OSINT Investigation Guides
Practical guides for IP evidence, email analysis, image forensics, username enumeration, and timestamp decoding.
IP Evidence Guides
A framework for using IP address evidence responsibly — accuracy, context, and defensibility.
IP Addresses Identify Networks, Not Individuals
The critical distinction for responsible interpretation.
Why IP Address Location Is Often Wrong
Understanding the limitations of IP geolocation data.
Why IP Address Evidence Must Be Time-Bound
Why timing matters for IP evidence accuracy.
What Makes an IP Lookup Report Court-Ready
Preservation requirements for defensible evidence.
Interpreting VPN, Proxy, and Tor IP Evidence
How anonymization affects IP evidence interpretation.
Why Ad-Supported IP Lookup Tools Are Risky
How ads and tracking undermine evidence quality.
How to Corroborate IP Evidence in OSINT Investigations
Validating IP data with multiple independent sources.
How IP Evidence Is Used in Court
How courts view and evaluate IP address evidence.
OSINT Tool Guides
Step-by-step guides for email header analysis, image forensics, username enumeration, and timestamp decoding.
How to Detect a Spoofed Email — Step by Step
Analyze email headers to identify spoofing indicators.
What Is EXIF Data and Why It Matters for Investigations
Extract GPS, timestamps, and device info from image metadata.
How to Find Someone's Online Accounts by Username
Map online presence across platforms using username enumeration.
Timestamp Forensics: How Hidden Timestamps Reveal Online Activity
Decode hidden timestamps in URLs, platform IDs, and metadata.
How DNS Records Reveal Website Infrastructure
Use DNS data to map hosting, email providers, CDN usage, and security posture.
Why a Domain's IP Might Not Show Where It's Hosted
Understanding layered infrastructure — CDNs, reverse proxies, and partial migrations.
Why Different DNS Tools Show Different IPs
DNS load balancing and anycast routing — why varying results are expected, not errors.
Free OSINT Tools
Every guide pairs with a free tool. Each runs in your browser with a free Forensic OSINT account.
IP Lookup
Geolocation, ISP, VPN/proxy detection, and digitally signed PDF reports with timestamped results for court-ready evidence.
Look up an IP address →Email Header Analyzer
Paste raw headers or drop an .eml file to visualize routing paths, SPF/DKIM/DMARC results, and extracted IP addresses.
Analyze email headers →Image Metadata Analyzer
Drop any image to extract EXIF data including GPS coordinates, timestamps, camera details, and all embedded metadata.
Analyze image metadata →Username Search
Search over 500 platforms at once to map a person's online presence across social media, forums, and communities.
Search a username →Timestamp Decoder
Paste a URL, source code, or raw value to find and interpret hidden timestamps in over a dozen formats.
Decode timestamps →Domain to IP Lookup
Resolve DNS records, detect CDN providers, identify email infrastructure, and parse SPF/DMARC policies for any domain.
Look up a domain →Frequently Asked Questions
Anyone who works with IP address data in an investigative context — OSINT analysts, fraud investigators, legal professionals, law enforcement, and IT security teams. The guides assume basic familiarity with IP addresses but explain the nuances that trip people up in practice.
No. Each guide is self-contained. That said, starting with "IP Addresses Identify Networks, Not Individuals" gives you the conceptual foundation that the other guides build on. The investigation phases section on this page suggests a logical reading order if you want one.
It depends on the type of connection. Residential broadband IPs usually resolve to the correct city or metro area. Mobile IPs can be off by hundreds of miles. VPN and proxy IPs tell you where the server is, not where the person is. The "Why IP Address Location Is Often Wrong" guide covers the specific failure modes.
Not on its own. An IP address identifies a network connection, which could be shared by a household, an office, a coffee shop, or a mobile carrier tower serving thousands of people. Identifying a person requires additional evidence and, in most cases, legal process through the ISP.
Documented methodology, timestamped results, digital signatures proving the report has not been altered, and clear sourcing. Screenshots from ad-supported websites generally do not meet this bar. The "What Makes an IP Lookup Report Court-Ready" guide walks through the specific requirements.
They mask the user's actual IP address. When someone uses a VPN, the IP you see belongs to the VPN provider's server, not the person. Detecting this is important because it prevents you from drawing wrong conclusions about physical location. The IP Lookup tool flags known VPN, proxy, and Tor exit nodes automatically.
IP addresses get reassigned. The IP that belonged to one subscriber yesterday might belong to someone else today. If you run a lookup weeks after the activity you are investigating, the results may no longer match. Capture and preserve IP data as close to the time of the observed activity as possible.
The IP Lookup tool generates signed PDF reports, the Timestamp Decoder helps with timeline reconstruction, the Email Header Analyzer traces email routing paths and extracts IPs, and the Username Search maps online presence across 500+ platforms. All of them are free and run in your browser.
Yes. IP allocation practices, court standards, and geolocation accuracy all shift over time. The guides are reviewed and updated to reflect current practices. If you notice something outdated, contact us and we will address it.
Yes. The guides are designed as reference material for OSINT training programs, university courses, and internal team onboarding. If you need them in a different format for classroom use, get in touch.
Start Your Investigation
Free OSINT tools for IP lookup, email analysis, image forensics, username search, and timestamp decoding.
