make sure that there's not something that correlates because I've definitely had it before where I'm like, OK, this isn't relevant.
Or I saw some person that we were we were looking for some, I can't even remember what the case was, we were looking for some kind of a suspect. And I saw a guy and I'm like, oh, well it says it's this, you know, it's tied to this kid, but he's like 17, he doesn't look like a criminal, it's whatever. I'm like, this can't be the guy. Two days later, that was in fact the kid running this like ring of things. And one, that was a bias issue for me, cognitive bias, thinking like, oh, young upstanding citizen, teenager, definitely not old or qualified enough to do this kind of bad guy activity.
Jessica Stutzman (41:05.708)
So that was a very early career cognitive bias check. And that's part of why I'm so supportive of analytic skills and things that you have to do as an investigator. But also, I didn't know that that was relevant two days prior. And if I had, or if I deleted that, it would never have taken me back to really confirm that he was the guy. So definitely hang on everything until the end. Yeah, I mean, really reporting, structuring, investigating, it's kind of whatever works best for you.
And like your attention span too, because I know some people, you get into, you listen, you start going down rabbit holes, all of a sudden it's like nine hours later and it's dark out and you haven't eaten two meals and nobody knows where you are. So, you know, it's really kind of a personal thing.
Justin Tolman (41:48.854)
That bit of a tangent, that's my mom. She loves doing non-lead, just like somebody will say, who is this person? And then all of a sudden, three hours later, she's like, I found them. And she's been on social media all day searching and yeah. Apply that to an investigator. And yeah, you're talking days now and they forgot what, you know, now they forgot what day it was. So.
Jessica Stutzman (42:05.472)
Amazing. That's fantastic. Listen, it works.
Justin Tolman (42:17.454)
Okay, so we have covered a lot of stuff and we I have to get you back on for like we should just promote a series once your doctorate is done because I that sounds really interesting and you've touched on a lot of things that now I've got to go research and I'll forget what date is but if you had to close up here at the end with kind of a suggestion or how to get started or what to look for as a conclusion, what would that be?
Jessica Stutzman (42:48.238)
If you're interested in getting started in OSINT, there's kind of two things that I always recommend. One is train and learn whatever you can, wherever you're interested. Not every area of OSINT is the same. And there are people that are maritime OSINT experts, like Rae Baker, she wrote the book Deep Dive, cannot recommend that enough. That's her specialty. She did cover a lot more than that, obviously, in the book, but that is what she's known for.
There's cryptocurrency, there's the dark web and if you've never done the dark web, just learn first before you touch it just to protect yourself. But it's really not that big and dark and scary. I think it's kind of overblown. But there's cryptocurrency, there's social media, there's all these different areas of interest for people. There's aviation tracking. I mean, some of the stuff I see in flight spotter groups are mind blowing with how much knowledge these civilian non-aviation personnel have. So figure out what it is that you like.
And follow and learn that first. And then you'll continue to learn more as you branch out from there. When we're talking about education and just fundamental knowledge, know how to get it on your own first before you start relying on all of the tools. Again, that is how you know whether the tools are working or not. If you don't know where data comes from and how it comes into existence and how you would find it on your own, you don't know how to double check that the tool is correct if it gives you an answer or if it doesn't give you an answer.
And you don't know how to validate and verify that for it to hold up wherever you're looking, right? And so that's kind of the first piece. And then while we're talking about training, there are some certifications out there and they're good, but I would not hang your hat on having to have a certification if you want to get into the field. 99% of organizations are not requiring a certificate or a certification of any sort to start a job.
Now, if you're looking at things like the DOD, they're going to look for like, OBC their OSINT basic course or like OS 301 302. Those are kind of your limitations like where that's like the one time you can't waive that but private sector all of the other industries they want to see that you can do the job. They don't necessarily care about certifications. So if you're looking at a SANS certificate and it's there's phenomenal training. I cannot speak highly enough about them, but it's very expensive. Do not let the financial aspect be a hurdle to learning because
Jessica Stutzman (45:10.21)
There are so many places where you can get really great free education that doesn't cost you $9,000 or $10,000. And again, that's not discounting. They're so valuable. They're really, really good at what they do. But they're just out of affordability for a lot of people. So don't let the budget hold you back. Don't let the, I didn't get a certificate, hold me back. Do what you need to do. Get into the free communities. LinkedIn's great. Discord is great. Reddit even has some decent, interesting OSINT chats there sometimes.
And make friends and network because the networking you can do is the best thing. Everyone, like I said, is going to have their own specialties and their own batches of knowledge. And you never know when those are going to be relevant or come up. If I have an art case, there's a guy that I call because he used to work on the art scene in New York. And that is my go-to art guy. And you never think, I need an art guy. You never think, I need a bomb guy. But when there's a pile of wires in a photo, you're like, let me send this to the bomb guy just to make sure that I know what I'm looking at and that it's not a bomb.
So I think those are probably, I don't know if that really sums anything up, but you don't have to have money to get into OSINT. You just have to have passion and be curious and want to learn. And that learning really never stops.
Justin Tolman (46:19.534)
Yeah, that's the important thing for forensics or any investigative work. Be curious and continue learning because technology as well. Oh, and not to talk about AI in every single thing, but it's only accelerating it because it's just, oh, I want to create this thing or change this thing and AI will just do it for you. I mean, let's be honest.
Jessica Stutzman (46:29.985)
It changes every day. It will. It may do it correctly, may do it incorrectly, and it may do it with gaps and holes, but it'll do it.
Justin Tolman (46:50.316)
Yeah, exactly. Jessica, thank you so much. And I do want to get you on after you finish your dissertation, because that sounds super awesome. And let's talk about it, especially the framework you're developing. But I want to thank you again for jumping on and talking with us. It's always appreciated. I love your work.
Jessica Stutzman (47:10.892)
Yeah, absolutely. It's been a pleasure. Thanks so much for having me on.
Justin Tolman (47:15.214)
All right, thank you.