[DIGITAL IDENTITY / PRINCIPAL] - Collection Map

OSINT-055 Digital Footprint & Exposure Assessment - collection workspace. Central topic = the principal’s digital identity and attack surface. Branches are the data-point categories for this digital-footprint & exposure assessment. Drop each collected value as a child node; expand with where found. Paste raw tool output into node Notes. → feeds deliverable OSINT-055. Consent-based, lawful open-source collection only. No account access; no breach-data exfiltration. All findings are time-bound to the stated assessment window.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer. Tick each EEI as satisfied. → drives §3 Key Judgments, §4 PIRs, §15 Verified Findings Summary, §19 Collection Gaps.

PIR-1 - Physical-Nexus: What home/location data is openly discoverable and through which sources?

  • EEI: primary residential address surfaced via data-broker / people-search listings
  • EEI: secondary residences or property records tied to the principal
  • EEI: geotag / check-in / live-stream leakage enabling real-time location inference
  • EEI: vehicle or registration hints discoverable via open sources
  • EEI: routine or pattern-of-life signals surfaced from social posts

PIR-2 - Credential & Breach: Which of the principal’s selectors appear in breach corpora, and what data classes are exposed?

  • EEI: email addresses confirmed in public breach-exposure checks
  • EEI: data classes implicated (password hash, plaintext, security-Q, SSN fragment, DOB)
  • EEI: credential reuse risk across critical accounts (email, financial, SSO)
  • EEI: recency of the most recent exposure event

PIR-3 - Social Media: What does the principal’s social footprint expose and to whom?

  • EEI: all attributable platform accounts enumerated with privacy-setting posture
  • EEI: overexposed routine / location / relationship / travel content identified
  • EEI: image-metadata / geolocation leakage in posted media
  • EEI: connection-graph reachability (what adversary can infer from followers/connections)

PIR-4 - Technical & Infrastructure: What externally visible technical surface is tied to the principal?

  • EEI: personal domains registered and WHOIS/registration data exposure
  • EEI: self-hosted services or public-facing IP/hostname leakage
  • EEI: open-source service banners discoverable via passive means

PIR-5 - Harm Pathways: How do enumerated exposures chain into concrete attack scenarios?

  • EEI: doxxing pathway - exposures enabling home-address deanonymization
  • EEI: social-engineering / pretext pathway - exposures enabling impersonation or lure
  • EEI: account-takeover (ATO) pathway - credential reuse + recovery-vector exposure
  • EEI: physical-approach / surveillance pathway - real-time or near-real-time location leakage

Collection gaps / RFIs (running)

  • [open selector - unresolved handle / phone / email] → route to §19
  • [suspected broker listing not confirmed] → verify via manual opt-out check
  • [platform inaccessible via lawful open means] → note as coverage gap in §19

01 · Identity Anchor

Establish the principal’s identity before any exposure is attributed - every downstream finding is only as good as the selector→principal link. → feeds §6 Identity & Selector Inventory.

  • Full legal name:
  • Name variants / former names:
  • Nicknames / AKAs:
  • Native-script / transliterations:

Biographic Anchors (for disambiguation)

  • DOB / YOB:
  • City / region of residence (general):
  • Role / public-profile level:
  • Threat context / reason for assessment:

Identity-Resolution Confidence Statement

  • Same-name candidates identified & excluded:
  • Misattribution risk (common name / shared identifier): [High / Medium / Low]
  • Overall selector→principal confidence: [Confirmed / Probable / Possible]

02 · Selectors & Accounts

The pivot core of the assessment. Each selector is its own clonable block. Clone per value. → feeds §6 Identity & Selector Inventory, §7 Surface-Web Footprint, §8 Social Media.

Email Addresses

→ feeds §6, §10 Credential & Breach Exposure. Tool hints: holehe, h8mail, hunter.io, have-i-been-pwned (lawful check only).

  • [email - e.g. principal@domain.com]
    • Linked accounts (account-discovery):
    • Breach / paste appearances:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [email 2]

Usernames / Handles

→ feeds §6, §7, §8. Tool hints: sherlock, whatsmyname, idcrawl - lawful public enumeration only.

  • [handle - e.g. principal_handle]
    • Platforms / where found (URL):
    • Linked email(s):
    • Linked phone(s):
    • Other accounts reusing this handle:
    • Privacy posture per platform: [Open / Partial / Locked]
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [handle 2]

Phone Numbers

→ feeds §6, §9 Data-Broker Exposure. Tool hints: truecaller, sync.me (public lookup only).

  • [number - e.g. +1 555-0199]
    • Type / carrier: [Mobile / Landline / VoIP]
    • Linked accounts / apps (WhatsApp / Telegram public presence):
    • Data-broker listings surfacing this number:
    • Where found (source + URL):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [number 2]

Personal Domains / Web Properties

→ feeds §11 Technical & Infrastructure Footprint. Tool hints: whois, who.is, viewdns.info.

  • [domain - e.g. principalname.com]
    • Registrant / WHOIS exposure:
    • Hosting / IP:
    • Historical registrant data (WHOIS history):
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Notes / tool output:
  • [domain 2]

03 · Credential & Breach Exposure

Exposure of the principal’s selectors in known public breach corpora - lawful exposure-checking only (no acquisition, decryption, or use of breached secrets). → feeds §10 Credential & Breach Exposure, §13 Exposure-to-Harm Pathways (ATO pathway).

Breach Exposures

Tool hints: have-i-been-pwned API (lawful public check), DeHashed public lookup, Snusbase public check. No exfiltration or download of breached datasets.

  • [exposed selector - e.g. email / phone]
    • Breach / exposure class (source dataset name):
    • Data classes implicated: [e.g., email+password-hash / plaintext / security-Q / DOB / SSN-fragment]
    • Breach date / disclosure date:
    • Reuse / ATO risk assessment: [Critical / High / Elevated / Moderate / Low]
    • Source grade:
    • Notes / tool output:
  • [exposed selector 2]

Paste / Public-Dump Appearances

  • [paste site + reference]:
    • Content (data class only, no secrets):
    • Date:
    • Source grade:
    • Notes / tool output:

Credential-Reuse Risk Mapping

  • Critical accounts at risk (email providers / banking / SSO):
  • MFA enrolled on critical accounts (as far as lawfully observable):
  • Recovery-vector exposure (recovery email / phone exposed in breach):

04 · Dark-Web Presence

Mentions, listings, or trade of the principal’s PII or credentials on dark-web markets, forums, or leak sites - assessed via lawful passive means. Deep dark-web / forum trade analysis is deferred to OSINT-058. → feeds §10 Credential & Breach Exposure, §16 Red Flag Indicators.

Dark-Web Mention / Listing

Tool hints: lawful dark-web monitoring services (Constella, SpyCloud public layer, open leak-site aggregators) - no purchase or interaction with criminal infrastructure.

  • [mention / listing reference]
    • Platform / site type: [market / forum / leak site / paste aggregator]
    • Data class referenced:
    • Date observed:
    • Threat context (who posted, what claimed):
    • Red-flag level: [Critical / High / Elevated]
    • Source grade:
    • Notes / tool output:
  • [mention 2]

Leaked-Document / Dox Threads

  • [thread / post reference]:
    • Content summary (no PII):
    • Origination date:
    • Still accessible / mirrored:

05 · Digital Footprint & PII Exposure

Open, surface-web discoverable PII - general search, data-broker / people-search aggregators, directory listings, cached / archived content, image results. → feeds §7 Surface-Web Footprint, §9 Personal-Data-Broker & People-Search Exposure, §12 Physical-Nexus Exposure.

Surface-Web Footprint Items

Tool hints: Google / Bing / DuckDuckGo dorking, Google Cache, Wayback Machine, archive.ph.

  • [footprint item - e.g. bio page / directory listing / press mention]
    • Where discoverable (source class + URL):
    • Selector linked:
    • Sensitivity: [High / Medium / Low]
    • Removable?: [Yes / No / Partial]
    • Notes:
  • [footprint item 2]

Data-Broker / People-Search Listings

Tool hints: manual review of Spokeo / WhitePages / Radaris / FastPeopleSearch / Intelius category - no paid query; lawful public-tier only.

  • [broker / aggregator class - e.g. address-aggregator]
    • Exposed fields: [home address / phone / relatives / DOB / property / email]
    • Cross-links (relatives / additional addresses surfaced):
    • Suppression / opt-out path:
    • Removal status: [Open / Submitted / Removed / Partial]
    • Notes:
  • [broker class 2]

Social Media Accounts (per platform)

Clone per platform. → feeds §8 Social Media & Networking Exposure.

  • [platform - e.g. LinkedIn / X / Instagram / Facebook / TikTok / YouTube]
    • Handle / URL:
    • Attribution confidence: [Confirmed / Probable / Possible]
    • Privacy posture: [Open / Partial / Locked]
    • Exposed elements: [location / routine / relationships / travel / home / media]
    • Image / geotag leakage:
    • Connection-graph exposure (followers / following visibility):
    • Notes:
  • [platform 2]

Cached / Archived Content

  • [archived URL - Wayback / cache ref]
    • Content:
    • Date of original:
    • Still live:

06 · Infrastructure

Externally visible technical surface tied to the principal: personal domains, IPs, self-hosted services, passive banner information. → feeds §11 Technical & Infrastructure Footprint.

Domain & WHOIS Exposure

Tool hints: whois, viewdns.info, dnsdumpster, SecurityTrails (passive/public tier), crt.sh for certificate transparency.

  • [domain / subdomain]
    • WHOIS registrant exposure (name / email / address visible):
    • Registrar:
    • Registration / expiry dates:
    • DNS records of note (MX / SPF / TXT revealing hosting):
    • Historical registrant data change:
    • Notes / tool output:
  • [domain 2]

IP / Hosting Exposure

Tool hints: Shodan (passive/public layer), Censys public, GreyNoise public - passive enumeration only.

  • [IP / hostname]
    • Associated service / banner:
    • Geolocation:
    • Linked to principal via:
    • Risk:
    • Notes / tool output:

Certificate Transparency

Tool hints: crt.sh, censys.io certificate search.

  • [certificate / SAN entry]:
    • Issued to / common name:
    • Issuer:
    • Date range:

Email Infrastructure (MX / SPF leakage)

  • [email infrastructure finding]:
    • What it exposes:

07 · Attack Surface & Vulnerabilities

How enumerated exposures combine into exploitable attack surface: physical-nexus enablement, social-engineering pre-text material, account-recovery vectors, and identity-aggregation risk. → feeds §13 Exposure-to-Harm Pathways, §14 Exposure Severity Register, §16 Red Flag Indicators.

Physical-Nexus Exposure Items

→ feeds §12 Physical-Nexus Exposure. Items that enable physical targeting or approach.

  • [physical-nexus item - e.g. home address in data broker + property record]
    • Source class:
    • What it enables (targeting value): [e.g., home approach / vehicle identification / routine prediction]
    • Severity: [Critical / High / Elevated / Moderate / Low]
    • Mitigation lane: [suppression / address-shielding / behavioral]
    • Notes:
  • [physical-nexus item 2]

Harm Pathway - Doxxing

  • Enabling exposures (cross-ref § and item):
  • Adversary capability assumed:
  • Disrupting remediation:

Harm Pathway - Social Engineering / Pretext

  • Enabling exposures:
  • Adversary capability assumed:
  • Disrupting remediation:

Harm Pathway - Account Takeover (ATO)

  • Enabling exposures (credential breach + recovery vector):
  • Adversary capability assumed:
  • Disrupting remediation:

Harm Pathway - Physical Approach / Surveillance

  • Enabling exposures (geotag / real-time leakage / pattern-of-life):
  • Adversary capability assumed:
  • Disrupting remediation:

Exposure Severity Register (working)

Populate here during collection; migrate to §14 register in the deliverable.

  • [E-1 - exposure item]
    • Likelihood (exploitability, 1–5):
    • Impact (harm if used, 1–5):
    • Inherent score (L×I):
    • Band: [Critical 21–25 / High 16–20 / Elevated 11–15 / Moderate 6–10 / Low 1–5]
    • Remediation:
    • Residual score:
  • [E-2]

08 · Attribution & Threat Actors

Who may be targeting or monitoring the principal, and what their likely capability and intent are. Attribution here is adversary-side context for weighting harm-pathway likelihood. Full adversary investigation is deferred to OSINT-004 / OSINT-051. → feeds §3 Key Judgments (KJ likelihood column), §13 Harm Pathways, §17 ACH, §18 KAC.

Known or Suspected Threat Context

  • Threat category: [e.g., stalker / domestic / criminal / corporate adversary / activist / state]
  • Known prior incidents:
  • Online chatter / threat signals observed:
  • Source grade:

Adversary Capability Assessment (for pathway weighting)

  • Technical capability assumed: [Sophisticated / Moderate / Low]
  • OSINT capability assumed:
  • Basis for assessment:

ACH Working Notes

→ feeds §17 Analysis of Competing Hypotheses.

  • H1 (working hypothesis on exploitability):
  • H2 (alternative):
  • Most diagnostic evidence collected:
  • Evidence inconsistent with primary hypothesis:

Key Assumptions (for KAC)

→ feeds §18 Key Assumptions Check.

  • [assumption - e.g. selector enumeration is complete]
    • Basis:
    • Confidence:
    • Impact if wrong:
  • [assumption 2]

99 · Collection Admin

Working register - audit trail behind the deliverable. Not a deliverable section itself.

Source Register

Every material datum traceable to a graded source. Admiralty two-axis code: Reliability A–F / Credibility 1–6.

  • [S-1 - source / item]
    • Type: [Primary / Secondary / Tertiary]
    • Reliability (A–F):
    • Credibility (1–6):
    • Date accessed:
    • Notes:
  • [S-2]

Evidence Archive

Captures support §15 Verified Findings and Appendix D chain-of-custody pointer.

  • [screenshot / archive ref - URL + timestamp + hash]:
    • Capture method:
    • Stored at:

Broker-Removal Register

Tracks opt-out / suppression actions. → feeds §9 and Appendix E.

  • [broker / aggregator]
    • Fields exposed:
    • Opt-out method:
    • Date submitted:
    • Date confirmed removed:
    • Re-appearance check due:

Open Gaps / RFIs

→ feeds §19 Collection Gaps & RFIs in the deliverable.

  • [unresolved selector or platform - impact on assessment - recommended lawful collection - priority]
  • [suspected but unconfirmed broker listing]
  • [platform inaccessible via lawful open means]

Remediation Tracker (pre-report)

Seed for §20 Remediation Plan. Tracks items identified during collection for analyst review before finalizing.

  • [remediation item]
    • Lane: [suppress / harden / behavioral]
    • Owner:
    • Priority: [Critical / High / Elevated / Moderate / Low]
    • Dependency / sequencing:
    • Status: [Open / In Progress / Complete]