In looking out for people to interview for this site it came about and still is to this day just me wanting to speak to people I am fascinated with and want to ask questions too and one of them is Griffin.
He is an investigator with over 20 years’ experience with a background resolving certain types of organized crime.
Nowadays, his professional focus is in the realm of crimes against children being the Director of Intelligence at The National Child Protection Task Force (https://ncptf.org), and formerly their Deputy Director of Investigations & OSINT Team Lead.
He is also one of the co-founders of the OSINT Games capture the flag platform (https://osint.games), and the President of Hatless Investigations Group, where he helps investigative professionals learn new skills for conducting their work online.
As a side note he also has one amazing start.me page with everything OSINT related you should all check out HERE!
Everyone in OSINT comes from a lot of different backgrounds and walk of lives, how did you come to get started in OSINT?
I have been absolutely obsessed with solving puzzles for as long as I can remember, which led me to pursue a career in investigations.
Basically, my never-ending drive to solve my cases led me to going out to the internet in search of clues, long before I even knew that OSINT was a thing.
Some years ago I attended a training and was shocked to find out that all the things I’d been doing to further my cases through online research had a name and a small community!
From then on, I was completely hooked on learning all I could get my hands on, but it wasn’t until recent years that I really fully jumped into that community online.
Reading through the OSINT work you have done and still do it’s the kind of thing I would love to get involved in with the #OSINTforgood community and trying to do some good with the skills, how would you recommend someone get started?
Finding myself in the #OSINTforgood community was really the moment I knew I was home. At the risk of sounding dramatic, I have to say something from the heart… There’s nothing more fulfilling than doing something you’re totally passionate about and then having that passion create real, meaningful differences in the world.
There are many great organizations who specifically leverage open source intelligence for the greater good, including finding missing persons, helping crowd-source support for solving crimes, developing intelligence to support humanitarian efforts, and for revealing the truth about misunderstood or misrepresented issues.
I would encourage people to seek out organizations whose mission is something that resonates with their own values and purpose, and then just reach out. Some may have formal processes for getting involved, some may be more organic, and others may only need financial support, but they all probably need something.
Find a way to network with people and be honest about what you can offer and how, so that if your offerings are a good fit, and the organization is a good fit for you, there is no ambiguity. Don’t be discouraged if it’s not the right time or the right fit, keep pushing until you find your place!
You are formerly the Deputy Director of Investigations and OSINT Team Leader for the National Child Protection Task Force (NCPTF), and now the Director of Intelligence, that must be quite difficult to be involved in sometimes and quite hard work?
Absolutely. On one side, the work being done by the NCPTF is hands-down the most rewarding thing I’ve ever been a part of (professionally of course, if my kids ever read this on the internet one day!).
The flip-side however is that the nature of the work, which is heavily focused on missing, exploited, and trafficked children is mentally taxing, no doubt about it.
Those are real people, real stories, real lives. The brilliant part of our task force is the caliber of people involved, and the way we work as a team to not only help make a difference, but to help each other.
We support each other, we look out for each other, and we are open with each other so that everyone can be their best at all times.
The work can effect everyone differently, and you must never judge someone else for where their own personal boundaries are.
Is it just OSINT you are involved in from a Cybersecurity standpoint, or do you dabble in some ethical hacking as well?
I have a great admiration for the skills, persistence, and know-how of ethical hackers but I don’t possess even the slightest knowledge in that area.
My entire world is in OSINT, and I have actually found that a lot of people find that encouraging, especially if they don’t have the interest or ability in the hacking part of cyber.
Part of the story of why I use the moniker hatless1der is because I have nothing when it comes to white hat, black hat, etc.
Your http://start.me page is phenomenal as a resource of resources, have you had some great feedback since sharing it out?
Thank you! Yes, that has been extremely popular and I’m so glad.
As I mentioned before, I am a voracious learner of all things OSINT and I found myself with SO MANY great resources, blogs, tool sets, discussion forums, etc that I really just wanted to organize my own library of my favourite stuff.
Just like that, The Ultimate OSINT Collection was born!
It was the kind of thing I wish someone would have made for me while I was first dipping my toe in the online OSINT community, so I knew where to look and how to find great content fast.
What OS do you use when starting a project, Is it in VMWare and a specific OSINT OS?
I’m a big fan of using what works. Could I stand up my own Linux VM and go through and install a bunch of CLI tools myself and set it all up? Sure, I’ve done that, but mostly just for the experience and familiarity with what is happening.
With so many pre-built VMs out there now, and several OSINT-specific ones made by people with real skill and purpose, I don’t need to fumble around doing the setup work myself unless I really want to.
I do most all of my work in a pre-built Linux VM (yes, sometimes I’m in a hurry or get lazy and do certain basic things on my host machine, I’m not too proud to pretend I don’t).
While I don’t want to advocate for a specific one necessarily (everyone has different use-case needs), I will say that the popular ones in my circles are Michael Bazzell’s custom VM, the Trace Labs VM, Tsurgi Linux VM, and CSI Linux. If you do OSINT work, go learn about each of those and see which one may suit you!
I only discovered OSINT Games today when doing a little research, it looks fantastic, how did that come about and is there plans to grow it more?
OSINT Games is one of my favourite projects that I’m a part of! (s/o to Micah Hoffman aka @webbreacher who is the other co-founder there) The idea behind it was to offer a different way to use CTFs to learn, rather than compete.
So many of us learn by doing, and in a traditional CTF environment you’re scrambling to work against the clock and rack up as many points as possible in order to prove yourself in a leaderboard.
There’s definitely a time and a place for that, but if you’re newer to the OSINT world, that can be downright intimidating.
Considering the largest part of the OSINT community population are going to be people who are either new or view themselves as behind the learning curve, we wanted to offer them a way to comfortably learn at their own pace, while being exposed to new OSINT challenges that might be skills they’ve not yet developed.
Our challenges are accompanied by a series of hints designed to help lead the user to resources that can help them solve the challenge, but encourages them to take the time to go out and do the research to learn the skill themselves so they get that experience.
The hints are progressively more direct so that you’re never really “stuck”. Micah and I are both passionate about teaching, and really tried to focus the purpose of OSINT games using that mentality.
We run a new CTF for 90 days at a time one after the other, and each one offers all new challenges that touch on traditional OSINT disciplines, of use to a wide variety of practitioners!
What else do you do to unwind away from OSINT as it must be so hard not letting it become all encompassing?
There is ALWAYS more projects than there is time, especially when you’re passionate and excited about the things you work on.
On top of that, my work with NCPTF is something that can happen 24/7/365, with urgency being a core tenet. Admittedly, I’m not very good at doing things less than 110%, ever. What I have learned over the years is that 110% doesn’t have to mean all the time. It doesn’t have to mean sacrificing everything else and always saying yes. It doesn’t have to mean working all day and then staying up all night to work some more. It can mean setting boundaries for myself and being honest with those around me about those boundaries and why I have them. A burned-out person is not making an impact, not representing themselves well, and possibly even detracting from others can accomplish. I’ve gotten much better about that, especially when it comes to prioritizing my family.
My advice to others is to be honest and clear about dividing up your work life from other aspects of your life as much as possible. Soap box moment here… You only have so many minutes, hours, and days on this planet.
One day they will all be completely and irrevocably gone and there’s not a damn thing you can do or say to get even a single second back. Never forget that.
Schedule time away from work as much as you can and stick to it. If you have a significant other and/or kids… they are #1 no matter what.
Make time for your extended family and social circles, say yes to events that bring people together. Take vacations, even short ones just to disconnect and decompress. Find a non work-related hobby.
How have you seen it change over the 20 or so years you have been involved in OSINT and people becoming a lot more aware of safety and security online, being more wary of what the post for giving information away?
In some aspects, it really seems like there was so much more information available online years ago before digital privacy became a mainstream topic. Available as in “accessible” I suppose. That being said, the sheer volume of digital information has grown exponentially in that time, so even though it may be tougher to access, there’s a lot more out there.
The quality of tools available nowadays is astonishing as well, especially free tools. Some of those can make accessing certain information quite easy, but there’s always a push and pull between the two worlds.
The way I look at it, the harder it gets to dig up intelligence, and the more that’s done to protect digital information online, the more important it becomes to have great investigative curiosity and mindset.
That’s one thing that tools cannot ever fully replace. The better you are at making the connections, fitting the pieces of the puzzle together, and then telling that story to your stakeholders… the more valuable YOU are in the use of OSINT in your work.
What’s the plan for the rest of the year?
Well, one thing for sure is that I’m never short on things to do! Beyond building more OSINT Games CTFs and continuing to grow my work and the impact of NCPTF, I have one very big project on the horizon that I’m tremendously excited about… Micah (whom I mentioned earlier) and I are working on a full-spectrum OSINT training curriculum which will be offered through the https://myosint.training site this fall.
This on-demand video series will provide an immersion into many widely-applicable OSINT topics that come from our live-training offerings at conferences and private events.
We wanted to create a project that is accessible, applicable, and affordable for the widest possible audience, that combines our unique backgrounds and experience to help others truly learn and excel.
Links for reference:
- Twitter: https://twitter.com/hatless1der
- LinkedIn: https://www.linkedin.com/in/griffin-g/
- Blog: https://hatless1der.com/
- The Ultimate OSINT Collection start.me: https://start.me/p/DPYPMz/the-ultimate-osint-collection
- OSINT Games Capture The Flag: https://osint.games
- The National Child Protection Task Force: https://ncptf.org