Difficulty: 📕 Advanced (comprehensive reference case)
Best For: Understanding complete investigation structure
Time to Review: 2-3 hours
- 📋 [[00-Case-Overview|Case Overview & Summary]]
- 👤 [[01-Subject-Profiles|Subject Profiles & Dossiers]]
- 📊 [[02-Collection-Log|Evidence Collection Log]]
- 📁 Evidence Files: 03-Evidence/
- 📄 Reports: 04-Reports/
- 🗂️ Admin: 05-Admin/
Case Number: 2025-001
Status: 🟢 Active (Example)
Type: Social Media Fraud / Cryptocurrency Scam
Priority: Medium
Estimated Loss: $75,000-$150,000 USD
Threat Actor: "Alex Morgan" (pseudonym)
- Twitter: @crypto_scammer_example
- Telegram: @crypto_alex_official
- Instagram: @crypto.alex.trades (suspended)
Key Findings:
- Impersonation of verified crypto influencer
- Phishing website (crypto-presale-exclusive[.]com) - now taken down
- 50+ victims identified
- Funds laundered through Tornado Cash mixer
```text
2025-001-Example-Investigation/
│
├── 00-Case-Overview.md       ← Start here
├── 01-Subject-Profiles.md    ← Threat actor details
├── 02-Collection-Log.md      ← Evidence tracking
├── README.md                 ← This file
│
├── 03-Evidence/              ← All collected evidence
│   ├── screenshots/
│   │   ├── twitter/
│   │   ├── instagram/
│   │   └── telegram/
│   ├── domains/
│   │   ├── whois-crypto-presale.txt
│   │   └── dns-history.json
│   ├── social-media/
│   │   └── instagram-archive.html
│   ├── blockchain/
│   │   ├── wallet-txlist.json
│   │   └── tx-graph.png
│   ├── victim-reports/
│   │   ├── victim-001-dm.png
│   │   └── interviews/
│   └── network/
│       └── passive-dns.json
│
├── 04-Reports/               ← Investigation reports
│   ├── final-report.md (pending)
│   ├── executive-summary.pdf (pending)
│   └── evidence-package.zip (pending)
│
└── 05-Admin/                 ← Case administration
    ├── engagement-letter.pdf
    ├── evidence-hashes.txt
    ├── chain-of-custody.pdf
    └── case-notes.md
```
This dummy case demonstrates:
- Proper case file structure for OSINT investigations
- Evidence collection and documentation best practices
- Subject profiling techniques for social media threat actors
- Timeline reconstruction from digital evidence
- Legal and ethical considerations throughout investigation
You can use this case as a template for real investigations:
- Copy the directory structure
- Replace dummy data with real evidence
- Follow the same documentation format
- Maintain chain of custody and hashing procedures
- Reference appropriate SOPs from the vault
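The template steps above (copy the directory structure, then keep evidence hashed and under chain of custody) can be scripted. The following is an added example written for this page, not a script from the vault: it builds the 03-Evidence/04-Reports/05-Admin skeleton shown in the tree, writes a SHA-256 manifest in the form of 05-Admin/evidence-hashes.txt, and re-verifies it so that modified, missing or unlogged evidence files are reported. The sample evidence contents it drops in are constructed for the demo; only the path names come from the tree.

```python
"""Case skeleton + evidence-hash manifest helper (added example, not vault code)."""
import hashlib
import tempfile
from pathlib import Path

# Subdirectories taken from the case tree; 00-02 are single notes, so not listed.
CASE_DIRS = [
    "03-Evidence/screenshots/twitter",
    "03-Evidence/screenshots/instagram",
    "03-Evidence/screenshots/telegram",
    "03-Evidence/domains",
    "03-Evidence/social-media",
    "03-Evidence/blockchain",
    "03-Evidence/victim-reports/interviews",
    "03-Evidence/network",
    "04-Reports",
    "05-Admin",
]
MANIFEST = "05-Admin/evidence-hashes.txt"


def create_case_skeleton(root: Path) -> list[Path]:
    """Create the template layout under root; returns the directories created."""
    created = []
    for rel in CASE_DIRS:
        d = root / rel
        d.mkdir(parents=True, exist_ok=True)
        created.append(d)
    return created


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (evidence may be large screenshots/archives)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(root: Path) -> dict[str, str]:
    """Hash every file under 03-Evidence and write 'sha256  relative/path' lines."""
    hashes = {}
    for p in sorted((root / "03-Evidence").rglob("*")):
        if p.is_file():
            hashes[p.relative_to(root).as_posix()] = sha256_file(p)
    manifest = root / MANIFEST
    manifest.parent.mkdir(parents=True, exist_ok=True)
    manifest.write_text("".join(f"{h}  {rel}\n" for rel, h in hashes.items()), encoding="utf-8")
    return hashes


def verify_manifest(root: Path) -> dict[str, list[str]]:
    """Re-hash evidence against the manifest; buckets: ok / modified / missing / unlisted."""
    result = {"ok": [], "modified": [], "missing": [], "unlisted": []}
    recorded = {}
    for line in (root / MANIFEST).read_text(encoding="utf-8").splitlines():
        if line.strip():
            digest, rel = line.split("  ", 1)
            recorded[rel] = digest
    for rel, digest in recorded.items():
        p = root / rel
        if not p.exists():
            result["missing"].append(rel)
        elif sha256_file(p) != digest:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    # Files present on disk but never logged break the custody chain too.
    for p in sorted((root / "03-Evidence").rglob("*")):
        if p.is_file() and p.relative_to(root).as_posix() not in recorded:
            result["unlisted"].append(p.relative_to(root).as_posix())
    return result


def run_demo() -> dict[str, list[str]]:
    """Build a throwaway case, hash constructed sample evidence, then tamper and verify."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        create_case_skeleton(root)
        (root / "03-Evidence/domains/whois-crypto-presale.txt").write_text("constructed whois sample\n")
        (root / "03-Evidence/network/passive-dns.json").write_text('{"sample": true}\n')
        write_manifest(root)
        # Simulate an edit made after hashing, and a file added without being logged.
        (root / "03-Evidence/network/passive-dns.json").write_text('{"sample": false}\n')
        (root / "03-Evidence/blockchain/wallet-txlist.json").write_text("[]\n")
        return verify_manifest(root)


if __name__ == "__main__":
    for bucket, files in run_demo().items():
        print(f"{bucket}: {files}")
```

Run `write_manifest` immediately after each collection session and `verify_manifest` before packaging 04-Reports/evidence-package.zip; any entry outside the `ok` bucket needs a corresponding line in the collection log before the package goes to law enforcement.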
This example case demonstrates the application of these SOPs:
Legal & Ethics:
- [[../../Investigations/Techniques/sop-legal-ethics|Legal & Ethics SOP]] - Authorization, data protection
- [[../../Investigations/Techniques/sop-sensitive-crime-intake-escalation|Sensitive Crime Escalation]] - Law enforcement referral
Operational Security:
- [[../../Investigations/Techniques/sop-opsec-plan|OPSEC Planning]] - Investigator protection
Platform-Specific:
- [[../../Investigations/Platforms/sop-platform-twitter-x|Twitter/X OSINT]] - Social media analysis
- [[../../Investigations/Platforms/sop-platform-telegram|Telegram OSINT]] - Messaging platform investigation
Technical Analysis:
- [[../../Investigations/Techniques/sop-web-dns-whois-osint|Web, DNS & WHOIS]] - Domain/infrastructure analysis
- [[../../Investigations/Techniques/sop-financial-aml-osint|Financial & AML]] - Cryptocurrency tracking
- [[../../Investigations/Techniques/sop-image-video-osint|Image & Video OSINT]] - Profile picture analysis
Documentation:
- [[../../Investigations/Techniques/sop-collection-log|Collection Logging]] - Evidence tracking
- [[../../Investigations/Techniques/sop-entity-dossier|Entity Dossier Building]] - Subject profiling
- [[../../Investigations/Techniques/sop-reporting-packaging-disclosure|Reporting & Disclosure]] - Final report preparation
| Date | Milestone |
|---|---|
| 2024-11-28 | Fake Twitter account created |
| 2024-12-15 | Phishing domain registered |
| 2024-12-20 | First victim deposits funds |
| 2025-01-10 | Investigation initiated |
| 2025-01-12 | Instagram account suspended |
| 2025-01-13 | Phishing domain taken down |
| 2025-01-15 | Case file created |
- 3 social media accounts across Twitter, Instagram, Telegram
- 1 phishing domain (now suspended)
- 52 blockchain transactions totaling 87.3 ETH
- 15 victim statements with supporting evidence
- Timezone: UTC+3 (Eastern Europe suspected)
- Language: Non-native English speaker
- Infrastructure: Tor, ProtonMail, Cloudflare (anonymity-focused)
- Technical skill: Medium (can clone websites, use privacy tools)
- Victim count: 50+ identified
- Total stolen: ~$150,000 USD equivalent
- Recovery potential: Low (funds laundered through mixer)
- Complete victim interviews (5 pending)
- Prepare evidence package for law enforcement
- File IC3 report (FBI Internet Crime Complaint Center)
- Coordinate with platforms for additional account takedowns
- Monitor for rebranding (suspect likely to create new personas)
After reviewing this case, you should understand:
✅ How to structure and organize an OSINT investigation
✅ Proper evidence collection and documentation procedures
✅ Building comprehensive subject profiles from public data
✅ Blockchain analysis for cryptocurrency fraud investigations
✅ Legal and ethical boundaries in OSINT work
✅ Timeline reconstruction from multiple data sources
✅ Preparing evidence for law enforcement handoff
This is a fictional case created for training purposes.
- All names, handles, addresses, and transaction hashes are invented
- The threat actor "Alex Morgan" does not exist
- No real individuals were harmed or defrauded
- Domain names and IP addresses are examples only
- Any resemblance to real persons or cases is coincidental
Do not attempt to contact or investigate any entities mentioned in this case.
This example case is part of the OSINT & Security Reference Library.
For more information:
- Return to [[../../README|Main Index]]
Case Created: 2025-01-15
Last Updated: 2025-01-15
Status: 📚 Training Material
Classification: UNCLASSIFIED / EXAMPLE