An OSINT workstation is not about how many tools you have installed. It is about discipline — keeping investigations compartmented, not contaminating sock-puppet accounts with your personal cookies, and producing evidence a lawyer or a threat-intel lead can actually use. Here is the setup I run.
The Base
A laptop dedicated to OSINT. Not your work machine. Not your personal daily driver. A ThinkPad T14 with 32 GB RAM running Ubuntu 24.04 LTS is overkill and underpriced at around $600 refurbished. Full-disk encryption with LUKS at install time. No single-sign-on to any of your real identities on this machine. Ever.
If you cannot dedicate hardware, do it in a Qubes 4.2 AppVM or a Whonix Workstation — both give you real compartmentalization. Just do not do OSINT from the same browser profile you check your Gmail from.
Compartmentalized Browsers
Firefox with the Multi-Account Containers extension. One container per investigation. Each container has its own cookies, localStorage, and — with the Containerise addon — an optional proxy rule that forces that container through a specific exit node.
Containers I keep permanent:
- Recon-Clean: No logins, cache disabled, used for first looks at unknown domains.
- Sock-A, Sock-B, Sock-C: Three persistent fake-persona accounts on major platforms. Each with its own Protonmail, its own phone number from MySudo, and a consistent browser fingerprint.
- Case-NNNN: A disposable container spun up per case and nuked when the case closes.
Never cross-log Sock-A into the Case-NNNN container. That is how investigations get burned.
The VPN Stack
Two layers. ProtonVPN or Mullvad on the host (WireGuard, paid in cash or Monero if you are serious). A second VPN inside a specific container for sensitive recon — I use IVPN's multi-hop feature. For anything truly sensitive, bump to Whonix + Tor.
Rule of thumb: the target should never see an IP that ties back to a residential or corporate range you care about. Verify with ipleak.net inside each container before the session starts.
The Tools
- Maltego CE (free tier): Graph-based pivoting. 12 entities per transform is limiting but fine for small cases. The Community transforms plus a free CaseFile license covers a surprising amount.
- SpiderFoot HX or the free SpiderFoot OSS: Automated enumeration against a target. I run it inside a Docker container bound to the case's VPN interface. The free version with API keys for Shodan, Censys, HIBP, and SecurityTrails (all have free tiers) is powerful.
- theHarvester: Email and subdomain enumeration. Still essential.
- Sherlock: Username pivot across social platforms. False positives happen; verify manually.
- yt-dlp and gallery-dl: For archiving media from social platforms while you still can.
- Obsidian: The case notebook. One vault per case, timestamped Markdown notes, inline screenshots. Git-encrypt the vault with git-crypt for longer-lived cases.
Screenshot Hygiene
A screenshot that is not time-stamped, URL-bar-visible, and hash-committed is not evidence. It is a JPEG.
My standard: Firefox extension "FireShot" set to capture the entire page including the URL bar. Save as PDF/A for archival. Immediately hash:
sha256sum case-0042/screenshots/*.pdf >> case-0042/manifest.txt
git add case-0042/ && git commit -m "capture: target profile 2026-02-22T14:03Z"
The git commit timestamp plus the content hash gives you a chain of custody that holds up. For high-stakes work, timestamp the manifest with an RFC 3161 trusted timestamping service — opentimestamps.org is free and uses Bitcoin as its anchor.
Case File Workflow
Every case goes in the same directory structure:
case-NNNN-shortname/
    00-brief.md       # what was asked, by whom, scope
    01-targets.md     # seed selectors (email, domain, handle)
    02-timeline.md    # investigation log, chronological
    03-findings.md    # confirmed facts with citations
    screenshots/
    exports/          # Maltego .mtgx, SpiderFoot .csv
    manifest.txt      # hashes of every artifact
    README.md         # cover sheet for handover
When the case closes, zip, encrypt with a per-case key, and store offline. Destroy the working copy. Keep only the encrypted archive and the key in your password manager.
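The layout above and the manifest hashing from the screenshot section, as a small set of shell functions. This is an added example, not part of the original post; it assumes GNU coreutils (sha256sum, find -print0) and, unlike the append in the screenshot section, rebuilds manifest.txt from scratch with relative sorted paths so it verifies after the archive is moved.

```shell
#!/usr/bin/env bash
# Added example: case directory skeleton plus manifest build/verify.
# Assumes GNU coreutils; artifacts live under screenshots/ and exports/.
set -u

# case_init DIR: lay out the case directory with its cover files.
case_init() {
    local dir=$1
    mkdir -p "$dir/screenshots" "$dir/exports"
    for f in 00-brief.md 01-targets.md 02-timeline.md 03-findings.md README.md; do
        [ -e "$dir/$f" ] || printf '# %s\n' "${f%.md}" > "$dir/$f"
    done
    : > "$dir/manifest.txt"
}

# manifest_update DIR: rebuild manifest.txt from every artifact under
# screenshots/ and exports/. Paths are relative to DIR and sorted, so the
# manifest is reproducible and survives NUL-safe for odd filenames.
manifest_update() {
    local dir=$1
    ( cd "$dir" && find screenshots exports -type f -print0 \
        | LC_ALL=C sort -z | xargs -0 -r sha256sum > manifest.txt )
}

# manifest_verify DIR: re-hash every listed artifact. Non-zero exit means a
# file is missing, altered, or the manifest is empty (an empty manifest is
# rejected by sha256sum, which is the right answer for evidence).
manifest_verify() {
    local dir=$1
    ( cd "$dir" && sha256sum --check --quiet --strict manifest.txt )
}
```

Run manifest_update after every capture and manifest_verify before handover; commit manifest.txt with the same git step as in the screenshot section.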
What Not to Do
- Do not log into any real account from the OSINT browser. Even once.
- Do not reuse sock puppet identities across cases.
- Do not skip the VPN "just to check one thing."
- Do not store case files on Dropbox, iCloud, or Google Drive unencrypted.
The workstation is 20% of the job. The discipline of using it correctly every single time is the other 80%. Build it once, document your procedure, and follow it even when the target "is probably nobody." That is the case where sloppiness bites.