| created | updated |
|---|---|
2024-07-22T17:29 |
2024-07-22T18:55 |
The following page contains templates to create structured and interlinked pages for an open source intelligence (OSINT) investigation in Obsidian.
Sample Obsidian Graph
One of the main features of Obsidian is its graphical capabilities. The graph below shows an investigation in-the-making using the templates of this repository.
The Graph is a powerful tool because it lets us escape hierarchical file organization. Hierarchy always limits the flow of ideas. By connecting our notes in a principled manner, we can mitigate ontological biases. The graph focuses knowledge from category onto relations, thereby overcoming some of the limitations of linear note-taking.
The current ontology contains entities of the following types:
| Entity | Type | Parent / Child / Both | Standard Name | Example |
|---|---|---|---|---|
| Account | Possession (Actant if owner is unattributed) | Child | [username]_[platform] | potus_Facebook, username_Instagram |
| Asset | Possession | Child | [Parent]_[Asset] | house_JohnAdams, office_JoeBiden, car, phone |
| Crypto Wallet | Possession | Both | [Parent]_[CryptoWallet]-[num] | |
| Domain | Possession | Both | web address without protocol or port specification | www[.]example[.]com |
| Event | Context | Parent | [yyyy.mm.dd.hh.mm.ss]-[location]-[event] | 1979-Iran-IslamicRevolution, 1956.10-Budapest-Revolution, 1956-Suez-War |
| Host IP Address | Possession | Both | a legit IPv4 or IPv6 address or address range | 8[.]8[.]8[.]8, 192.168.0.0/18 |
| Indicator | Possession | Child to TTP or Event, Parent to Event | STIX v2.1+conventions | file is_part_of Poison_Ivy malware |
| Intellectual Property | Possession | Child | [article/book/etc. title] | Obsidian OSINT Templates |
| Organization | Actant | Both | an unambiguous name; Org-[alphanum] if unknown | CIA, Nestle, UNICEF, Org-1 |
| Person | Actant | Both | an unambiguous name; [FirstSecondLast]-[IDno] if multiple; [Organization]_[Role] or Person-[alphanum] if unknown | Joe Biden, CEO_EvilCorp, Person-1, TimWolf-22 |
| Phone Number | Possession | Both | +[country-code]-[dialer]-000-0000 | +44-60-000-1234 |
| TTP | Possession | Both (Child restricted to Weapon System) | performance statement: verb + object | identify assets, weaponize software |
| Weapon System | Possession | Both (Parent restricted to TTP) | name or standard identifier | AK-47, Predator Drone |
Each entity has at least one of the following properties:
| Property | Definition | Link / Shadow Entity | Illegitimate Relations |
|---|---|---|---|
| Location | An attribute that definitely and unambiguously locates an entity in physical space. Cannot be in logical space, e.g. a specific folder on a digital machine. | Y | Online Account, Domain, Crypto Wallet |
| Date-Time | An attribute that definitely and unambiguously locates an entity in a common reference framework of time across the investigation. | N | None |
| Tag | Each entity has a unique tag with no ontological function but to help with Obsidian formatting. | N | None |
| Aliases | Common names used to refer to the entity that are not in its title. | N | None |
Notice that the Location property can be linked to entities, meaning, you may see location tags as “shadow” entities in the Obsidian Graph. Despite this, they are NOT treated as entities in the present ontology.
In contrast, Date-Time cannot be linked as a shadow entity. Instead, Date-Time may be part of the name of an Event. If you decide to create a linked page for a Date-Time property (which may be legitimate when you decide to investigate the given time-based clue later), make sure to transform the property to an Event later.
Tags always mirror a single given entity name. They serve to color the Graph. If and when an entity page has mutliple tags, only one tag should be colored on the Graph. Properties should not have tags, except for Location.
Additional metadata on each page includes the creation and last edited date-times of the page.
- Save the files of this repository.
- Open an Obsidian Vault with the files in it.
- Click the Settings icon > Community Plugins > Browse > Install & Enable Templater by SilentVoid
- Click Options
- Set "Template folder location" to "/Templates"
- Choose "Trigger Templater on new file creation"
- Install and configure optional plugins
Start an investigation in a clean Obsidian Vault.
Use any template that you need for a given entity. For present purposes, let's say we start off the investigation with a website.
- The first entity thus will be a domain. Open a new note and use the Domain template.
- Fill in the information in the Domain template wherever you can.
- Create links by appending phrases with double squared brackets
[[…]]to new pages. Legitimate links lead to one of the ten entities defined above, or to external resources referenced with(…)[…]. - Open the new pages you created as children of the domain and take notes in their respective templates.
For instance, if we found that the website belongs to a certain Company A, we create a link as in [[Company A]] and copy the Organization template to that page.
We repeat this process as many times as needed.
For those who are new to Obsidian, the following resources may be helpful to consult:
- https://www.youtube.com/live/sKF37Ng4gaI?si=tDe-1eS4IFhxRws6
- https://youtu.be/eLqQo38wC2Q?si=2VmPX95tHUd5nre4
- https://medium.com/@farallon/uncommon-osint-obsidian-semantic-meaning-and-nlp-3339e1e51d70
- https://www.linkedin.com/pulse/unlocking-power-osint-my-workflow-effective-scott-altiparmak-3bs4e
- https://publication.osintambition.org/unlock-the-power-of-obsidian-for-osint-and-blockchain-intelligence-analysis-a69e526e2638
- https://github.com/WebBreacher/obsidian-osint-templates
- https://github.com/malleVF/Threat-Research-with-Obsidian-for-SOC-Analysts
-
Use the templates to pivot from one clue to another, all the while keeping track of still missing information.
-
Create tasks across notes to remember where to follow up later on.
-
In the Graph View, exclude paths other than the current investigation.
-
You can create a folder structure for your investigations and organize the files in them. My system looks like this:
. |__ Investigations |__Case-1 |__Case-2 |__General Recon |__Organizations |__People |__Digital Accounts |__Assets |__Intellectual Property |__Locations |__Technical Recon |__Domains |__Hosts |__Phones |__Emails
-
Use the Replace functionality to bulk rename a list of targets you copied from an aggregator site. For example, a domain may have many sub-domains, each of which you want to link and visualize in your Graph after having copied or imported them from a tool.
-
There are two approaches to being consistent in your workflow:
- either follow through all the leaves of a branch in the graph;
- or record all pivot points in the graph as you go through sources and tools and return to empty leaves later.
The first method is more likely to be exhaustive, may show clearer links, can help better pivotting. At the same time, this method takes considerably more time and may easily lead to unproductive black holes.
The second method is more intuitive and relies more on the capabilities of sources and tools. It may easily mislead you if you trust the wrong information, fail to avoid tunnel vision or recognize pivots due to an overreliance on existing sources and tools.
You keep track of empty or incomplete notes with obsidian-incomplete-files, or even prioritize specific strings or blocks with obsidian-prio-plugin.
- Templater makes it possible to create and use templates in your workspace. Make sure to set the template path to the folder where this repo is located on your machine.
- Auto Template Trigger adds a tiny twist to the game, enabling you to escape the command palette and import a template to a new note or directory automatically.
- Update Time on Edit displays creation and last edit date-times on your notes; essential for keeping track of your investigation.
- Omnisearch enables you to search for strings across your vault.
- Pandoc
- Quite Outline adds a searchable table of contents for each page. Useful for quick navigation. Alternatively, you can use Create Note List which does the same but with bullet points.
- Hierarchical-outgoing-links will display all outgoing internal links in your current page categorized by the links’ tags. Given that the template structure of this repo follow a similar logic, this could help you easily find links (leaves in a branch) to specific types of entities.
- Advanced Tables: create and edit markdown tables easily.
- Relative Line Numbers: adds relative line numbers that helps with navigating a multiline page.
- Tag-wrangler: easier renaming, searching and management of tags.
- Obsidian-db: Obsidian Plugin to Allow Notion like database based on folders
- Text Generator
- Editing Toolbar: display editing options in a toolbar.
- Code Block: add advanced code blocks to a page.
- Linter enables you to assign formatting rules to actions, making your workflow more productive and efficient.
- Safe Filename Linter if you want to create or import filenames that are invalid in vernacular Obsidian.
- Cryptsidian encrypts your vault locally; can be used for secure file transfer or cloud sync.
- Obsidian Hash provides a hash to each page, so that you can check the integrity of files or share data with trust and confidence.
- Garble Text makes all text and media files in your Obsidian workspace inreadable. Useful for sharing screenshots with team members or clients when you want to point only to selected information.
- GPG Inline Encrypt encrypts pages or selected strings (!) in your obsidian note. You can use it to share intelligence based on more inclusive need-to-share principles.
- Use Obsidian-Git with obsidian-version-history-diff to see a detailed version history of your investigation. This is essential if you prepare a report for dissemination at legal or forensic authorities. Privacy considerations should be made before deploying these tools!
- The previous tools can be combined with Activity History to provide Github activity-like visualization for your history.
- For completed tasks, you can create a time-based tree-like archive with Task Archiver.
- Link Archive submits every internet-facing URL in the current page to WaybackMachine, automatically archiving your links. Be considerate, mission INFOSEC or ethical considerations regarding amplification may be contrary to this practice.
- Incomplete Files is a great plugin to automatically mark pages that are empty or incomplete.
- With Adjacency Matrix Maker you can see the relations between your notes in a matrix format. This may be helpful when looking for pivot points in the Graph yields no results due to its visual complexity. The Matrix view could be implemented into cryptocurrency and blockchain investigations, where addresses and hashes obfuscate a lot on the Graph.
- Once you ended your investigation, you may try to aim for a last pivot with Graph Analysis. Analyzing your notes, this plugin uses various algorithms to identify or predict relations between entities. Relations you may have not noticed yourself.
- If you take notes in multiple languages or work on a multilingual investigation, a great tool to auto-translate note-titles is Obsidian Multilingual.
- CSV Table will help you import csv datasets to Obsidian. JSON Table does the same for JSON files. Useful when you download or copy table formatted data en masse.
- Obsidian Mermaid is a plugin that makes it easier to create Mermaid flow-charts without memorizing all the code.
- Leaflet is a cool plugin if you want to save geolocation data in your notes and visualize them on interactive maps. Could be especially useful to recognize spatial relations (Location tags!) between targets.
- Bulk Rename is a simple tool to bulk rename your page titles with regex patterns and update all links accordingly.
- Obsidian Cron enables you to attach Obsidian commands to cron jobs, i.e. schedule commands to execute automatically in specific intervals.
- Run your own python scripts from Obsidian with Python Scripter. Could be useful to feed the results of certain collection tools, like Sherlock or Maigret, right into your notes.
- You could use Regex Pipeline to auto-format text from bulk input with regex parameters, e.g. when importing online accounts from multiple username enumeration tools that use different output formatting.
- Smart2Brain is an AI chatbot that can be run locally to query your Obsidian notes; although not tested, it could be useful for various analytic tasks when pivotting.
- No Dupe Leaves is useful to avoid duplicate open tabs, but has some functionality caveats.
- Tag Summary can collect in one space all lines where a tag (#likethis) is present across your notes. Useful for creating summaries by specific types of entities on top of your notes, in your final report or just for a general orientation of properties across your entities.
- Hunchly ‐ import the results of the Hunchly web capture tool into Obsidian.
- If you do persistent monitoring using RSS feeds, you can use the following plugin to follow and copy RSS feeds to your Obsidian vault: RSS. Addig AI-enabled auto-tagging or linking could enable you to auto-create dynamic graphs that display relations between global news and events.
- When creating Event type entities in your investigation's vault, the ability to see and edit a list of chronological events (each a separate page) is a great enhancer of productivity. With the Daily Notes Editor tool you can do just that!
- The Keyword Highlighter tool highlights keywords across your vault, marking important phrases, like the target's name, an ID or hash, with clear visibility.
See more at https://github.com/ieshreya/Obsidian-Cheat-Sheet
Ctrl + Popen command paletteCtrl + Gopen graph viewCtrl + Ncreate new noteCtrl + Osee recent files & open fileCtrl + Shift + Fsearch in all filesAlt + Einsert template
-
Internal Links:
[[note name]]to create internal links to other notes. -
External Links: Use
[Text](URL)to create external links. -
Bullet Points: Use
-,*, or1. -
Headings: Use
#(e.g., # Heading 1, ## Heading 2). -
Code Blocks: Wrap text in triple backticks
(```). -
Embeds: Use
![[note name]]to embed another note in your current note. -
Callout:
>to create text in callout.> [!title] > Here's a callout block. > It supports **Markdown**, [[Internal link|Wikilinks]], and [[Embed files|embeds]]! > ![[Engelbart.jpg]] -
Divider:
---to create horizontal divider line. -
Tables:
First name | Last name -- | -- Max | Planck Marie | Curie
Filters:
- Search filters: set
path:Investigationsif your files are in the Investigations directory. - Unselect: tags, attachments, existing files only.
- Select: orphans.
Groups: set different colors for each
- tag:#domain
- tag:#IP
- tag:#company
- tag:#team
- tag:#person
- tag:#account
- tag:#email
- tag:#phone
- tag:#TTP
- tag:#weapon
- tag:#intel_prop
Display:
- Arrows toggles whether to show the direction of each link.
- Text fade threshold controls the text transparency for the name of each note.
- Node size controls the size of the circle representing each note.
- Link thickness controls the line width for each link.
- Animate starts a time-lapse animation.
Forces:
- Center force controls how compact the graph is. A higher value creates a more circular graph.
- Repel force controls how much a node pushes other nodes away from it.
- Link force controls the pull on each link. If the link was a rubber band, the link force controls how tight or loose the band is.
- Link distance controls the length of the lines between each note.
These templates are free to use and distribute. Please credit the creator if distributed.