Key Takeaway
Open source intelligence investigation software collects and organises publicly available data — domain records, IP data, social profiles, and more — into a structured case for analysis. Tom's OSINT Workbench is a free portable Windows desktop tool that does this offline with no account required, covering seven public data sources and storing all case data locally in SQLite.

Last updated: May 2026

Open Source Intelligence Investigation Software: What It Is and How to Use It

Open source intelligence — OSINT — is the practice of collecting and analysing information from publicly available sources to build actionable understanding of a person, organisation, domain, infrastructure, or event. The term "open source" here has nothing to do with open source software. It refers to the fact that the intelligence is derived from open, publicly accessible sources rather than from covert collection, intercepted communications, or classified databases.

OSINT is used by law enforcement agencies, cybersecurity teams, journalists, private investigators, corporate due diligence professionals, fraud analysts, and researchers. It is one of the most accessible forms of intelligence work because the underlying data is public — but gathering it systematically, organising it effectively, and drawing defensible conclusions from it requires the right tools and a structured methodology.

This guide explains what open source intelligence investigation software does, what it should include, and how Tom's OSINT Workbench delivers a capable, free, offline investigation workflow for Windows users.

What Is Open Source Intelligence

Open source intelligence draws on a wide range of publicly available data sources. Domain registration records (WHOIS and RDAP) reveal who registered a website, when, and through which registrar. DNS records expose the technical infrastructure behind a domain — its mail servers, name servers, and associated IP addresses. SSL certificate transparency logs show every certificate ever issued for a domain, often revealing subdomains and historical hosting patterns. IP geolocation data identifies the country, city, ISP, and organisation associated with any internet-facing address. Social media profiles, public posts, and account metadata are all open source. So are public GitHub repositories, Reddit accounts, company registration records, and a vast range of other digital footprints.

The challenge is not accessing this data — most of it is available through free APIs or public web interfaces. The challenge is collecting it systematically, linking disparate data points to one another, and maintaining an organised record of what you found, when you found it, and what it means in the context of your investigation. That is what open source intelligence investigation software is designed to do.

What OSINT Investigation Software Should Include

Not all tools that claim to be OSINT platforms are equally useful for real investigative work. The features that actually matter in practice are case management, multi-source data collection, entity linking, visual analysis, and exportable results.

Case management means the ability to create discrete, contained investigations. Each case should store its own entities, relationships, notes, and findings separately from other cases. Without this, investigations bleed into one another and findings become difficult to attribute correctly. A good case management system also maintains an activity log — a record of what data was collected, when it was collected, and what actions were taken during the investigation.

Multi-source data collection means querying multiple public data sources from within a single tool rather than switching between browser tabs, copying data manually, and losing track of where each piece of information came from. The most valuable public OSINT sources cover domain registration, DNS, IP intelligence, SSL certificate history, internet-facing device data, and social platform data. A tool that integrates these sources and stores results against specific entities dramatically accelerates the investigation workflow.

Entity linking is what separates investigation software from a search tool. A search tool returns data. An investigation tool helps you understand how data points relate to one another. When a domain lookup reveals an email address, and that email address appears in a Reddit profile, and that Reddit profile links to a GitHub account, those connections are the intelligence. Software that makes those connections explicit — and lets you map them visually — is where real investigative value is created.

Visual analysis matters because human cognition handles spatial and relational information far better than lists. A node graph that shows entities as points and relationships as lines makes the structure of an investigation immediately comprehensible in a way that a data table never can. For complex investigations with dozens of interconnected entities, a graph view is not a nice-to-have — it is essential.

Exportable results matter for professional investigators who need to share findings with clients, managers, legal teams, or colleagues. An investigation that lives only inside a proprietary tool that requires a licence to open is a liability, not an asset.

Tom's OSINT Workbench profile tab — entity data collected from public sources

Tom's OSINT Workbench as Investigation Software

Tom's OSINT Workbench is a free portable Windows desktop application built around the investigative workflow described above. It covers case management, multi-source data collection, entity linking, visual graph analysis, and timeline tracking in a single offline tool with no subscription, no account, and no cloud dependency.

Every investigation in OSINT Workbench starts with a case. Cases are stored as individual SQLite databases on your local machine, completely isolated from one another. Within a case, you add entities — domains, IP addresses, usernames, email addresses, social profiles, people, organisations, and custom notes. The tool tracks every action taken against each entity, building an audit trail of the investigation as you work.

Collecting Intelligence from Public Sources

OSINT Workbench integrates seven public data sources that cover the most common OSINT collection requirements. RDAP provides structured domain registration data including registrant details, registration dates, and registrar information. DNS lookups surface A, MX, NS, TXT, and CNAME records for any domain. ip-api returns geolocation, ISP, ASN, and organisation data for any IP address. Shodan queries the internet-scanning database for open ports, services, and device information associated with an IP address. crt.sh queries the certificate transparency log to reveal every SSL certificate ever issued for a domain, including historical subdomains. GitHub returns public repository and user data for any username. Reddit returns public post history and account data.

Each of these can be queried directly from within a case, with results automatically associated with the relevant entity and logged in the case activity feed. This means you never lose track of where data came from or when it was collected.

Domain and Infrastructure Investigation

Domain investigation is one of the most common OSINT workflows — whether you are researching a suspicious website, mapping the infrastructure behind a threat actor, tracking a brand impersonation campaign, or conducting due diligence on a business. OSINT Workbench provides dedicated domain support including RDAP lookups, DNS record collection, and certificate transparency queries.

Tom's OSINT Workbench domains tab — domain investigation and DNS lookup results

The domains tab organises all domain-related entities and their associated data within a case. When investigating a network of related domains — a common pattern in fraud, phishing, and impersonation campaigns — the ability to add multiple domains to a single case, query each one, and link them through shared infrastructure like IP addresses, registrant emails, or name servers is essential. OSINT Workbench handles this workflow natively without requiring you to copy data between multiple browser tabs or external spreadsheets.

Social Media Intelligence

Social media is one of the richest open source intelligence sources available. Public profiles, post histories, follower networks, and metadata can reveal an enormous amount about an individual or organisation — their locations, associates, activities, interests, and online behaviour patterns. Social media intelligence, often abbreviated as SOCMINT, is a core component of most modern OSINT investigations.

Tom's OSINT Workbench social tab — social media profile and account intelligence

OSINT Workbench's social tab organises social profile entities within a case. It integrates with Reddit's public API to collect account data and post history, and with the broader entity model to link social profiles to domains, email addresses, usernames, and other entities discovered during the investigation. When a Reddit username matches a GitHub username which links to a domain registered with a specific email address, those connections are the intelligence — and OSINT Workbench's entity model makes them explicit and navigable.

Who Uses Open Source Intelligence Investigation Software

The audience for OSINT investigation software is broad, but certain use cases are particularly well served by a free, offline, Windows-native tool like OSINT Workbench.

Cybersecurity analysts use OSINT routinely for threat intelligence, incident response, and attack surface mapping. When investigating a phishing domain or a suspicious IP address, the ability to quickly pull RDAP, DNS, Shodan, and certificate data into a structured case — without sending queries through a commercial platform's servers — is both faster and more operationally secure.

Private investigators need tools that leave no cloud footprint and produce documented, reproducible results. OSINT Workbench's local-first architecture means case data never leaves the investigator's machine, and the activity log provides an auditable record of every data point collected and when.

Journalists investigating organisations, individuals, or networks use OSINT to map relationships, verify identities, and build evidentiary foundations for stories. The entity linking and graph features in OSINT Workbench are well suited to the pattern-recognition work that investigative journalism requires.

Fraud analysts and due diligence professionals use domain, corporate, and social data to verify the legitimacy of counterparties, identify related entities, and surface red flags before they become expensive problems. OSINT Workbench's multi-source collection and case export capabilities fit naturally into a due diligence workflow.

Individuals conducting privacy audits of their own digital footprint — checking what data is publicly visible about them across domains, social platforms, and public records — can use OSINT Workbench to run a structured self-investigation rather than a disorganised series of Google searches.

Is OSINT Legal

Open source intelligence collection from public sources is legal in most jurisdictions. The data sources OSINT Workbench integrates — RDAP, DNS, public IP data, certificate transparency logs, public social media APIs, and public GitHub data — are all explicitly public. They are designed to be queried and are governed by their respective platform terms of service rather than privacy law restrictions on public data.

That said, what you do with collected intelligence is subject to applicable law. Using OSINT data to harass, stalk, or harm individuals is illegal regardless of how the underlying data was collected. Investigators operating in professional contexts — law enforcement, licensed private investigation, journalism — should always ensure their collection and use of OSINT data complies with applicable professional standards and legal frameworks in their jurisdiction.

Note
OSINT Workbench queries only public APIs and public data sources. It does not access private data, breach data, or any source that requires unauthorised access. All data collected through the tool is from sources designed for public query.

Getting Started with OSINT Workbench

OSINT Workbench is a single portable EXE file. Download it from tomdahne.com, run it on any Windows machine, and create your first case. No installation required, no admin rights needed, no account to create. Add your first entity, run your first lookup, and the tool immediately begins building a structured picture of your investigation.

The full user guide at tomdahne.com covers the complete workflow including case creation, entity management, API configuration, graph navigation, and advanced investigation techniques.

Tip
Start every investigation by adding your primary entity first — the domain, person, or organisation you are investigating — then let the data you collect lead you to secondary entities. This keeps your case structure clean and your investigation logic traceable.

Final Thoughts

Open source intelligence investigation software closes the gap between raw public data and actionable intelligence. The data is public. The challenge is collecting it systematically, linking it meaningfully, and maintaining a documented record of your findings. Tom's OSINT Workbench does this in a free, offline, portable Windows application with no strings attached.

Download OSINT Workbench Free →

If you need to audit a website's technical health as part of your investigation workflow, Tom's Site Auditor provides a full offline crawl and SEO audit for any domain — free trial available.