Planning
Define the intelligence requirement, the audience for the output, and the legal and ethical guardrails before any collection begins.
Planning is the phase most beginners skip and most experienced investigators spend a third of their time on. The reason is simple: everything downstream either pays the debt of good planning or pays the interest on bad planning. An investigation without a clear question collects the wrong evidence. An investigation without a defined audience produces a report that nobody can act on. An investigation without ethical guardrails discovers them the hard way, in a takedown notice or a subpoena.
What planning actually produces
At the end of this phase you should be able to answer five questions in one sentence each:
- What is the intelligence requirement? The specific question you are trying to answer, written so narrowly that somebody else could tell when you have answered it.
- Who is the consumer? A judge, an editor, a compliance committee, a funder, a jury, the public — each has a different standard of proof and a different tolerance for hedging.
- What counts as proof? Two independent sources? A single primary document? A pattern across a dataset? Decide now, not after you find something interesting.
- What are the legal constraints? Jurisdiction of the subject, jurisdiction of the investigator, any platform terms of service that apply to your method of access.
- What is out of scope? The questions you will deliberately not pursue — usually because they are legally risky, ethically disproportionate, or not your job.
If you cannot answer those five questions, you are not ready to collect. You are ready to plan.
Framing the intelligence requirement
Vague requirements generate vague investigations. "Find out who owns this company" is not a requirement; it is a wish. A real requirement looks like: "Identify the ultimate beneficial owners of Acme Holdings BV and any natural persons holding more than twenty-five percent of the equity, as recorded in public corporate registries as of a specified date, to support a KYC file."
The rewrite forces four decisions: the legal standard (UBO at twenty-five percent), the source class (public registries), the temporal bound (as of a specified date), and the downstream use (KYC file). Each of those decisions shapes the collection plan.
Identifying sources before collecting
Before you open a browser, list the source classes that could plausibly answer your question. Not specific URLs — classes. For a corporate ownership question that might be: domestic company registry, beneficial ownership registry where one exists, court filings, regulatory disclosures, press coverage, social media of named officers, archived web content for old incarnations of the company's own site. Rank them by evidentiary weight: primary government records at the top, secondary reporting in the middle, social media at the bottom.
Rank them again by access friction. A registry that requires a paid subscription still counts; a leaked database of unknown provenance does not. The cheap-and-authoritative intersection is where you start.
Setting the standard of proof
A common beginner failure is treating all evidence as equal. It is not. A screenshot of a tweet is weaker than an archived copy of the tweet, which is weaker than the platform's own record retrieved via API, which may be weaker still than a court-authenticated export. Decide, at planning time, how much weight each tier carries for this specific question, and commit that to the investigation brief.
The same question also forces you to think about falsification. What would make you conclude the opposite of your hypothesis? If nothing could, you are not investigating — you are confirming.
Legal and ethical guardrails
The planning phase is where you document what you will not do. Common guardrails:
- No pretexting, no creation of false identities to access information, no social engineering of private accounts.
- No access to systems that require credentials you were not given, including accounts you find leaked in breach data.
- No targeting of minors, victims of crime, or protected classes beyond what the question strictly requires.
- Explicit consideration of the proportionality between harm risk and public interest.
Write these down. They are the first thing a defence lawyer, an ethics board, or a senior editor will ask about if the investigation is ever challenged.
Common pitfalls
Tool-led planning. Starting from "I know how to use Shodan, what can I do with it?" instead of "I have a question, is Shodan relevant?" This is how investigators waste a week and produce noise.
Question drift. The initial requirement was narrow; three pivots later the investigator is researching something nobody asked about. Pivots are fine — they are how investigations work — but they must be documented and re-scoped, not silently absorbed.
Confirmation framing. Writing the requirement in a way that presupposes the answer. "Find evidence that X owns Y" is not an intelligence requirement; it is a brief for a fabrication. "Determine whether X owns Y" is the investigable version.
Ignoring the adversary model. If your subject has reason to expect scrutiny, they have probably scrubbed the easy sources already. Plan accordingly — archives, caches, and metadata are more likely to survive than live pages.
Tools relevant to this phase
Planning is mostly paperwork, but a few tools help. Intelligence-requirement templates and source-mapping worksheets live in the resources library. For background on the subject before collection proper, use the Wayback Machine tutorial to scope the historical footprint and WHOIS and DNS lookup to identify related infrastructure. These are reconnaissance, not collection; use them to shape the plan, then re-collect under the plan.
Deliverables checklist
By the end of planning you should have:
- A one-paragraph intelligence requirement.
- A named consumer and a defined standard of proof.
- A ranked list of source classes with expected evidentiary weight.
- A scoped-out list of questions you will not pursue.
- A written set of legal and ethical guardrails for this specific investigation.
- A target completion date, or the trigger condition that ends the investigation.
Carry this document into the next phase. If collection starts pulling against it, come back here — do not let the evidence quietly redefine the question.
Next phase: Collection.