personas/personas/_shared/community-skills/bellingcat-osint-toolkit/SKILL.md
salvacybersec 700122807d feat(bellingcat-osint-toolkit): add references/bellingcat-own-repos.md
Comprehensive reference for the 46 active non-fork repos in the
github.com/bellingcat org — tools Bellingcat ships as code (vs the
external tools they curate, which the existing 12 category refs cover).

Sections:
- Power tools (auto-archiver, octosuite, telegram-phone-number-checker,
  snscrape, vk-url-scraper, whisperbox-transcribe, EDGAR) with install
  commands + key invocations
- Geolocation toolbox (ShadowFinder, instagram-location-search,
  osm-search, geoclustering, search-grid-generator, ColourHighlighter,
  rgb-viz)
- Satellite / Earth Engine (sar-interference-tracker, cloud-free-subregion,
  Multispectral Imagery Explorer, umbra-open-data-tracker, ee_forest_area_tracker)
- Social-media scrapers (TikTok, Reddit, YouTube, Odysee, GETTR, Facebook,
  cisticola coordinator)
- People search (name-variant-search, alias-generator)
- Telegram (phone-checker, group-joiner, gesara-entity-viz)
- Companies / finance (EDGAR, sugartrail)
- Aircraft tracking (adsb-history)
- Image triage (smart-image-sorter via HuggingFace)
- Web-history forensics (wayback-google-analytics, uniform-timezone)
- Conflict tracking (ukraine-timemap, iran-conflict-damage-proxy-map,
  vis-tj-kg-map-2022)
- Research methodologies (RS4OSINT, open-source-research-notebooks,
  open-questions, quitobaquito, twitter-geocode-searches)
- Council / government records (CouncilSearcher)
- Persona affinity quick-pivot table for all 13 personas

Each entry has stars, language, use case, persona affinity, and (where
useful) the exact install + first-use commands. SKILL.md updated to
reference the new file in the layout tree and "when to load" table.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-02 01:20:36 +03:00


name: bellingcat-osint-toolkit
description: Curated index of Bellingcat's Online Investigation Toolkit (342 tools, 12 categories). Covers Maps & Satellites, Geolocation, Image/Video forensics (reverse search, facial recognition, EXIF), Social Media (FB/IG/Telegram/TikTok/Twitter-X/YouTube + cross-platform), People search, Websites & WHOIS, Companies & Finance (EDGAR, OpenCorporates, OpenSanctions, Aleph), Conflict (ACLED, LiveUAMap, OS munitions), Transport (flight + maritime + vehicle + rail), Environment & Wildlife, web Archiving, and Data Org/Analysis. Use to verify a photo/video, geolocate an image, identify a person, archive a webpage, sanction-screen a company, track a vessel/flight, monitor a conflict zone, or pick the right tool for any OSINT task. Triggers on "Bellingcat", "OSINT", "geolocate", "reverse image search", "verify photo", "satellite imagery", "WHOIS", "EDGAR", "shipping tracker", "person search", "open source intel", "kaynak araştırması".
license: MIT
compatibility: claude-code, opencode
metadata:
  audience: investigators, journalists, intel-analysts, threat-hunters, researchers
  source: https://bellingcat.gitbook.io/toolkit
  upstream: https://github.com/bellingcat/toolkit
  total_tools: 342

Bellingcat OSINT Toolkit — Working Reference

Curated by Bellingcat staff + volunteer experts. 342 tools across 12 categories. The full catalog lives in the references; this file is the launch pad for picking the right tool fast.

Authoritative source: https://bellingcat.gitbook.io/toolkit. CSV exports (nightly): https://github.com/bellingcat/toolkit/releases/tag/csv.

Layout

bellingcat-osint-toolkit/
├── SKILL.md                          (this file)
├── data/
│   └── all-tools.csv                 raw catalog (342 rows: Category,Name,URL,Description,Cost,Details)
├── scripts/
│   ├── refresh.sh                    pull fresh CSV from upstream nightly release
│   └── regenerate-references.py      rebuild references/*.md tables from CSV
└── references/
    ├── archiving.md                  8 tools  (curated externals)
    ├── companies-and-finance.md      26 tools (curated externals)
    ├── conflict.md                   6 tools  (curated externals)
    ├── data-org-and-analysis.md      11 tools (curated externals)
    ├── environment-and-wildlife.md   24 tools (curated externals)
    ├── geolocation.md                9 tools  (curated externals)
    ├── image-video.md                35 tools (curated externals)
    ├── maps-and-satellites.md        83 tools (curated externals)
    ├── people.md                     33 tools (curated externals)
    ├── social-media.md               63 tools (curated externals)
    ├── transport.md                  27 tools (curated externals)
    ├── websites.md                   17 tools (curated externals)
    └── bellingcat-own-repos.md       46 active repos Bellingcat ships
                                      (octosuite, auto-archiver, EDGAR,
                                       ShadowFinder, telegram-phone-checker,
                                       sar-interference-tracker, etc.)

For ad-hoc queries the agent can grep the CSV directly:

# Find every tool that mentions "facial"
grep -i facial data/all-tools.csv

# All free tools in Maps category
awk -F'","' '$1 ~ /Maps/ && $5 ~ /Free$/ {print $2, $3}' data/all-tools.csv

# Refresh + rebuild tables
bash scripts/refresh.sh && python3 scripts/regenerate-references.py

When to load which reference

| Need | Reference | Tool count |
|---|---|---|
| Find a place on a map; high-res imagery; street-level | references/maps-and-satellites.md | 83 |
| Pin down WHERE a photo was taken | references/geolocation.md | 9 |
| Verify a photo / video; reverse search; faces; EXIF | references/image-video.md | 35 |
| Pull a profile / posts / comments from a platform | references/social-media.md | 63 |
| Find / enumerate a person across the open web | references/people.md | 33 |
| Domain WHOIS, archive history, technology stack of a site | references/websites.md | 17 |
| Public filings, beneficial ownership, sanctions, financials | references/companies-and-finance.md | 26 |
| Conflict event tracking (ACLED, LiveUAMap, munitions) | references/conflict.md | 6 |
| Flight / vessel / vehicle / rail / port tracking | references/transport.md | 27 |
| Wildlife trafficking, environmental crime, terrain | references/environment-and-wildlife.md | 24 |
| Preserve a webpage, video, social post | references/archiving.md | 8 |
| Clean / merge / publish data; build the investigation file | references/data-org-and-analysis.md | 11 |
| Bellingcat's OWN open-source tools (octosuite, auto-archiver, EDGAR, ShadowFinder, etc.) | references/bellingcat-own-repos.md | 46 active repos |

Persona affinity

This skill maps to multiple personas — load it whenever an OSINT task appears, regardless of the lead persona.

| Persona | Strongest categories |
|---|---|
| Oracle | All 12 — primary OSINT operator |
| Frodo | Geolocation, Image/Video, Social Media, Conflict, Transport, Companies |
| Wraith | People (HUMINT focus), Social Media, Websites |
| Sentinel | People, Websites, Social Media, Archiving (CTI infrastructure tracing) |
| Scribe | Archiving, Websites (Wayback), Data Org (FOIA dossier-building) |
| Ledger | Companies & Finance (sanctions, beneficial ownership) |
| Centurion | Maps, Conflict, Transport (military-history mapping) |
| Marshal | Maps, Conflict, Transport (current military doctrine ops) |
| Warden | Conflict (munitions), Transport (military hardware) |
| Echo | Transport (movement intel), Social Media (signals correlation) |
| Herald | Social Media (info-warfare detection), Archiving |
| Ghost | Social Media (PSYOP / disinfo footprint), People |

Investigation workflow primer

A typical Bellingcat-style investigation follows this loop. Each step has multiple tools — pick from the references.

       ┌─ collect ─┐
       │           ▼
       │     verify + geolocate
       │           │
       │           ▼
       │     archive + cite
       │           │
       │           ▼
       └─── synthesize ───→ publish
  1. Collect: starting source (a tweet, news photo, leaked doc). Tools: Social Media refs, People (for the source), Websites (for the host).
  2. Verify: is it real? Reverse-image-search; check EXIF; cross-source. Tools: image-video.md → Reverse Image Search + Metadata.
  3. Geolocate: WHERE was it captured? Tools: geolocation.md (SunCalc, ShadowMap), maps-and-satellites.md (Google Earth, ESRI, Sentinel Hub), image-video.md (Google Lens).
  4. Identify (if applicable): who's in it / who owns it? Tools: people.md (Sherlock, WhatsMyName), companies-and-finance.md (OpenCorporates, EDGAR), transport.md (Flightradar, MarineTraffic).
  5. Archive: snapshot the source so a copy survives if the original is deleted. Tools: archiving.md (Wayback Machine, archive.today, Auto Archiver).
  6. Synthesize + cite: organize findings; build a defensible narrative. Tools: data-org-and-analysis.md (Atlos, Datawrapper, Hunchly).

Quick recipes

"I have a photo and need to know where it was taken."

1. references/image-video.md → Reverse Image Search → Google Lens / Yandex / TinEye
2. references/geolocation.md → SunCalc (if shadow visible) or ShadowMap
3. references/maps-and-satellites.md → Google Earth Pro / Sentinel Hub for area match

"I need to track a specific aircraft / ship / vehicle."

references/transport.md → FlightAware / Flightradar24 (planes)
                       → MarineTraffic / VesselFinder (ships)
                       → Plate2Vin / VinDecoderz (vehicles by VIN)

"I need to identify a Twitter account's owner across platforms."

references/people.md → Sherlock / WhatsMyName / Blackbird (username pivot)
references/social-media.md → cross-platform tools (Multiple Platforms section)
references/websites.md → Wayback Machine on the username's old links

"Sanction-screen a company and find its beneficial owners."

references/companies-and-finance.md
  → OpenCorporates (global registry)
  → OpenSanctions (sanctions list cross-ref)
  → EDGAR / EDGAR Suite (US public filings)
  → Aleph (ICIJ, leaked-doc cross-ref)

"Archive a Telegram channel before it goes dark."

references/social-media.md → Telegram section (Telegago, TGStat, …)
references/archiving.md → Auto Archiver (one-shot batch save)
                       → Distill.io (monitor for changes)

"Conflict-zone weapons identification from a clip."

references/conflict.md → Open Source Munitions Portal
references/image-video.md → InVID + WeVerify (frame extraction + reverse search)
references/transport.md → military hardware tracking

Cost stratification

Across all 342 tools: 264 free, 56 freemium, 16 paid.

The freemium / paid 22% concentrates in:

  • Companies & Finance — premium business databases (Sayari, Lexis, Orbis)
  • Maps & Satellites — high-resolution / on-demand satellite tasking (Maxar, Planet Labs, Capella SAR)
  • Image/Video — premium facial recognition (PimEyes, Clearview alts)

Free-tier substitutes exist for nearly every paid service. Reach for paid only when an investigation has the budget AND the free pivot has already failed.

Cross-reference with other repo skills

This skill is the catalog. For deeper how-to on specific operations, see other shared skills:

  • osint-investigator/ — Bellingcat-style investigation methodology
  • collecting-open-source-intelligence/ — collection planning
  • performing-open-source-intelligence-gathering/ — tactical OSINT
  • performing-osint-with-spiderfoot/ — Spiderfoot specifics
  • performing-ai-driven-osint-correlation/ — LLM-assisted correlation
  • building-threat-actor-profile-from-osint/ — threat-intel application
  • analyzing-certificate-transparency-for-phishing/ — CT-log pivots
  • monitoring-darkweb-sources/ — dark-web extension
  • news-crawler, freshrss, freshrss-reader — open-source news intake
  • analyzing-typosquatting-domains-with-dnstwist — domain pivot
  • archiving-… skills — preservation pipeline

Operational notes

  • Source verification first. Bellingcat's standard: every claim is triple-sourced or labeled as inference. Apply the same rigor when using these tools — a single hit is a lead, not a fact.
  • Archive everything you cite. Page-state at time-of-citation matters more than current state. Use the archiving tools in step 5 every time.
  • Account creation for some tools (especially social-media analytics, Maxar, Sayari premium) leaves a trail. Use compartmented identities where appropriate — see wraith persona's HUMINT/CI guidance.
  • Geographic legality varies. Some scraping / API uses violate ToS or local law. Bellingcat's tools are journalistic, not weapons-grade — apply professional judgment.
  • Tool churn is high. Bellingcat updates monthly; if a tool 404s, the CSV asset is the freshest source. Re-pull from https://github.com/bellingcat/toolkit/releases/tag/csv.

Pitfalls

  • Bellingcat curates but does not endorse — some tools are run by volunteers and may go offline without warning.
  • Reverse-image-search results from Yandex are uniquely strong for Russian-language material but require a clean / non-blocked IP.
  • Sentinel-Hub / Sentinel Playground: free tier rate-limits aggressively; for sustained imagery work get an API key.
  • Telegram section overlaps with this repo's telegram skill (custom scraper). Use the custom skill for archive batches, Bellingcat tools for one-off lookups.
  • People-search tools' coverage is heavily skewed to US / EU. Outside those, fall back to local-language equivalents (not in the catalog).
  • Wayback Machine ≠ archive.today — different crawlers see different things. Always check both.
  • The Misc sub-category in image-video is a grab-bag — useful tools hide there (e.g., color analysis, audio fingerprinting). Skim it before assuming a need is uncovered.