Tom's OSINT Workbench
Desktop investigation workbench for Windows. Build structured intelligence profiles on people, companies, and domains — entirely offline, entirely private.
Quick Start
This five-step walkthrough gets you from first launch to a working case with entities, relationships, and a connection graph. The full reference for each feature follows in later sections.
Download and run. There is no installer. Extract the zip, place TomOSINTWorkbench.exe and osint-resources.json in the same folder, and double-click the exe. The app runs as a single portable executable with no dependencies.
Create a case. Press Ctrl+N or click File → New Case. Give your case a name and optional description. Choose where to save the .case file — all investigation data lives inside this single SQLite file.
Paste a URL. Press Ctrl+U or click the Paste URL toolbar button. Enter a website URL (for example, a company domain or a GitHub profile) and click Extract. The app will query public APIs and parse the page to build a structured profile automatically.
Explore the results. After extraction, the sidebar tree shows the new entities. Click one to view its properties in the Profile tab. Switch to the Connections tab to see a visual graph of how entities relate to each other. Drag nodes, zoom with the mouse wheel, and double-click to navigate.
Take a snapshot. Press Ctrl+S to capture the current state of the selected entity. You can come back later, re-extract, and compare snapshots to see what changed over time.
You can paste up to 10 URLs at once (one per line) in the extraction dialog. The app processes them sequentially with a review step between each.
Application Layout
The app uses a three-panel layout with draggable splitters. Every panel can be resized by dragging the borders between them.
Left sidebar shows the case tree — your open case at the top, with all entities listed below, grouped by type. Click any entity to select it. Double-click a domain or social profile URL in the sidebar to open it in your browser.
Centre panel is the main working area with nine tabbed views: Dashboard, Profile, Connections, Relationships, Timeline, Social, Domains, Notes & Evidence, and OSINT Directory. Switch between them using the tab bar at the top, the View menu, or the keyboard shortcuts.
Right panel (the detail panel) shows properties and relationships for whichever entity is currently selected. This gives you a persistent reference while working in any tab. You can toggle the detail panel on or off via View → Toggle Detail Panel.
The toolbar across the top provides quick access to case management, adding entities, pasting URLs, taking snapshots, toggling the theme, and opening settings. The status bar at the bottom shows the current case name, entity and relationship counts, and the active mode.
Managing Cases
A case is a self-contained investigation file. All entities, properties, relationships, notes, attachments, snapshots, and graph positions are stored in a single .case file (a SQLite database). You can copy, back up, or share this file like any other document.
Creating a case
Press Ctrl+N or go to File → New Case. Enter a case name and optional description, then choose a save location. The case opens immediately after creation.
Opening and closing
Press Ctrl+O to open an existing .case file. Ctrl+W closes the current case. If you enable Reopen last case on startup in Settings, the app will automatically load your most recent case when you launch it.
There is no separate “save” action. All changes are written to the case file immediately. To create a backup, close the case and copy the .case file.
Entities
Entities are the building blocks of an investigation. Each entity represents a real-world subject — a person, a company, a domain name, an email address, and so on. The app supports eleven entity types:
Person
An individual. Names, aliases, biographical details.
Company
A business, organisation, or legal entity.
Domain
A website domain name with WHOIS, DNS, and tech data.
Social Profile
A presence on a social platform (GitHub, Reddit, X, etc.).
An email address discovered during investigation.
Phone
A phone number associated with an entity.
Address
A physical or mailing address.
Username
An online handle or alias used across platforms.
IP Address
An IP tied to infrastructure, hosting, or activity.
Document
A file, report, certificate, or reference document.
Custom
Anything that doesn’t fit the above categories.
Adding entities manually
Press Ctrl+E or click Edit → Add Entity. Choose the entity type, enter a display name, set a priority level (critical, high, normal, or low), and optionally add notes. Entities also get created automatically when you use Paste & Extract.
Deleting entities
Select an entity in the sidebar or any list, then press Del or use Edit → Delete Selected. If you have confirmation dialogs enabled in Settings, you will be asked to confirm before deletion. Deleting an entity also removes its properties, relationships, and timeline events.
Paste & Extract
This is the primary data collection feature. Paste one or more URLs (one per line, up to 10) and the app will automatically extract structured intelligence from each one.
What gets extracted
The extraction engine runs different parsers depending on the URL type. For domain URLs, it queries five public APIs: RDAP for registration data, Google DNS for DNS records, ip-api.com for IP geolocation, Shodan InternetDB for open ports and known vulnerabilities, and crt.sh for subdomain discovery via certificate transparency logs. It also analyses HTTP headers, identifies the tech stack, reads meta tags, checks for sitemap.xml, and extracts JSON-LD structured data.
For GitHub URLs, it pulls the user’s profile data, bio, company, location, follower counts, and top repositories via the GitHub API. For Reddit URLs, it retrieves display name, karma, account age, and verification status. For social URLs on other platforms (X, LinkedIn, Instagram, YouTube, Facebook, TikTok), it creates a social profile entity with the detected platform and profile URL.
Extraction throttle
Each extraction makes multiple API calls. To avoid rate limiting, a configurable delay is inserted between requests. The default is 500ms. You can adjust this from 0ms (no delay) to 2000ms in Tools → Settings. If you are running multiple extractions in quick succession, a higher delay reduces the chance of being temporarily blocked by public APIs.
After extraction finishes, review the results in the Profile and Domains tabs. The extracted data is stored as properties on each entity — you can edit, add, or remove any of them.
Profile Tab
The Profile tab shows a structured view of all properties and relationships for the selected entity. Each property has a key (like “email” or “registrar”), a value, a source (where the data came from), and a confidence level.
Inline editing
Double-click any property value in the Profile tab to edit it in place. Press Enter to save or Escape to cancel. When you edit a value, the source and confidence metadata are preserved — only the value itself changes.
Adding properties
Click the Add Property button to add a new key-value pair. You can choose the source (manual, extracted, external) and confidence (confirmed, probable, unverified) when adding.
Confidence levels
Every property and relationship carries a confidence rating. Confirmed means verified data. Probable means likely correct but not fully verified. Unverified means raw or uncertain data. Confidence badges appear throughout the app with colour coding for visual clarity.
Connection Graph
The Connections tab renders an interactive graph showing how entities relate to each other. Nodes are coloured by entity type, and edges are styled by confidence level — solid lines for confirmed, dashed for probable, dotted for unverified.
Two layout modes
Force-directed (default) arranges nodes based on simulated physical forces — connected entities attract each other and unconnected entities repel. This works well for exploring organic networks where you want to see clusters form naturally.
Hierarchical arranges nodes in depth layers from a root node downward, similar to an organisation chart. This works well for ownership structures, reporting chains, or any relationship set with a clear hierarchy. Switch between modes using the layout dropdown above the graph.
Interacting with the graph
Drag a node to reposition it — the new position is saved to the case file automatically. Scroll to zoom in and out. Click a node to select it and view its details in the right panel. Double-click a node to navigate to it (selects it in the sidebar and switches to the Profile tab). Right-click a node or edge to see context menu options.
The graph has a minimap in the corner showing your current viewport, a legend panel showing entity type colours, and Fit to View controls to frame all nodes in the window. You can also pop the graph out into a separate floating window via View → Pop Out Graph.
Node positions are saved per case. When you reopen a case, the graph remembers exactly where you left each node.
Relationships
Relationships connect two entities with a typed link. For example, “John Smith works at Acme Corp” or “example.com registered to Jane Doe”. Each relationship has a type, a source entity, a target entity, and a confidence level.
Adding relationships
Press Ctrl+R or go to Edit → Add Relationship. Select the source and target entities, choose a relationship type (owns, works at, has profile, registered to, associated with, etc.), and set the confidence. Relationships are also created automatically during extraction.
The Relationships tab
This tab shows a sortable table of every relationship in the case. Click any column header to sort. Right-click a row to change its confidence, navigate to the source or target entity, or delete it. Double-click to navigate to the source entity’s profile.
Timeline
The Timeline tab shows a chronological record of all activity in the case — entity creation, extractions, snapshots, notes, and relationship changes. Events are sortable by column and filterable by type using the sidebar categories.
Date filtering
Click the Filter button to set a date range. The From date is set to the start of day (midnight) and the To date to the end of day (23:59:59). Only events within the range are shown. Click Clear to remove the filter and show all events again.
Snapshots & Diffing
Snapshots capture the complete state of an entity at a point in time — all properties and relationships, stored as a JSON blob in the case database. Use them to track changes over the course of an investigation.
Taking snapshots
Press Ctrl+S to snapshot the currently selected entity. Press Ctrl+Shift+S to snapshot every entity in the case at once. Snapshots appear in the Timeline tab and in the Snapshot History dialog.
Comparing snapshots
Open Tools → Snapshot History (Ctrl+D). Check two snapshots in the list and click Compare. The diff view shows additions (green), removals (red), and changes (amber) across properties and relationships. Select a single snapshot and click View to see its full contents.
Take a snapshot before and after each extraction run. This gives you a clear audit trail of what changed and when — essential for investigation documentation.
Domain Intelligence
The Domains tab shows rich, owner-drawn intelligence cards for domain entities. When you extract a domain URL, the app collects data from five different sources and presents it in a structured card layout.
Data sources
RDAP/WHOIS shows registration data: registrar, creation date, expiry, name servers, and available contact information. DNS shows A, AAAA, MX, NS, and TXT records resolved via Google DNS. IP geolocation (via ip-api.com) shows the server’s country, city, ISP, and ASN. Shodan InternetDB shows open ports, known vulnerabilities (CVEs), and tags for the IP address. crt.sh discovers subdomains through certificate transparency logs.
On-demand enrichment
Click the Enrich Domain button to refresh all five APIs for the selected domain entity. This is useful when you want to check for changes since the initial extraction or when you added a domain entity manually.
Notes & Evidence
The Notes tab lets you create and manage investigation notes with titles, free-text content, tags, and file attachments. Notes can be linked to a specific entity or created as case-level notes (not tied to any entity).
Tags
Add tags to organise your notes. Tags appear as coloured pills in the note list and can be searched from the advanced search dialog. Common patterns include tagging notes by investigation phase (initial, deep-dive, conclusion), by source type (interview, document, public record), or by priority.
File attachments
Click Attach File to attach screenshots, documents, PDFs, or any other file as evidence. Attachments are copied into an attachments folder alongside your case file. Right-click an attachment to open it, open its containing folder, or delete it.
OSINT Directory
The OSINT Directory tab provides a searchable, categorised directory of 94 curated investigation tools and websites across 16 categories. Each resource shows its name, URL, category, and description.
Click a resource and press Open to launch it in your default browser, or Copy URL to copy the link to your clipboard. The directory is loaded from osint-resources.json next to the executable.
Adding your own resources
Click + Add to add a custom resource. Enter the name, URL, category, and description. Your additions are saved back to the JSON file and appear alongside the built-in resources. You can also right-click any resource to edit or delete it.
Advanced Search
Press Ctrl+F to open the advanced search dialog. This searches across all entities (names and types), properties (keys and values), notes (titles, content, and tags), and relationships (types, source and target names). Results update in real time as you type.
Double-click any search result to navigate directly to the relevant entity and the appropriate tab. Entity results go to the Profile tab. Note results go to the Notes tab. Relationship results go to the Relationships tab.
Reports & Export
HTML case report
Go to File → Export Report (Ctrl+Shift+E) to generate a self-contained HTML report. The report includes a cover page with case stats, an executive summary, key findings, the connection graph as a PNG, entity and relationship tables, domain intelligence cards, social profiles, a filtered timeline, notes, and an appendix. It also includes a pre-written AI analysis prompt you can copy and paste into Claude, GPT, or Grok for further analysis.
The report uses a dark theme by default and automatically switches to light for printing or PDF export. All sections are collapsible with a floating side navigation. No CDN dependencies — the report works fully offline.
Entity report
File → Export Entity Report generates a focused report on a single entity, including all its properties, relationships, and related data.
CSV and JSON export
File → Export Entities (CSV) and Export Entities (JSON) export structured data for use in other tools or databases. Export Timeline (CSV) exports the full timeline event log.
Settings
Open Tools → Settings to configure the app. Available options:
Row colour scheme — Choose from eight colour presets (Default, Steel, Midnight, Ocean, Forest, Slate, Ember, Plum) that control the alternating row colours in all list views.
Default entity priority — Sets the default priority for new entities (critical, high, normal, or low).
API request delay — Controls the extraction throttle, from 0ms to 2000ms between API calls.
Confirm before deleting entities — When enabled, a confirmation dialog appears before any entity deletion.
Reopen last case on startup — Automatically loads your most recent case when the app launches.
Debug mode — Writes a detailed debug.log file next to the executable for troubleshooting.
Settings are stored in TomOSINTWorkbench.ini next to the executable. Window position, size, and panel widths are remembered automatically across sessions.
Keyboard Shortcuts
| Shortcut | Action |
|---|---|
| Ctrl+N | New Case |
| Ctrl+O | Open Case |
| Ctrl+W | Close Case |
| Ctrl+Shift+E | Export Report |
| Ctrl+Q | Exit |
| Ctrl+E | Add Entity |
| Ctrl+R | Add Relationship |
| Del | Delete Selected |
| Ctrl+F | Search |
| Ctrl+U | Paste & Extract |
| Ctrl+S | Take Snapshot |
| Ctrl+Shift+S | Snapshot All Entities |
| Ctrl+D | Snapshot History |
| Ctrl+T | Toggle Theme |
| F1 | About |
Troubleshooting
The app looks wrong or controls are misaligned
Delete TomOSINTWorkbench.ini next to the executable and restart. This resets all settings, window positions, and panel sizes to defaults. This is especially helpful when upgrading from an earlier build.
API extraction returns partial or no data
Some public APIs have rate limits. GitHub allows 60 requests per hour per IP without authentication. The ip-api.com free tier allows 45 requests per minute. crt.sh is a free service that occasionally returns 502 errors or times out. If extraction seems incomplete, wait a few minutes and try the Enrich Domain button to retry.
crt.sh times out frequently
The app uses an 8-second timeout for crt.sh. This service runs on donated infrastructure and can be slow or unreliable. If subdomain discovery is important, try again later or use the extracted certificate data you already have.
Debug logging
Enable debug mode in Tools → Settings to write detailed logs to debug.log. This records API calls, database operations, extraction steps, and error details. Useful for reporting issues or understanding unexpected behaviour.
The ip-api.com free tier uses HTTP, not HTTPS. API requests to this service for IP geolocation are unencrypted. This is a limitation of the free tier. No sensitive investigation data is sent — only the target IP address.
Known limitations
The JSON-LD parser uses minimal string matching. Deeply nested structured data on complex pages may not be fully extracted. The app is single-threaded; during extraction, the UI may feel less responsive while API calls are in progress. These are accepted trade-offs for zero-dependency portable architecture.
Social Profiles
The Social tab shows a purpose-built view for social profile entities. Select a social profile to see its platform badge (coloured to match the platform), username, clickable profile URL, and all associated properties.
Select a person or company entity instead, and the Social tab will show all linked social profiles grouped by platform. This gives you a single-screen view of someone’s online presence across GitHub, Reddit, X, LinkedIn, and other platforms.
Manual input
Click Add Info on the Social tab to manually add properties like bio, follower count, following count, or post count. This is useful for platforms that don’t have automated extraction yet.