[HOUSEHOLD / FAMILY NAME] - Collection Map
OSINT-044 Family & Household Digital Exposure Assessment - collection workspace. Central topic = the household constellation (principal’s family, resident relatives, domestic staff). Branches = data-point categories for household-wide digital exposure and cross-contamination. Drop each collected value as a child node; expand it with where it was found and which member it concerns. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-044.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer + essential elements of information (EEI) as checkboxes. Tick as satisfied. → drives §3 Key Judgments, §4 PIRs, §13 Verified Findings, §17 Collection Gaps.
PIR-1 - Physical approach via household routine: which members expose home address or routine/location data?
- EEI: home address discoverable via data-broker / public-record listing (per member)
- EEI: school or activity location of minor(s) published or inferrable
- EEI: staff member employment / address linkage visible in open sources
- EEI: household routine or schedule inferrable from social content (spouse/partner, staff)
- EEI: geotag / EXIF metadata leakage from household photos
PIR-2 - Social-engineering bridge: what social/online presence of spouse, partner, or children exposes the principal’s identity, relationships, or schedule?
- EEI: spouse/partner account(s) attributable and publicly searchable
- EEI: accounts that name, tag, or photo the principal directly
- EEI: family-name linkage between member profile and principal’s identity
- EEI: mutual contacts / friend lists discoverable (enumeration risk)
- EEI: posts exposing principal’s travel, meetings, or daily schedule
PIR-3 - Credential / breach exposure: which household members have breach exposure usable as a social-engineering bridge to the principal?
- EEI: email address(es) per member returned in breach/paste repositories
- EEI: passwords or credential pairs associated with any household email/username
- EEI: reused username across platforms (username → account pivot)
- EEI: any household email used for corporate/financial accounts of the principal
PIR-4 - Staff access vector: what is the digital exposure posture of domestic/household staff and does it present a leverage or access vector?
- EEI: staff member professional profile linkable to the principal’s household/address
- EEI: breach/credential exposure of any staff member
- EEI: social-media footprint of staff member referencing employer/residence detail
- EEI: background-check derogatory indicators (public court/civil records)
Collection gaps / RFIs (running)
- [member declined consent - note excluded scope] → route to §17 Gaps
- [unresolved selector / ambiguous identity - note member] → route to §17 Gaps
- [platform not lawfully accessible (private/closed)] → route to §17 Gaps
01 · Identity Anchor - Principal & Household Profile
The principal’s risk profile that weights the household exposure, plus the household roster. → feeds §5 Assessment Scope, Household Profile & Collection Plan; §6 Household Composition & Relationship Mapping.
Principal identity (context only - NOT a full footprint workup; that is OSINT-055)
- Principal name / designation:
- Public-profile level: [High / Medium / Low / Private]
- Threat context / prior targeting:
- Role / employer (as relevant to exposure risk):
- Assessment as-of date:
Household roster (HH-ID per member)
One row per member. Duplicate as needed. Clone full per-member exposure blocks (§02–§04) per HH-ID.
- [HH-1 - spouse/partner]
- Legal name (as known / consented):
- Age band: [Adult]
- Consent status: [Consented / Declined / Excluded]
- Selectors provided:
- Resolution confidence: [Confirmed / Probable / Possible / Unresolved]
- Notes / disambiguation:
- [HH-2 - child / minor]
- Legal name (as known / consented):
- Age band: [Minor]
- Consent status: [Parent/guardian authorized]
- Selectors provided:
- Resolution confidence: [Confirmed / Probable / Possible / Unresolved]
- Notes / disambiguation:
- [HH-3 - resident relative]
- Legal name (as known / consented):
- Age band:
- Consent status:
- Selectors provided:
- Resolution confidence: [Confirmed / Probable / Possible / Unresolved]
- Notes / disambiguation:
- [HH-4 - domestic staff]
- Legal name (as known / consented):
- Age band: [Adult]
- Role:
- Consent status:
- Selectors provided:
- Resolution confidence: [Confirmed / Probable / Possible / Unresolved]
- Notes / disambiguation:
02 · Selectors & Accounts - Per Household Member
Pivot core. Each selector is its own clonable block. Clone the full block per selector per member. → feeds §6 Household Composition & Relationship Mapping, §7–§10 Per-Member Digital Exposure sections.
Email addresses
→ feeds §7, §8, §9, §10 per-member exposure tables; §3 KJ-3 breach bridge.
- [email - e.g. member@domain.com]
- Member ID: [HH-1 / HH-2 / etc.]
- Linked accounts (account-discovery):
- Breach / paste appearances:
- Platforms registered to this email:
- Linkage to principal’s accounts or domain:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← holehe, h8mail, hunter.io, dehashed
- [email 2]
Usernames / handles
→ feeds §7, §8, §9, §10 per-member exposure; cross-contamination pivot (§11).
- [handle - e.g. sarah_j_photos]
- Member ID: [HH-1 / HH-2 / etc.]
- Platforms / where found (URL):
- Linked email(s):
- Linked phone(s):
- Other accounts reusing it:
- Content visible / scope of public posts:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← idcrawl, sherlock, whatsmyname
- [handle 2]
Phone numbers
→ feeds §7, §8, §9, §10 per-member exposure; possible data-broker linkage.
- [number - e.g. +1 555-0199]
- Member ID: [HH-1 / HH-2 / etc.]
- Type / carrier: [mobile / landline / VoIP]
- Linked apps / accounts:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← truecaller, callerid.com, carrier lookup
- [number 2]
Social-media accounts
Clone per account per member. Include privacy-setting posture - open/closed drives exposure surface.
- [platform - e.g. Instagram]
- Member ID: [HH-1 / HH-2 / etc.]
- Handle / profile URL:
- Account privacy: [Public / Private / Semi-restricted]
- Attribution confidence: [Confirmed / Probable / Possible]
- Status: [Active / Dormant / Deleted]
- Principal tagged/mentioned:
- Location / routine leakage:
- Notes (content summary / affiliations):
- [platform 2]
03 · Credential & Breach Exposure - Per Household Member
For each breach/paste hit: member, selector hit, breach source, data fields exposed, credential-reuse risk. → feeds §7–§10 per-member tables; §11 Cross-Contamination Pathways (social-engineering bridge, PIR-3); §14 Red Flags.
Breach / paste hits
Clone block per breach hit per member. Mark sensitive - handle as restricted data.
- [breach event - e.g. 2021 service XYZ breach]
- Member ID: [HH-1 / HH-2 / etc.]
- Selector hit (email / username):
- Data fields exposed (e.g. password hash, address, phone):
- Credential reuse risk (same password likely reused elsewhere): [High / Medium / Low]
- Linkage risk to principal (shared domain, shared password):
- Source / where identified:
- Date observed:
- Remediation required:
- Notes / tool output: ← haveibeenpwned, h8mail, dehashed, IntelX
- [breach event 2]
Password / credential indicators
- [credential pattern or hash exposure]:
- Member ID:
- Reuse across accounts:
- MFA status (if observable):
- Notes:
Paste / data-leak dump appearances
- [paste site / dark-web dump ref]:
- Member ID:
- Content summary:
- Date:
- Source grade:
04 · Dark-Web Presence & Household Mentions
Lawful, passive monitoring of dark-web forums, markets, and leak sites for household selectors or principal-linked household references. Do NOT exfiltrate breach data. → feeds §14 Red Flag / Notable Indicators; §11 Cross-Contamination Pathways.
Forum / market mentions - household selectors
Clone per mention. Flag immediately if real-time threat indicators found.
- [mention - e.g. forum thread referencing member’s email]
- Member ID: [HH-1 / HH-2 / etc.]
- Platform / site (tor address or named service):
- Content summary (no exfiltration of PII dumps):
- Threat indicator type: [credential for sale / dox post / targeting / other]
- Date observed:
- Urgency / escalation required: [Immediate / Priority / Routine]
- Notes / tool output: ← Tor Browser (passive), IntelX, dehashed, SpyCloud (if licensed)
- [mention 2]
Leaked household PII on paste sites
- [paste ref]
- Member ID:
- PII fields present:
- Source / URL:
- Date:
- Escalate to counsel / suppression:
Dox or targeting post referencing household
- [post / thread ref]:
- Member ID(s) named:
- Content:
- Threat level:
- Escalation status:
05 · Digital Footprint & PII Exposure - Household-Wide
Data-broker, people-search, and public-record exposure for each household member. Focus: address linkage to principal, routine/location leakage, images, and published contact details. → feeds §7, §8, §9, §10 Per-Member Exposure; §11 Cross-Contamination Pathways; §12 Severity Register.
Data-broker / people-search listings
Clone block per listing per member. Note: minors’ listings warrant heightened sensitivity.
- [broker / site - e.g. Spokeo / Whitepages / BeenVerified]
- Member ID: [HH-1 / HH-2 / etc.]
- URL / listing ref:
- Data fields present: [name / address / phone / email / relatives / employer / photo]
- Address linkage to principal’s residence: [Direct / Inferred / None]
- Relative linkage (chains to principal):
- Removable / opt-out available: [Yes / No / Partial]
- Opt-out URL:
- Notes: ← Spokeo, Whitepages, BeenVerified, Intelius, MyLife, FastPeopleSearch
- [broker 2]
Social-media PII leakage (household-wide surface)
- [post / page ref - e.g. school event tagged with home neighborhood]
- Member ID:
- PII disclosed: [address / school / routine / photo / location tag]
- Cross-contamination value:
- Source / URL:
- Removable:
Image / media exposure with geolocation or metadata
→ feeds §13 Verified Findings; §14 Red Flags (real-time location leakage).
- [image ref - e.g. profile photo on member’s Instagram]
- Member ID:
- Source / URL:
- EXIF / geotag data present:
- Location disclosed:
- Reverse-image hits (additional exposure):
- Notes / tool output: ← ExifTool, Google Images reverse, TinEye, Yandex Images
School / activity / employer listings
Particularly relevant for minors (school location) and staff (employer-reference exposure).
- [listing / directory ref]
- Member ID:
- Type: [school directory / sports team / employer profile / alumni list]
- Location / routine info disclosed:
- Linkage to principal:
- Removable:
06 · Infrastructure - Household Digital Assets
Domains, personal websites, email domains, apps, and accounts that are household-owned or registered to a household member, and which may expose the principal or the household. → feeds §5 Collection Plan; §11 Cross-Contamination (shared infrastructure); §12 Severity Register.
Personal domains / websites registered to household members
Clone per domain.
- [domain - e.g. smithfamily.net]
- Member ID: [HH-1 / HH-2 / etc.]
- Registrant name / email (WHOIS):
- Hosting / IP:
- Content exposing household:
- Privacy / WHOIS protection in place: [Yes / No]
- Notes / tool output: ← whois, crt.sh, ARIN/RIPE, Shodan
- [domain 2]
Shared email / family domain
- [family email domain - e.g. @familydomain.com]
- Members using this domain:
- Domain registrant:
- Breach exposure on domain:
- Notes:
Cloud / storage account exposure (observable)
- [account type - e.g. iCloud shared family album publicly indexed]:
- Member ID:
- Exposure type:
- Source:
Smart-home / IoT (surface-observable only)
Note: deep technical assessment of home network/IoT is out of scope for OSINT-044 (separate product). Capture only what is passively and lawfully observable (e.g., a security camera feed indexed publicly).
- [observable item]:
- Source:
- Exposure type:
- Cross-contamination value:
07 · Attack Surface & Cross-Contamination Pathways
Chain individual member exposures into adversary pathways. Pathway types: social-engineering bridge, physical approach via routine, leverage/coercion, staff access vector. → feeds §11 Cross-Contamination & Leverage Pathways; §12 Household-Wide Severity Register; §14 Red Flags.
Social-engineering bridge pathways
An adversary exploits a member’s account or relationship to reach the principal.
- [pathway - e.g. adversary contacts principal via compromised spouse email]
- Enabling member exposures: [HH-1 email breach + public contact detail]
- Adversary capability assumed:
- Harm to principal:
- Disrupting remediation:
- Severity: [Critical / High / Elevated / Moderate / Low]
- [pathway 2]
Physical-approach via routine pathways
Adversary uses publicly observable household routine (school run, gym, staff movements) to locate or approach the principal.
- [pathway - e.g. child’s school location + pick-up routine inferable from parent’s posts]
- Enabling member exposures:
- Adversary capability assumed:
- Harm to principal:
- Disrupting remediation:
- Severity:
Leverage / coercion pathways
Adversary threatens or exploits exposed member data (e.g., minor’s photos, staff’s breach exposure).
- [pathway - e.g. minor’s images/location used as coercion leverage]
- Enabling member exposures:
- Adversary capability assumed:
- Harm to principal:
- Disrupting remediation:
- Severity:
Staff access-vector pathways
Staff member with physical-access knowledge is compromised or susceptible.
- [pathway - e.g. nanny’s breach-exposed credentials → adversary social-engineers routine info]
- Enabling member exposures:
- Adversary capability assumed:
- Harm to principal:
- Disrupting remediation:
- Severity:
08 · Attribution & Threat Actors
Only if specific targeting of the household is suspected or evidenced. Link back to OSINT-004 / OSINT-051 if a threat-actor investigation is required (out of scope for OSINT-044). → feeds §15 ACH; §3 Key Judgments; §14 Red Flags.
Known / suspected threat actors (if tasked)
- [actor / handle / group]
- Basis for suspicion:
- Household selectors in actor’s possession (evidenced):
- Indicator type:
- Cross-ref to external product: [OSINT-004 / OSINT-051]
- Source grade:
Threat-actor TTPs relevant to household exposure (contextual)
- [TTP - e.g. spear-phish via family member account]
- Relevance to this household:
- Applicable pathway (cross-ref §07):
99 · Collection Admin
Working register - not a deliverable section; the audit and chain-of-custody trail behind the deliverable.
Source register
Every material datum traceable to a graded source. Admiralty two-axis grading.
- [S-1 - source name / type]
- Member(s) referenced:
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F):
- Credibility (1–6):
- Date accessed:
- URL / reference:
- [S-2]
- [S-3]
Evidence archive
Screenshot / capture references with hash, URL, timestamp, and chain-of-custody pointer. → feeds Appendix D.
- [capture ref + SHA-256 hash + URL + timestamp]:
- [capture ref 2]:
Per-member broker-removal register
Track opt-out submissions per broker per member. → feeds Appendix E.
- [broker - e.g. Spokeo]
- Member ID:
- Opt-out submitted:
- Confirmation received:
- Verified removed:
- [broker 2]
Open gaps / verification pending
Items submitted for collection but not yet returned or resolved. → feeds §17 Collection Gaps & RFIs.
- [item / member / gap description - route to §17]
- [item 2]
Collection integrity notes
- Footprint-minimization measures applied:
- Consent gate confirmed per member:
- Minors’ data heightened-sensitivity handling confirmed:
- Publicly-available-only boundary confirmed (no account access, no breach-data exfiltration):
- Legal/counsel escalation items: