Phase 3

Analysis

Corroborate findings, model alternative explanations, and test each claim against the evidence that would disprove it.

Analysis is the phase that separates an investigator from a collector. Anyone with patience can pile up documents. Analysis is what turns the pile into a finding — or, more often and more usefully, into a specific admission of what the evidence cannot yet support.

The phase has three jobs: corroborate each claim across independent sources, structure the relationships between entities and events so they can be reasoned about, and deliberately attack your own hypothesis with the evidence that would falsify it.

Corroboration, not accumulation

One source is a lead. Two independent sources pointing at the same fact is a finding. Three is a finding you can cite with confidence. The word doing the work here is independent. Two news articles citing the same press release are one source. Two tweets quoting the same original tweet are one source. Independence is not multiplicity; it is the absence of a common upstream.

In practice, trace every claim you intend to publish back to its primary source. If you cannot reach a primary source, mark the claim as derivative in your notes and downgrade its evidentiary weight. If two paths to the same claim turn out to collapse into one, downgrade accordingly. Most of the errors in circulated OSINT analysis come from treating dependent corroboration as independent.

Triangulation across source classes

Stronger still than two independent sources of the same class is triangulation across classes. A corporate filing, a press mention, and a domain registration that all place the same person at the same company at the same time tell a coherent story in a way that three press mentions do not. Where possible, build each finding from at least two different classes of evidence: primary government record, secondary reporting, technical artefact, first-party statement.
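The two rules above, collapsing dependent citations to a common upstream and then counting evidence classes, can be made mechanical against a collection log. The following is an added illustration, not the guide's own tooling; the source records, the class names and the grading thresholds are constructed assumptions.

```python
"""Grade a claim by the number of independent upstream sources behind it and
the number of evidence classes it draws on.  Added illustration; the source
records, class names and grading thresholds are constructed assumptions."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Source:
    """One entry in the collection log."""
    sid: str
    klass: str                          # evidence class, e.g. "press", "technical"
    derived_from: Optional[str] = None  # sid this item repeats, if it is derivative


def root_of(sid: str, sources: dict) -> str:
    """Follow derived_from links until a primary (non-derivative) source."""
    seen = set()
    while sources[sid].derived_from is not None:
        if sid in seen:
            raise ValueError(f"provenance cycle at {sid}")
        seen.add(sid)
        sid = sources[sid].derived_from
    return sid


def grade_claim(cited: list, sources: dict) -> dict:
    """Collapse cited sources to their roots, then grade on what remains."""
    roots = {root_of(s, sources) for s in cited}
    classes = {sources[r].klass for r in roots}
    n = len(roots)
    label = "lead" if n <= 1 else "finding" if n == 2 else "finding (cite with confidence)"
    return {
        "independent_roots": sorted(roots),
        "collapsed": len(cited) - n,           # citations that shared an upstream
        "classes": sorted(classes),
        "triangulated": len(classes) >= 2,     # spans at least two evidence classes
        "label": label,
    }


# Constructed collection log: two articles and a tweet all repeat one press release.
SOURCES = {s.sid: s for s in [
    Source("PR1", "first_party"),                      # company press release
    Source("A1", "press", derived_from="PR1"),
    Source("A2", "press", derived_from="PR1"),
    Source("T1", "social", derived_from="A1"),
    Source("F1", "government_record"),                 # corporate filing
    Source("W1", "technical"),                         # domain registration record
]}

if __name__ == "__main__":
    print(grade_claim(["A1", "A2", "T1"], SOURCES))    # three citations, one root: a lead
    print(grade_claim(["A1", "F1", "W1"], SOURCES))    # three roots across three classes
```

The `collapsed` count is the number you should be most suspicious of in your own notes: it is how many citations looked like corroboration until their upstream was traced.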

Structuring the evidence

Unstructured notes do not scale past a handful of entities. Invest in a minimal structure early:

  • An entity list — every person, organisation, address, domain, account, vessel, or account number you have seen. Each entity gets an identifier that is stable across your notes.
  • A relationship log — directed links between entities, each one backed by one or more evidence identifiers from the collection log.
  • A timeline — dated events, with source references, allowing you to spot sequence and gaps.

For link-heavy investigations, a dedicated tool like Maltego or a graph database is worth the setup cost. For most investigations, a three-tab spreadsheet is plenty. The discipline matters more than the tooling; fancy software applied to sloppy structure produces confident-looking nonsense.

Testing alternatives

The analytic step most beginners omit is the adversarial one. For every finding, ask: what alternative explanation could produce the same evidence, and what evidence would rule that alternative out?

A common trap: concluding that two social media accounts belong to the same person because they post similar content from the same city. Alternative explanations include shared interests, a shared workplace, a shared ghostwriter, or a deliberate attempt to create an appearance of connection. Ruling the alternatives out requires evidence that only one of the hypotheses predicts — a shared device fingerprint, overlapping private-but-leaked metadata, an admission.

Write the alternative explanations down. A finding that survives written alternatives is stronger than a finding that has only been mentally considered.
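Writing the alternatives down can be done as a small matrix: each evidence item is marked with the hypotheses it is consistent with, and a hypothesis survives only if every observed item is consistent with it. The block below is an added illustration of that for the two-accounts trap described above; the hypotheses and the evidence-to-hypothesis judgements are constructed assumptions, not the guide's own method.

```python
"""Competing-hypotheses matrix for the two-accounts question.  Added
illustration; the hypotheses and the evidence-to-hypothesis mapping are
constructed assumptions, not the guide's own method."""

HYPOTHESES = ["same_person", "shared_workplace", "shared_ghostwriter", "staged_link"]

# Which hypotheses each evidence item is consistent with (constructed judgements).
# An item consistent with every hypothesis has no diagnostic value at all.
PREDICTED_BY = {
    "similar_content":           set(HYPOTHESES),
    "same_city":                 set(HYPOTHESES),
    "overlapping_posting_hours": {"same_person", "shared_ghostwriter"},
    "shared_device_fingerprint": {"same_person"},
    "independent_admission":     {"same_person"},
}


def surviving(observed, predicted_by=PREDICTED_BY, hypotheses=HYPOTHESES):
    """Hypotheses consistent with every observed evidence item."""
    alive = set(hypotheses)
    for item in observed:
        alive &= predicted_by[item]
    return sorted(alive)


def discriminating(observed, predicted_by=PREDICTED_BY, hypotheses=HYPOTHESES):
    """Observed items that rule out at least one hypothesis."""
    return sorted(i for i in observed if predicted_by[i] != set(hypotheses))


def would_rule_out(hypothesis, predicted_by=PREDICTED_BY):
    """Evidence that, if found, is inconsistent with the hypothesis: what to look for next."""
    return sorted(i for i, hs in predicted_by.items() if hypothesis not in hs)


if __name__ == "__main__":
    seen = ["similar_content", "same_city"]
    print(surviving(seen))                      # every hypothesis survives
    print(discriminating(seen))                 # nothing observed discriminates
    print(would_rule_out("shared_workplace"))   # evidence that would eliminate it
    print(surviving(seen + ["shared_device_fingerprint"]))
```

If `surviving` ever returns an empty list, the observed evidence contradicts every hypothesis you wrote down, which means the hypothesis set is incomplete rather than the evidence wrong.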

Timelines, patterns, and the limits of each

Timelines expose sequence. If a company was incorporated after an event it supposedly caused, that is not a subtle analytic point; it is a dispositive one. Build the timeline before the narrative. The narrative should fit the timeline, not the other way round.
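The three-tab structure from "Structuring the evidence" and the sequence test above fit together in one small model: an entity list, a relationship log whose edges must resolve to known entities and to collection-log evidence ids, and a timeline against which narrative cause-and-effect claims are checked. This is an added illustration, not the guide's own tooling; every identifier, date and event in it is constructed, including one deliberately broken edge so the checks have something to catch.

```python
"""Three-table evidence structure (entities, relationships, timeline) with
referential-integrity and sequence checks.  Added illustration; every
identifier, date and event below is constructed, not from a real case."""
from datetime import date

# Collection-log identifiers that every evidence reference must resolve to.
EVIDENCE_LOG = {"EV1": "registry extract", "EV2": "contract PDF", "EV3": "press article"}

ENTITIES = {
    "E1": "person: A. Example",
    "E2": "organisation: Example Holdings Ltd",
    "E3": "organisation: Example Port Authority",
}

# Directed edges; each must name two known entities and resolvable evidence ids.
RELATIONSHIPS = [
    {"src": "E1", "dst": "E2", "type": "director_of", "evidence": ["EV1"]},
    {"src": "E2", "dst": "E3", "type": "contracted_by", "evidence": ["EV2"]},
    {"src": "E1", "dst": "E4", "type": "associate_of", "evidence": ["EV9"]},  # deliberately broken
]

# Dated events keyed by id; the narrative must fit these, not the reverse.
TIMELINE = {
    "T1": {"date": date(2021, 11, 3), "event": "E3 signs contract with E2", "evidence": ["EV2"]},
    "T2": {"date": date(2022, 5, 10), "event": "E2 incorporated", "evidence": ["EV1"]},
    "T3": {"date": date(2022, 6, 1), "event": "press reports the contract", "evidence": ["EV3"]},
}

# Narrative claims of the form "cause happened, therefore effect": (cause_id, effect_id).
CAUSAL_CLAIMS = [("T2", "T1")]   # "E2 was incorporated and then won the contract"


def integrity_problems(relationships=RELATIONSHIPS, timeline=TIMELINE):
    """Edges or events that point at entities or evidence you never logged."""
    problems = []
    for r in relationships:
        edge = f"edge {r['src']}->{r['dst']}"
        for end in ("src", "dst"):
            if r[end] not in ENTITIES:
                problems.append(f"{edge}: unknown entity {r[end]}")
        for ev in r["evidence"]:
            if ev not in EVIDENCE_LOG:
                problems.append(f"{edge}: unresolved evidence {ev}")
    for tid, ev in timeline.items():
        for e in ev["evidence"]:
            if e not in EVIDENCE_LOG:
                problems.append(f"event {tid}: unresolved evidence {e}")
    return problems


def sequence_violations(claims=CAUSAL_CLAIMS, timeline=TIMELINE):
    """Causes dated after their supposed effects: dispositive against the narrative."""
    out = []
    for cause, effect in claims:
        c, e = timeline[cause]["date"], timeline[effect]["date"]
        if c > e:
            out.append(f"{cause} ({c}) postdates {effect} ({e})")
    return out


def chronology(timeline=TIMELINE):
    """Event ids in date order: the view to build before writing any narrative."""
    return sorted(timeline, key=lambda t: timeline[t]["date"])


if __name__ == "__main__":
    print(chronology())
    print(integrity_problems())
    print(sequence_violations())
```

Run the integrity check every time the relationship log changes; an edge that cannot be traced to an evidence id is exactly the kind of confident-looking nonsense the structure exists to prevent.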

Patterns — recurring names, addresses, phone numbers, wallet addresses — are seductive. They are also the most common vector for false positives. A pattern is a hypothesis, not a conclusion. Treat pattern matches as leads that require their own corroboration.

Metadata and technical analysis

Documents, images, and archives often carry metadata that survives casual handling. EXIF data in photos, author fields and edit histories in office documents, headers in emails, certificate chains on websites — each can corroborate or disprove a claim about origin. Extract metadata systematically; log what was present and what was absent; remember that the absence of metadata on a file that should have it is itself informative.

Be cautious with metadata as a primary source. It is trivial to alter, and sophisticated subjects will have altered it. Use it as one strand among several, and never as the lone pillar of a published finding.
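Systematic extraction means recording presence and absence against a list of what a file of that kind should carry, plus whatever internal consistency the format allows. The block below does that for e-mail headers: it reports which expected headers are present and absent, and checks that the Received chain reads as a coherent sequence of hops with non-decreasing timestamps. It is an added illustration, not the guide's own tooling; the message is constructed and uses documentation address ranges.

```python
"""Extract and sanity-check metadata from an e-mail's headers: what is
present, what is absent, and whether the Received chain is internally
consistent.  Added illustration; the message is constructed and the
hosts and addresses use documentation ranges."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Headers a message that travelled a normal mail path is expected to carry.
EXPECTED = ["From", "Date", "Message-ID", "Received", "DKIM-Signature"]

# Constructed message; Received headers read newest-first, as delivered.
RAW = """\
Received: from mail.example.org (mail.example.org [198.51.100.7]) by mx.example.net with ESMTPS; Tue, 3 May 2022 10:15:02 +0000
Received: from [192.0.2.10] by mail.example.org with ESMTPSA; Tue, 3 May 2022 10:14:55 +0000
From: Sender <sender@example.org>
To: recipient@example.net
Message-ID: <constructed-0001@example.org>
Date: Tue, 3 May 2022 10:14:50 +0000
Subject: constructed sample

Body text.
"""

_FROM_BY = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def parse_received(value):
    """Split one Received header into its sending host, receiving host and timestamp."""
    head, _, stamp = value.rpartition(";")
    m = _FROM_BY.search(head)
    src, dst = (m.group(1), m.group(2)) if m else (None, None)
    return {"from": src, "by": dst, "at": parsedate_to_datetime(stamp.strip())}


def metadata_report(raw=RAW):
    """Presence/absence of expected headers and a consistency verdict on the hop chain."""
    msg = message_from_string(raw)
    present = [h for h in EXPECTED if msg.get_all(h)]
    absent = [h for h in EXPECTED if h not in present]
    # Reverse to chronological order so the earliest hop comes first.
    hops = [parse_received(v) for v in reversed(msg.get_all("Received", []))]
    stamps = [h["at"] for h in hops]
    monotonic = all(a <= b for a, b in zip(stamps, stamps[1:]))
    # Each hop's receiving host should be the next hop's sending host.
    chained = all(hops[i]["by"] == hops[i + 1]["from"] for i in range(len(hops) - 1))
    return {"present": present, "absent": absent, "hops": hops,
            "chain_consistent": monotonic and chained}


if __name__ == "__main__":
    report = metadata_report()
    print("present:", report["present"])
    print("absent: ", report["absent"])          # a missing DKIM-Signature is worth logging
    for hop in report["hops"]:
        print(hop["at"].isoformat(), hop["from"], "->", hop["by"])
    print("chain consistent:", report["chain_consistent"])
```

A consistent chain proves nothing on its own, since any hop can be fabricated by whoever controlled the message before you; an inconsistent one, or an expected header that is absent, is a lead to log and corroborate elsewhere.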

Common pitfalls

Narrative capture. You form a theory early, and from that point forward every new piece of evidence is read as confirmation. Mitigate by writing the adversarial alternatives before you review new evidence, not after.

Circular corroboration. Two sources pointing at the same fact because one sourced it from the other. The fix is to trace every citation to its origin.

Over-precision. Claiming a finding is established when the evidence supports only that it is plausible. The reporting phase rewards hedging honestly; analysis is where you decide how much to hedge.

Ignoring null findings. The absence of an expected record is often the most informative signal in the investigation. A company that claims twenty years of operation but appears in no registry until last month is telling you something specific.

Deliverables checklist

By the end of analysis you should have:

  • A consolidated entity list with stable identifiers.
  • A relationship log, each edge backed by evidence references.
  • A timeline covering the events relevant to the intelligence requirement.
  • A written set of findings, each graded by evidentiary weight and each accompanied by the alternatives considered and ruled out.
  • An explicit list of claims you cannot support — the gaps that the reporting phase must disclose rather than hide.

The output of analysis is not "the answer." It is the evidentiary case for each finding and the honest boundary of what the open sources will bear.

Previous phase: Collection. Next phase: Reporting.