[DIGITAL IDENTITY / PRINCIPAL] - Collection Map
OSINT-055 Digital Footprint & Exposure Assessment - collection workspace. Central topic = the principal’s digital identity and attack surface. Branches are the data-point categories for this digital-footprint & exposure assessment. Drop each collected value as a child node; expand with where found. Paste raw tool output into node Notes. → feeds deliverable OSINT-055. Consent-based, lawful open-source collection only. No account access; no breach-data exfiltration. All findings are time-bound to the stated assessment window.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer. Tick each EEI as satisfied. → drives §3 Key Judgments, §4 PIRs, §15 Verified Findings Summary, §19 Collection Gaps.
PIR-1 - Physical-Nexus: What home/location data is openly discoverable and through which sources?
- EEI: primary residential address surfaced via data-broker / people-search listings
- EEI: secondary residences or property records tied to the principal
- EEI: geotag / check-in / live-stream leakage enabling real-time location inference
- EEI: vehicle or registration hints discoverable via open sources
- EEI: routine or pattern-of-life signals surfaced from social posts
PIR-2 - Credential & Breach: Which of the principal’s selectors appear in breach corpora, and what data classes are exposed?
- EEI: email addresses confirmed in public breach-exposure checks
- EEI: data classes implicated (password hash, plaintext, security-Q, SSN fragment, DOB)
- EEI: credential reuse risk across critical accounts (email, financial, SSO)
- EEI: recency of the most recent exposure event
PIR-3 - Social Media: What does the principal’s social footprint expose and to whom?
- EEI: all attributable platform accounts enumerated with privacy-setting posture
- EEI: overexposed routine / location / relationship / travel content identified
- EEI: image-metadata / geolocation leakage in posted media
- EEI: connection-graph reachability (what adversary can infer from followers/connections)
PIR-4 - Technical & Infrastructure: What externally visible technical surface is tied to the principal?
- EEI: personal domains registered and WHOIS/registration data exposure
- EEI: self-hosted services or public-facing IP/hostname leakage
- EEI: open-source service banners discoverable via passive means
PIR-5 - Harm Pathways: How do enumerated exposures chain into concrete attack scenarios?
- EEI: doxxing pathway - exposures enabling home-address deanonymization
- EEI: social-engineering / pretext pathway - exposures enabling impersonation or lure
- EEI: account-takeover (ATO) pathway - credential reuse + recovery-vector exposure
- EEI: physical-approach / surveillance pathway - real-time or near-real-time location leakage
Collection gaps / RFIs (running)
- [open selector - unresolved handle / phone / email] → route to §19
- [suspected broker listing not confirmed] → verify via manual opt-out check
- [platform inaccessible via lawful open means] → note as coverage gap in §19
01 · Identity Anchor
Establish the principal’s identity before any exposure is attributed - every downstream finding is only as good as the selector→principal link. → feeds §6 Identity & Selector Inventory.
Legal / Known Names
- Full legal name:
- Name variants / former names:
- Nicknames / AKAs:
- Native-script / transliterations:
Biographic Anchors (for disambiguation)
- DOB / YOB:
- City / region of residence (general):
- Role / public-profile level:
- Threat context / reason for assessment:
Identity-Resolution Confidence Statement
- Same-name candidates identified & excluded:
- Misattribution risk (common name / shared identifier): [High / Medium / Low]
- Overall selector→principal confidence: [Confirmed / Probable / Possible]
02 · Selectors & Accounts
The pivot core of the assessment. Each selector is its own clonable block. Clone per value. → feeds §6 Identity & Selector Inventory, §7 Surface-Web Footprint, §8 Social Media.
Email Addresses
→ feeds §6, §10 Credential & Breach Exposure. Tool hints: holehe, h8mail, hunter.io, have-i-been-pwned (lawful check only).
- [email - e.g. principal@domain.com]
- Linked accounts (account-discovery):
- Breach / paste appearances:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [email 2]
Usernames / Handles
→ feeds §6, §7, §8. Tool hints: sherlock, whatsmyname, idcrawl - lawful public enumeration only.
- [handle - e.g. principal_handle]
- Platforms / where found (URL):
- Linked email(s):
- Linked phone(s):
- Other accounts reusing this handle:
- Privacy posture per platform: [Open / Partial / Locked]
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [handle 2]
Phone Numbers
→ feeds §6, §9 Data-Broker Exposure. Tool hints: truecaller, sync.me (public lookup only).
- [number - e.g. +1 555-0199]
- Type / carrier: [Mobile / Landline / VoIP]
- Linked accounts / apps (WhatsApp / Telegram public presence):
- Data-broker listings surfacing this number:
- Where found (source + URL):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [number 2]
Personal Domains / Web Properties
→ feeds §11 Technical & Infrastructure Footprint. Tool hints: whois, who.is, viewdns.info.
- [domain - e.g. principalname.com]
- Registrant / WHOIS exposure:
- Hosting / IP:
- Historical registrant data (WHOIS history):
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output:
- [domain 2]
03 · Credential & Breach Exposure
Exposure of the principal’s selectors in known public breach corpora - lawful exposure-checking only (no acquisition, decryption, or use of breached secrets). → feeds §10 Credential & Breach Exposure, §13 Exposure-to-Harm Pathways (ATO pathway).
Breach Exposures
Tool hints: have-i-been-pwned API (lawful public check), DeHashed public lookup, Snusbase public check. No exfiltration or download of breached datasets.
- [exposed selector - e.g. email / phone]
- Breach / exposure class (source dataset name):
- Data classes implicated: [e.g., email+password-hash / plaintext / security-Q / DOB / SSN-fragment]
- Breach date / disclosure date:
- Reuse / ATO risk assessment: [Critical / High / Elevated / Moderate / Low]
- Source grade:
- Notes / tool output:
- [exposed selector 2]
Paste / Public-Dump Appearances
- [paste site + reference]:
- Content (data class only, no secrets):
- Date:
- Source grade:
- Notes / tool output:
Credential-Reuse Risk Mapping
- Critical accounts at risk (email providers / banking / SSO):
- MFA enrolled on critical accounts (as far as lawfully observable):
- Recovery-vector exposure (recovery email / phone exposed in breach):
04 · Dark-Web Presence
Mentions, listings, or trade of the principal’s PII or credentials on dark-web markets, forums, or leak sites - assessed via lawful passive means. Deep dark-web / forum trade analysis is deferred to OSINT-058. → feeds §10 Credential & Breach Exposure, §16 Red Flag Indicators.
Dark-Web Mention / Listing
Tool hints: lawful dark-web monitoring services (Constella, SpyCloud public layer, open leak-site aggregators) - no purchase or interaction with criminal infrastructure.
- [mention / listing reference]
- Platform / site type: [market / forum / leak site / paste aggregator]
- Data class referenced:
- Date observed:
- Threat context (who posted, what claimed):
- Red-flag level: [Critical / High / Elevated]
- Source grade:
- Notes / tool output:
- [mention 2]
Leaked-Document / Dox Threads
- [thread / post reference]:
- Content summary (no PII):
- Origination date:
- Still accessible / mirrored:
05 · Digital Footprint & PII Exposure
Open, surface-web discoverable PII - general search, data-broker / people-search aggregators, directory listings, cached / archived content, image results. → feeds §7 Surface-Web Footprint, §9 Personal-Data-Broker & People-Search Exposure, §12 Physical-Nexus Exposure.
Surface-Web Footprint Items
Tool hints: Google / Bing / DuckDuckGo dorking, Google Cache, Wayback Machine, archive.ph.
- [footprint item - e.g. bio page / directory listing / press mention]
- Where discoverable (source class + URL):
- Selector linked:
- Sensitivity: [High / Medium / Low]
- Removable?: [Yes / No / Partial]
- Notes:
- [footprint item 2]
Data-Broker / People-Search Listings
Tool hints: manual review of Spokeo / WhitePages / Radaris / FastPeopleSearch / Intelius category - no paid query; lawful public-tier only.
- [broker / aggregator class - e.g. address-aggregator]
- Exposed fields: [home address / phone / relatives / DOB / property / email]
- Cross-links (relatives / additional addresses surfaced):
- Suppression / opt-out path:
- Removal status: [Open / Submitted / Removed / Partial]
- Notes:
- [broker class 2]
Social Media Accounts (per platform)
Clone per platform. → feeds §8 Social Media & Networking Exposure.
- [platform - e.g. LinkedIn / X / Instagram / Facebook / TikTok / YouTube]
- Handle / URL:
- Attribution confidence: [Confirmed / Probable / Possible]
- Privacy posture: [Open / Partial / Locked]
- Exposed elements: [location / routine / relationships / travel / home / media]
- Image / geotag leakage:
- Connection-graph exposure (followers / following visibility):
- Notes:
- [platform 2]
Cached / Archived Content
- [archived URL - Wayback / cache ref]
- Content:
- Date of original:
- Still live:
06 · Infrastructure
Externally visible technical surface tied to the principal: personal domains, IPs, self-hosted services, passive banner information. → feeds §11 Technical & Infrastructure Footprint.
Domain & WHOIS Exposure
Tool hints: whois, viewdns.info, dnsdumpster, SecurityTrails (passive/public tier), crt.sh for certificate transparency.
- [domain / subdomain]
- WHOIS registrant exposure (name / email / address visible):
- Registrar:
- Registration / expiry dates:
- DNS records of note (MX / SPF / TXT revealing hosting):
- Historical registrant data change:
- Notes / tool output:
- [domain 2]
IP / Hosting Exposure
Tool hints: Shodan (passive/public layer), Censys public, GreyNoise public - passive enumeration only.
- [IP / hostname]
- Associated service / banner:
- Geolocation:
- Linked to principal via:
- Risk:
- Notes / tool output:
Certificate Transparency
Tool hints: crt.sh, censys.io certificate search.
- [certificate / SAN entry]:
- Issued to / common name:
- Issuer:
- Date range:
Email Infrastructure (MX / SPF leakage)
- [email infrastructure finding]:
- What it exposes:
07 · Attack Surface & Vulnerabilities
How enumerated exposures combine into exploitable attack surface: physical-nexus enablement, social-engineering pre-text material, account-recovery vectors, and identity-aggregation risk. → feeds §13 Exposure-to-Harm Pathways, §14 Exposure Severity Register, §16 Red Flag Indicators.
Physical-Nexus Exposure Items
→ feeds §12 Physical-Nexus Exposure. Items that enable physical targeting or approach.
- [physical-nexus item - e.g. home address in data broker + property record]
- Source class:
- What it enables (targeting value): [e.g., home approach / vehicle identification / routine prediction]
- Severity: [Critical / High / Elevated / Moderate / Low]
- Mitigation lane: [suppression / address-shielding / behavioral]
- Notes:
- [physical-nexus item 2]
Harm Pathway - Doxxing
- Enabling exposures (cross-ref § and item):
- Adversary capability assumed:
- Disrupting remediation:
Harm Pathway - Social Engineering / Pretext
- Enabling exposures:
- Adversary capability assumed:
- Disrupting remediation:
Harm Pathway - Account Takeover (ATO)
- Enabling exposures (credential breach + recovery vector):
- Adversary capability assumed:
- Disrupting remediation:
Harm Pathway - Physical Approach / Surveillance
- Enabling exposures (geotag / real-time leakage / pattern-of-life):
- Adversary capability assumed:
- Disrupting remediation:
Exposure Severity Register (working)
Populate here during collection; migrate to §14 register in the deliverable.
- [E-1 - exposure item]
- Likelihood (exploitability, 1–5):
- Impact (harm if used, 1–5):
- Inherent score (L×I):
- Band: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate 6–10 / Low 1–5]
- Remediation:
- Residual score:
- [E-2]
08 · Attribution & Threat Actors
Who may be targeting or monitoring the principal, and what their likely capability and intent are. Attribution here is adversary-side context for weighting harm-pathway likelihood. Full adversary investigation is deferred to OSINT-004 / OSINT-051. → feeds §3 Key Judgments (KJ likelihood column), §13 Harm Pathways, §17 ACH, §18 KAC.
Known or Suspected Threat Context
- Threat category: [e.g., stalker / domestic / criminal / corporate adversary / activist / state]
- Known prior incidents:
- Online chatter / threat signals observed:
- Source grade:
Adversary Capability Assessment (for pathway weighting)
- Technical capability assumed: [Sophisticated / Moderate / Low]
- OSINT capability assumed:
- Basis for assessment:
ACH Working Notes
→ feeds §17 Analysis of Competing Hypotheses.
- H1 (working hypothesis on exploitability):
- H2 (alternative):
- Most diagnostic evidence collected:
- Evidence inconsistent with primary hypothesis:
Key Assumptions (for KAC)
→ feeds §18 Key Assumptions Check.
- [assumption - e.g. selector enumeration is complete]
- Basis:
- Confidence:
- Impact if wrong:
- [assumption 2]
99 · Collection Admin
Working register - audit trail behind the deliverable. Not a deliverable section itself.
Source Register
Every material datum traceable to a graded source. Admiralty two-axis code: Reliability A–F / Credibility 1–6.
- [S-1 - source / item]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F):
- Credibility (1–6):
- Date accessed:
- Notes:
- [S-2]
Evidence Archive
Captures support §15 Verified Findings and Appendix D chain-of-custody pointer.
- [screenshot / archive ref - URL + timestamp + hash]:
- Capture method:
- Stored at:
Broker-Removal Register
Tracks opt-out / suppression actions. → feeds §9 and Appendix E.
- [broker / aggregator]
- Fields exposed:
- Opt-out method:
- Date submitted:
- Date confirmed removed:
- Re-appearance check due:
Open Gaps / RFIs
→ feeds §19 Collection Gaps & RFIs in the deliverable.
- [unresolved selector or platform - impact on assessment - recommended lawful collection - priority]
- [suspected but unconfirmed broker listing]
- [platform inaccessible via lawful open means]
Remediation Tracker (pre-report)
Seed for §20 Remediation Plan. Tracks items identified during collection for analyst review before finalizing.
- [remediation item]
- Lane: [suppress / harden / behavioral]
- Owner:
- Priority: [Critical / High / Elevated / Moderate / Low]
- Dependency / sequencing:
- Status: [Open / In Progress / Complete]