[HOUSEHOLD / FAMILY NAME] - Collection Map

OSINT-044 Family & Household Digital Exposure Assessment - collection workspace. Central topic = the household constellation (principal’s family, resident relatives, domestic staff). Branches = data-point categories for household-wide digital exposure and cross-contamination. Drop each collected value as a child node; expand it with where it was found and which member it concerns. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-044.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer + essential elements of information (EEI) as checkboxes. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Verified Findings, §17 Collection Gaps.

PIR-1 - Physical approach via household routine: which members expose home address or routine/location data?

  • EEI: home address discoverable via data-broker / public-record listing (per member)
  • EEI: school or activity location of minor(s) published or inferrable
  • EEI: staff member employment / address linkage visible in open sources
  • EEI: household routine or schedule inferrable from social content (spouse/partner, staff)
  • EEI: geotag / EXIF metadata leakage from household photos

PIR-2 - Social-engineering bridge: what social/online presence of spouse, partner, or children exposes the principal’s identity, relationships, or schedule?

  • EEI: spouse/partner account(s) attributable and publicly searchable
  • EEI: accounts that name, tag, or photo the principal directly
  • EEI: family-name linkage between member profile and principal’s identity
  • EEI: mutual contacts / friend lists discoverable (enumeration risk)
  • EEI: posts exposing principal’s travel, meetings, or daily schedule

PIR-3 - Credential / breach exposure: which household members have breach exposure usable as a social-engineering bridge to the principal?

  • EEI: email address(es) per member returned in breach/paste repositories
  • EEI: passwords or credential pairs associated with any household email/username
  • EEI: reused username across platforms (username → account pivot)
  • EEI: any household email used for corporate/financial accounts of the principal

PIR-4 - Staff access vector: what is the digital exposure posture of domestic/household staff and does it present a leverage or access vector?

  • EEI: staff member professional profile linkable to the principal’s household/address
  • EEI: breach/credential exposure of any staff member
  • EEI: social-media footprint of staff member referencing employer/residence detail
  • EEI: background-check derogatory indicators (public court/civil records)

Collection gaps / RFIs (running)

  • [member declined consent - note excluded scope] → route to §17 Gaps
  • [unresolved selector / ambiguous identity - note member] → route to §17 Gaps
  • [platform not lawfully accessible (private/closed)] → route to §17 Gaps

01 · Identity Anchor - Principal & Household Profile

The principal’s risk profile that weights the household exposure, plus the household roster. → feeds §5 Assessment Scope, Household Profile & Collection Plan; §6 Household Composition & Relationship Mapping.

Principal identity (context only - NOT a full footprint workup; that is OSINT-055)

  • Principal name / designation:
  • Public-profile level: [High / Medium / Low / Private]
  • Threat context / prior targeting:
  • Role / employer (as relevant to exposure risk):
  • Assessment as-of date:

Household roster (HH-ID per member)

One row per member. Duplicate as needed. Clone full per-member exposure blocks (§02–§04) per HH-ID.

  • [HH-1 - spouse/partner]
    • Legal name (as known / consented):
    • Age band: [Adult]
    • Consent status: [Consented / Declined / Excluded]
    • Selectors provided:
    • Resolution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / disambiguation:
  • [HH-2 - child / minor]
    • Legal name (as known / consented):
    • Age band: [Minor]
    • Consent status: [Parent/guardian authorized]
    • Selectors provided:
    • Resolution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / disambiguation:
  • [HH-3 - resident relative]
    • Legal name (as known / consented):
    • Age band:
    • Consent status:
    • Selectors provided:
    • Resolution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / disambiguation:
  • [HH-4 - domestic staff]
    • Legal name (as known / consented):
    • Age band: [Adult]
    • Role:
    • Consent status:
    • Selectors provided:
    • Resolution confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / disambiguation:

02 · Selectors & Accounts - Per Household Member

Pivot core. Each selector is its own clonable block. Clone the full block per selector per member. → feeds §6 Household Composition & Relationship Mapping, §7–§10 Per-Member Digital Exposure sections.

Email addresses

→ feeds §7, §8, §9, §10 per-member exposure tables; §3 KJ-3 breach bridge.

  • [email - e.g. member@domain.com]
    • Member ID: [HH-1 / HH-2 / etc.]
    • Linked accounts (account-discovery):
    • Breach / paste appearances:
    • Platforms registered to this email:
    • Linkage to principal’s accounts or domain:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← holehe, h8mail, hunter.io, dehashed
  • [email 2]

Usernames / handles

→ feeds §7, §8, §9, §10 per-member exposure; cross-contamination pivot (§11).

  • [handle - e.g. sarah_j_photos]
    • Member ID: [HH-1 / HH-2 / etc.]
    • Platforms / where found (URL):
    • Linked email(s):
    • Linked phone(s):
    • Other accounts reusing it:
    • Content visible / scope of public posts:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← idcrawl, sherlock, whatsmyname
  • [handle 2]

Phone numbers

→ feeds §7, §8, §9, §10 per-member exposure; possible data-broker linkage.

  • [number - e.g. +1 555-0199]
    • Member ID: [HH-1 / HH-2 / etc.]
    • Type / carrier: [mobile / landline / VoIP]
    • Linked apps / accounts:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← truecaller, callerid.com, carrier lookup
  • [number 2]

Social-media accounts

Clone per account per member. Include privacy-setting posture - open/closed drives exposure surface.

  • [platform - e.g. Instagram]
    • Member ID: [HH-1 / HH-2 / etc.]
    • Handle / profile URL:
    • Account privacy: [Public / Private / Semi-restricted]
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Status: [Active / Dormant / Deleted]
    • Principal tagged/mentioned:
    • Location / routine leakage:
    • Notes (content summary / affiliations):
  • [platform 2]

03 · Credential & Breach Exposure - Per Household Member

For each breach/paste hit: member, selector hit, breach source, data fields exposed, credential-reuse risk. → feeds §7–§10 per-member tables; §11 Cross-Contamination Pathways (social-engineering bridge, PIR-3); §14 Red Flags.

Breach / paste hits

Clone block per breach hit per member. Mark sensitive - handle as restricted data.

  • [breach event - e.g. 2021 service XYZ breach]
    • Member ID: [HH-1 / HH-2 / etc.]
    • Selector hit (email / username):
    • Data fields exposed (e.g. password hash, address, phone):
    • Credential reuse risk (same password likely reused elsewhere): [High / Medium / Low]
    • Linkage risk to principal (shared domain, shared password):
    • Source / where identified:
    • Date observed:
    • Remediation required:
    • Notes / tool output: ← haveibeenpwned, h8mail, dehashed, IntelX
  • [breach event 2]

Password / credential indicators

  • [credential pattern or hash exposure]:
    • Member ID:
    • Reuse across accounts:
    • MFA status (if observable):
    • Notes:

Paste / data-leak dump appearances

  • [paste site / dark-web dump ref]:
    • Member ID:
    • Content summary:
    • Date:
    • Source grade:

04 · Dark-Web Presence & Household Mentions

Lawful, passive monitoring of dark-web forums, markets, and leak sites for household selectors or principal-linked household references. Do NOT exfiltrate breach data. → feeds §14 Red Flag / Notable Indicators; §11 Cross-Contamination Pathways.

Forum / market mentions - household selectors

Clone per mention. Flag immediately if real-time threat indicators found.

  • [mention - e.g. forum thread referencing member’s email]
    • Member ID: [HH-1 / HH-2 / etc.]
    • Platform / site (tor address or named service):
    • Content summary (no exfiltration of PII dumps):
    • Threat indicator type: [credential for sale / dox post / targeting / other]
    • Date observed:
    • Urgency / escalation required: [Immediate / Priority / Routine]
    • Notes / tool output: ← Tor Browser (passive), IntelX, dehashed, SpyCloud (if licensed)
  • [mention 2]

Leaked household PII on paste sites

  • [paste ref]
    • Member ID:
    • PII fields present:
    • Source / URL:
    • Date:
    • Escalate to counsel / suppression:

Dox or targeting post referencing household

  • [post / thread ref]:
    • Member ID(s) named:
    • Content:
    • Threat level:
    • Escalation status:

05 · Digital Footprint & PII Exposure - Household-Wide

Data-broker, people-search, and public-record exposure for each household member. Focus: address linkage to principal, routine/location leakage, images, and published contact details. → feeds §7, §8, §9, §10 Per-Member Exposure; §11 Cross-Contamination Pathways; §12 Severity Register.

Data-broker / people-search listings

Clone block per listing per member. Note: minors’ listings warrant heightened sensitivity.

  • [broker / site - e.g. Spokeo / Whitepages / BeenVerified]
    • Member ID: [HH-1 / HH-2 / etc.]
    • URL / listing ref:
    • Data fields present: [name / address / phone / email / relatives / employer / photo]
    • Address linkage to principal’s residence: [Direct / Inferred / None]
    • Relative linkage (chains to principal):
    • Removable / opt-out available: [Yes / No / Partial]
    • Opt-out URL:
    • Notes: ← Spokeo, Whitepages, BeenVerified, Intelius, MyLife, FastPeopleSearch
  • [broker 2]

Social-media PII leakage (household-wide surface)

  • [post / page ref - e.g. school event tagged with home neighborhood]
    • Member ID:
    • PII disclosed: [address / school / routine / photo / location tag]
    • Cross-contamination value:
    • Source / URL:
    • Removable:

Image / media exposure with geolocation or metadata

→ feeds §13 Verified Findings; §14 Red Flags (real-time location leakage).

  • [image ref - e.g. profile photo on member’s Instagram]
    • Member ID:
    • Source / URL:
    • EXIF / geotag data present:
    • Location disclosed:
    • Reverse-image hits (additional exposure):
    • Notes / tool output: ← ExifTool, Google Images reverse, TinEye, Yandex Images

School / activity / employer listings

Particularly relevant for minors (school location) and staff (employer-reference exposure).

  • [listing / directory ref]
    • Member ID:
    • Type: [school directory / sports team / employer profile / alumni list]
    • Location / routine info disclosed:
    • Linkage to principal:
    • Removable:

06 · Infrastructure - Household Digital Assets

Domains, personal websites, email domains, apps, and accounts that are household-owned or registered to a household member, and which may expose the principal or the household. → feeds §5 Collection Plan; §11 Cross-Contamination (shared infrastructure); §12 Severity Register.

Personal domains / websites registered to household members

Clone per domain.

  • [domain - e.g. smithfamily.net]
    • Member ID: [HH-1 / HH-2 / etc.]
    • Registrant name / email (WHOIS):
    • Hosting / IP:
    • Content exposing household:
    • Privacy / WHOIS protection in place: [Yes / No]
    • Notes / tool output: ← whois, crt.sh, ARIN/RIPE, Shodan
  • [domain 2]

Shared email / family domain

  • [family email domain - e.g. @familydomain.com]
    • Members using this domain:
    • Domain registrant:
    • Breach exposure on domain:
    • Notes:

Cloud / storage account exposure (observable)

  • [account type - e.g. iCloud shared family album publicly indexed]:
    • Member ID:
    • Exposure type:
    • Source:

Smart-home / IoT (surface-observable only)

Note: deep technical assessment of home network/IoT is out of scope for OSINT-044 (separate product). Capture only what is passively and lawfully observable (e.g., a security camera feed indexed publicly).

  • [observable item]:
    • Source:
    • Exposure type:
    • Cross-contamination value:

07 · Attack Surface & Cross-Contamination Pathways

Chain individual member exposures into adversary pathways. Pathway types: social-engineering bridge, physical approach via routine, leverage/coercion, staff access vector. → feeds §11 Cross-Contamination & Leverage Pathways; §12 Household-Wide Severity Register; §14 Red Flags.

Social-engineering bridge pathways

An adversary exploits a member’s account or relationship to reach the principal.

  • [pathway - e.g. adversary contacts principal via compromised spouse email]
    • Enabling member exposures: [HH-1 email breach + public contact detail]
    • Adversary capability assumed:
    • Harm to principal:
    • Disrupting remediation:
    • Severity: [Critical / High / Elevated / Moderate / Low]
  • [pathway 2]

Physical-approach via routine pathways

Adversary uses publicly observable household routine (school run, gym, staff movements) to locate or approach the principal.

  • [pathway - e.g. child’s school location + pick-up routine inferable from parent’s posts]
    • Enabling member exposures:
    • Adversary capability assumed:
    • Harm to principal:
    • Disrupting remediation:
    • Severity:

Leverage / coercion pathways

Adversary threatens or exploits exposed member data (e.g., minor’s photos, staff’s breach exposure).

  • [pathway - e.g. minor’s images/location used as coercion leverage]
    • Enabling member exposures:
    • Adversary capability assumed:
    • Harm to principal:
    • Disrupting remediation:
    • Severity:

Staff access-vector pathways

Staff member with physical-access knowledge is compromised or susceptible.

  • [pathway - e.g. nanny’s breach-exposed credentials → adversary social-engineers routine info]
    • Enabling member exposures:
    • Adversary capability assumed:
    • Harm to principal:
    • Disrupting remediation:
    • Severity:

08 · Attribution & Threat Actors

Only if specific targeting of the household is suspected or evidenced. Link back to OSINT-004 / OSINT-051 if a threat-actor investigation is required (out of scope for OSINT-044). → feeds §15 ACH; §3 Key Judgments; §14 Red Flags.

Known / suspected threat actors (if tasked)

  • [actor / handle / group]
    • Basis for suspicion:
    • Household selectors in actor’s possession (evidenced):
    • Indicator type:
    • Cross-ref to external product: [OSINT-004 / OSINT-051]
    • Source grade:

Threat-actor TTPs relevant to household exposure (contextual)

  • [TTP - e.g. spear-phish via family member account]
    • Relevance to this household:
    • Applicable pathway (cross-ref §07):

99 · Collection Admin

Working register - not a deliverable section; the audit and chain-of-custody trail behind the deliverable.

Source register

Every material datum traceable to a graded source. Admiralty two-axis grading.

  • [S-1 - source name / type]
    • Member(s) referenced:
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:
    • URL / reference:
  • [S-2]
  • [S-3]

Evidence archive

Screenshot / capture references with hash, URL, timestamp, and chain-of-custody pointer. → feeds Appendix D.

  • [capture ref + SHA-256 hash + URL + timestamp]:
  • [capture ref 2]:

Per-member broker-removal register

Track opt-out submissions per broker per member. → feeds Appendix E.

  • [broker - e.g. Spokeo]
    • Member ID:
    • Opt-out submitted:
    • Confirmation received:
    • Verified removed:
  • [broker 2]

Open gaps / verification pending

Items submitted for collection but not yet returned or resolved. → feeds §17 Collection Gaps & RFIs.

  • [item / member / gap description - route to §17]
  • [item 2]

Collection integrity notes

  • Footprint-minimization measures applied:
  • Consent gate confirmed per member:
  • Minors’ data heightened-sensitivity handling confirmed:
  • Publicly-available-only boundary confirmed (no account access, no breach-data exfiltration):
  • Legal/counsel escalation items: