The president of the OSMOSIS Association and host of OSINT Cocktail, Cynthia Navarro, joins the podcast to discuss how creating a community of open-source researchers has allowed her to learn from others and hone her skills.
Cynthia Navarro is a licensed California Private Investigator and has been in investigations for over 40 years, most recently as the President of OSMOSIS, an association for OSINT professionals who support the development of the OSINT tradecraft. Previously, Navarro was the principal of Finnegan’s Way, an investigative consultation and training firm located in California. In this role, she managed both civil and criminal investigations consulting worldwide, specializing in anti-piracy, intellectual property, OSINT and business intelligence. Prior to Finnegan’s Way, Ms. Navarro held various management positions at several Silicon Valley companies.
CYNTHIA NAVARRO
DuckDuckGo, now, they say, oh, you can do that, and nobody's paying attention. Once you leave DuckDuckGo and click on that link and go to that location, you are no longer anonymous. Folks don't understand that.
[music plays]
JEFF PHILLIPS
Welcome to Needlestack, the podcast for professional online research. I'm Jeff Phillips, and I'll be your host today.
SHANNON RAGAN
And I'm Shannon Ragan. I'll be your cohost today and a usual producer on Needlestack.
JEFF PHILLIPS
Excited to have you, Shannon.
SHANNON RAGAN
Today we're joined by Cynthia Navarro, host of the OSINT Cocktail Podcast and president of the OSMOSIS Association. Welcome to the show, Cynthia.
CYNTHIA NAVARRO
Thank you very much, Shannon. Jeff.
JEFF PHILLIPS
Well, Cynthia, knowing that you were going to be a guest, I was listening to a few of your podcast episodes, OSINT Cocktail. So maybe we start off: tell us a little bit about OSINT Cocktail, why you and your partner wanted to start a podcast about OSINT specifically.
CYNTHIA NAVARRO
Sure. Well, both Kirby and I do OSINT work, and we thought, let's share with a lot of the friends that we have and start sharing our information, because that's what this OSINT community is all about, is giving back to each other. And so we decided we could look at different frameworks of how OSINT is done, looking at the hardware, software, anything that's out there that would affect that OSINT world, and we'll just start sharing the information.
JEFF PHILLIPS
Well, I do want to tell people it's great you guys do go deeper into tools and software. So definitely something for people to check out. Why the name, Cynthia? Was it to keep it casual? Do I need to have a cocktail when I'm listening?
SHANNON RAGAN
I think we should, yeah.
JEFF PHILLIPS
Can we rename ours somehow? Needlestack Cocktail.
SHANNON RAGAN
Needlestack Cocktail. Yeah.
CYNTHIA NAVARRO
There you go. There you go. You could probably do that. We were talking back and forth, and I don't know why, and I just said, how about OSINT Cocktail? Even though we're not going to be doing this at night, let's just do that. And if we want to, we can.
JEFF PHILLIPS
We'll leave the option open.
SHANNON RAGAN
I love it.
CYNTHIA NAVARRO
Kirby is very artistic, and so she went and did the cocktail, and we went on a few versions, and it's like, okay, that's good. Let's go. Yeah.
SHANNON RAGAN
And Cocktails during a podcast just loosens things up a little bit.
CYNTHIA NAVARRO
It does, and it makes it fun.
SHANNON RAGAN
Well, I also started listening to some of the episodes from OSINT Cocktail and really great guests and good OSINT conversations that I learned a lot from. Listening to those, I was also learning about your background a bit. It says that you've been working in OSINT investigations since 1999, although I know your investigative history goes back quite a bit farther than that. But how have you seen your landscape change relative to OSINT and I guess, how savvy do you feel like the investigative, private investigative community has been in adapting it? Okay.
CYNTHIA NAVARRO
The private investigative unit, not all has been really great in grasping it. They have probably because OSINT is now popular the word. It's like, oh, I do OSINT investigation. The question is, do you know what it is that you're doing? Do you know the tools? Do you know how to collect the information? And it has changed because I started out back in 79 doing undercover work for the state of California, and I was just using to do my reports to get my information. It was physically going to where I needed to go. And then I would write a report in the car on a piece of paper or form that they had and said, okay, I made a little mistake here, but that's okay, and hand it over. Then we slowly started merging into Alta Vista, where you could find stuff for sale up there and all kinds of information. And I started looking into it more, going, wow, look at you can get this. I went to a friend of mine that worked on the hardware side because I'm located in Silicon Valley. And I said, hey, I found something that you might be interested and this is some of your product that's being sold.
CYNTHIA NAVARRO
And he goes, you're kidding me. I said, no, here's the person that's selling it. And he goes, what is that? And so I showed him how to use it, and it progressed from there. As the Internet progresses, we progress. We have to because it is an evolving change, especially within the last several years. We're looking now at AI. How are we doing our searching now? Are we going through Google and all of their different servers to collect information? It's really changed so much. And I don't feel as techy. And I'm always talking about we need to get more techy, we need to understand Python and different things. And I'm like, well, that's just not what I do. I'm going to collect my friends that know how to do that and move forward. And that's what we've done, is we go out and we share the information and we learn from each other. There's no proprietary stuff. It is open source, exactly what you're looking for. You may have to pay for it for some things. You may need to be elected tracers. You need to go on their site and have a PI license in order to get access to some of their information.
CYNTHIA NAVARRO
So you may be limited on a couple of things, but generally overall, anyone can go out and get what we're doing. It's just understanding how to go and do it.
SHANNON RAGAN
I was actually curious. We talk a lot on this show about any sort of risk involved in going to these random sites on the Internet. Whether it's like a cyber risk or that you're a suspect or the person that you're investigating, you could tip off in the process of that research. Do you see a lot of awareness around that in the private investigative community or is that still kind of also in the learning curve?
CYNTHIA NAVARRO
I think it's a learning curve for everybody. They're not understanding what's being collected because it's not their area of expertise, which is like, let's hop on there, let's get it. And if you're not getting training and you're not asking questions and you're not understanding what that information is, well, is the information true or not true? What can they get from me if I go into this website? What are they collecting? You have to really stop and think about where you're going for information. What are they collecting from you as you go in? Do you want them to know where you're located or not? What systems are you using? Because everyone is collecting so much information whenever you enter. And we just think that we have to be more diligent on understanding that.
SHANNON RAGAN
We do have some good episodes from the beginning of Needlestack that I think really go in depth on the details of that. Like, what is the information they're getting? How are they collecting it? What does it mean in terms of how they can identify you? So if people are looking for those kind of get educated resources, check out season One Canon.
CYNTHIA NAVARRO
And it has to be explained to a lot of folks that are not comfortable with technology, right? It should be, but they're not comfortable with technology. So you need to have a space for folks that, okay, let's go from the basics here so you really understand. And then it's just like going from basic to intermediate to advanced. You just have to be at that intermediate for sure to go to advanced. That's great. You're learning even more. But it's scary because everybody has different opinions as well. Who do you believe?
JEFF PHILLIPS
Right. And your skill set, maybe your curiosity and your ability to research and investigate. Right. Having become a technology expert is not something you may want to do, but having the top level understanding what they're collecting sure is helpful in keeping the good tradecraft, for sure. And I'm going to link that too with your podcast. You've had some really interesting guests since it began. First of all, how do you find your guests? We found you. We're always looking for guests. But more importantly, what do you hope they'll bring to your listeners? Is it a certain type of guest that you're looking for? How do you go about that? And what do you hope they bring?
CYNTHIA NAVARRO
We're hoping that they can provide information for anybody that's in OSINT, whether you're advanced or just starting out. And it's just sharing and educating all of the people that we've had on. There have been friends between Kirby and I. We know so many different people within the world. Forensics, Amber Schroeder was on, but Amber also is very savvy for social media and how you bring things together. So Amber Schroeder, as one of our guests with Caravan, she was perfect. Cynthia Hetherington was on there. Cynthia is awesome where that hospitals and cocktail came from too, now. So our guests are mainly to give you different sides to look at things, maybe something you didn't realize. So it's something for everybody.
SHANNON RAGAN
Well, I guess in relation to that, there's many perspectives that you need to take and use to corroborate and verify information that you find in your research. We've talked in episodes past about not leaving information on the table. Whether that means venturing onto the dark web is kind of the extreme of that becoming familiar with how you can search social media and do that legally and safely depending on your jurisdictions. There was one episode of your podcast that I was listening to that was talking about even just the basics of search engines. Like, so many people just default to googling things, but for different types of investigations, there might be different search engines or image search options that work differently in different places. Could you talk a little bit about your experience with that and why you might go search differently for different things?
CYNTHIA NAVARRO
I was trying to do some searching for an individual that and I will say admit this, I search people that want to be friends on LinkedIn. And so I'm looking to see are they really who they are? And a great example is I did a Google image search and it did not come up. So I thought, okay, this individual is from probably a different country. I'm trying to be careful of that. And so I went to Yandex and I got, wow, all kinds of photos. And I was looking at some of the photos, and I'm like, this person is probably from there. They all look the same within dressing. So I would go to Yandex, I would go to three different places, minimum of our search engine, to look for my information because you will get something different from each one. It's not going to be the same thing. What you have to understand too, though, is when you are going to these search engines, if you're going to them regularly like Google, they're keeping track of what it is that you're looking for, what you're clicking on, what you want, where you're located. And so they're giving you back information that they think you want.
CYNTHIA NAVARRO
And that is something you really need to be careful of because then if you're continuously using that for specific cases and stuff, it's only going to come back with that. You need something different. If I search for something and Shannon or Jeff or Aubrey, if you guys searched for something, we would each come up with something different within the searches because it is watching everything that you do, and then your ads are popping up on the side based on everything that you're looking at. So you have to move around to different search engines just to get it. DuckDuckGo, now, they say, oh, you can do that and nobody's paying attention. Once you leave DuckDuckGo and click on that link and go to that location, you are no longer anonymous. Folks don't understand that. And so again, it's understanding how these work and how the search engines actually work, the different types of searching that you're doing, what is the best way to search, how you're going to change your words around. It really makes a difference in going to at least three different search engines. Google is great, it's very robust. But I'll go to Bing, I've gone to Yahoo, which to me hasn't been that great for some things I've looked for.
CYNTHIA NAVARRO
But on the other hand, I've gotten some great stuff that I didn't get from the other two. So you have to go out and do three minimum and there are a ton that are out there.
SHANNON RAGAN
And to segregate that personal browsing from the investigative browsing to really kind of look at it from a holistic and new perspective, that's great advice.
JEFF PHILLIPS
We've also talked about on the past episodes that because you mentioned going to Yandex or some other engines that are more predominant in other parts of the world. And if you go there and search in English versus search in the local language within Yandex, you'll get two sets of results, right? So there becomes that ability to do you have a translation tool to help you do that stuff quickly. And again, in the end you want the most and the best information you can get access to. And I have to throw out, Cynthia: right before the show I sent you a LinkedIn request since we were going to be recording. I don't know what pictures you're going to find. This is me. If you see my picture, a link to something else across, let me know and make sure what's on Yandex about jazz. This is what I was like that's the LinkedIn. Another thing you did on your show. The first episode was interesting to me. On OSINT Cocktail, you gave a lot of attention to hardware as well as software. As far as your setups, which you and Kirby use day to day to conduct OSINT, and I do know Kirby seems to be goes deeper into the technology side.
JEFF PHILLIPS
So what's your advice though, from a setup perspective? Your expertise is on the investigating part. Is there a minimum scenario? Is it just have one laptop frozen? As not a technical expert we just talked about, you got to be safe, you've got to protect your identity, you're going to toxic places, there's lots of malware and whatnot. So what's kind of your advice as a non-technical person about your setup?
CYNTHIA NAVARRO
So with mine I have different computers for one for investigations and one for just general and then I have another one that I'll just use just to have something different because it's giving out different information. You want to be the end, you don't want people to know where you're going to. Mine is so basic, and I'll have to say I've been lucky. And through the years I've always been pretty basic about stuff. I put people in jail, I've got people really pissed and looking for me, and I've been lucky. So I'm not really the best person to ask about that. That's why Kirby is there to help. But for me, I've been lucky. I can say that. Just doing minimal stuff.
JEFF PHILLIPS
Well, we go deep and into some of that anonymity, and we have heard of things to your point. And as far as being lucky, whether they find out of you, we know people of analysts because they get found out and they contaminate across the streams, if you will, and they get doxed or something of that nature, right in the non criminal type way. But on the cyber front, it's, do they find out who your company is, and next thing now they're knocking at your door and doing any type of DNS attacks and stuff like that. To our listeners: just like Cynthia listens to Kirby, you shouldn't rely on luck when you're conducting sensitive online investigations. Don't do that.
CYNTHIA NAVARRO
Protect yourself.
SHANNON RAGAN
Yeah, I'm sure the private investigator community is well aware of the risks of doing that type of job, that you're going to piss people off. You're going to be dealing with unfamily people, unscrupulous people. So to translate that understanding of the real world effects to the information that you can divulge, even though you're just sitting at your computer doing online search, and the precautions you need to take against that, I think are really worth.
CYNTHIA NAVARRO
Educating on education, that's the way to go.
SHANNON RAGAN
I wanted to talk a minute about the OSMOSIS Association that you are a part of, along with Cynthia Hetherington. Could you just tell us a little bit about how this organization was formed or how you got involved with it and what's ahead?
CYNTHIA NAVARRO
Yeah, well, Cynthia, who is the founder for the association, she and I were talking and she always has great ideas of doing different things. And she said, I want to start an association that brings the community together that we can do, like a standardization. We want to make. One thing that is important is the ethics. There has to be ethics in what we do because there are good and there are bad in anything. So we want to have a standardization. We want to do some certifications that really are meaningful, not just a one off class that really doesn't give you the substance of learning. And then you come out on that class saying, oh, well, I've got a certificate for this. We really want to challenge the industry to be better. It's OSINT for good, as you will see that hashtag a lot and it's bringing in a mix of ovens because you have military, you have government, you have the private sector that could just be law enforcement. You have everybody that should be working together to do things and a better understanding of doing the right thing and challenging people to do that right thing.
CYNTHIA NAVARRO
So that kind of was the start of it and educating because we want to provide folks with the best of the training that's out there from people that are known and that know exactly what they're doing. We want to make sure that we're providing a platform where they can communicate with one another, so there'll be a platform where they can go back and forth and ask questions and we can answer them. Someone else can answer them within the community. But it's really just that it's the OSINT community and the tradecraft that you want to enhance for the matter.
SHANNON RAGAN
Yeah, that's a great organization. I know OSMOSISCon is a great event in the industry and lots of good information, resources and connections to be found there.
CYNTHIA NAVARRO
Yeah. You want to look down the road with me? I have talked about well, in California at this point, people that are doing OSINT, they've not been looking at them. Technically, if you're going to do OSINT within California, you need to be a licensed private investigator because you're doing investigations into people, into companies, and that's what is under investigations. And so we want to be careful in what we're doing to make sure we're doing the right thing, especially if you're going into court. I know that recently I had a call from someone and said, hey, I've got a client that's an attorney and they want to make sure that whoever is doing the OSINT work has a private investigator's license. And I said, okay, that's no problem. I have it, we can do it. But if they had someone that wasn't a private investigator, it wasn't licensed or from another state. The question is, is that evidence admissible? If you go back and look as an easy one for court, there's some outside investigators that came into California, and then when they went into court, none of their work was admissible because they were not licensed in the state of California.
CYNTHIA NAVARRO
So what's going on in other states? How is this going to really affect us? So with things like that, we need to educate the community in and what they're doing is something maybe not legal that we would not even think about over in another country. So communicating and bringing this community together is only going to be helpful for us and to understand it. So we're not getting in trouble getting licensed insurance. OSINT doesn't think about getting insurance. Investigators do. Or I work with a lot of high tech companies, and they want you to be insured anywhere between two and 5 million, and there's not a lot of insurance companies that will cover that. And I just had a gentleman that will be joining us in the membership that he said, I've called everywhere. I can't find one. I've been going crazy. And so we were able to give him a couple of places, and he was thrilled. That was like the best thing that happened. But he would not have had a job had he not been able to get that insurance. And he got that just from, again, communicating with other people within the industry, and that saved him.
SHANNON RAGAN
You need the community, for sure.
CYNTHIA NAVARRO
Yeah. Just a couple of little examples.
JEFF PHILLIPS
And the events in New Orleans this year, I think, right? There's a benefit to that.
CYNTHIA NAVARRO
It is really cool, isn't it? We've been there before. I have pictures. I don't show them publicly, but we have pictures. It's a great place. They're working hard on it. I haven't been involved in as much with that because of working on some stuff for the content and so forth for the association. But this association, I think, will be so beneficial for the OSINT world and board of directors. We have also educational review board with nothing but professors on that one. We have an advisory board. So we're really looking at it in a business perspective of doing the right thing.
JEFF PHILLIPS
It's sort of building off of honey. You mentioned these outsiders that they just weren't from California. They weren't outsiders, but they had these outsiders.
CYNTHIA NAVARRO
Outsider. That's right.
JEFF PHILLIPS
A little bit different, I guess. Take on it. We talk a lot about what's posted online. This has come up a lot with the Russia and Ukraine war and are things that are being posted is that true or is that from a photo from a conflict years ago in a different place, I guess, at a higher level? What are some of your tips for verifying information that you find through these investigations that you're doing? And as far as testing the veracity of it, so that you can be confident that what you've identified and what you're going to provide in whatever format you're providing it? It's true.
CYNTHIA NAVARRO
Yeah. Well, you're going to different sources. I can tell you who is a great example of this, is Bellingcat. They are awesome. They are going out and verifying and it is a crowd source. So you have to go out and verify that what that information is. So more than just one place. Don't take that one person like Jeff, I can't take you that you are Jeff Phillips. I see your face, I see your name, but are you really Jeff Phillips? So I need to go out and check that out, get more pictures of you. Just get that information. But when you're out there like Bellingcat does, they verify that information so they can say, this is how we came across. We believe this is true. I mean, not everything's 100%. We have to understand that. But you have to do your best as possible to verify that what you're providing is the truth. Because there's so much misinformation out there. Yeah.
SHANNON RAGAN
I feel like, Jeff, you were very hesitant to use the big T word. Is this true?
JEFF PHILLIPS
True. What is true.
SHANNON RAGAN
In the intelligence reports that are the outcome of these investigations? That there also has to be a gauge of reliability or any sort of caveat to the information that you're revealing? How do you tackle the reporting aspect of your work, either in terms of that kind of informing on the reliability of information or just like the means of communicating it? How do you get your point across?
CYNTHIA NAVARRO
I try to get the best information I can with the backing up of it. I keep all the back up, the links that I go to when I've gone to it and I do at the bottom of it. You definitely want to have a disclosure that this may not be exact. You have to remember that humans are putting in a lot of the information that you're collecting. They could have made an error, so there are errors that are out there. A great one would be if you're running an individual through database and you pull all the information and they have all these people that are connected with the address that you're looking at. Well, who's really connected to that address? And what are the times that they were connected with it? And did they really live at these addresses? Because it's not true if you have to understand on that aspect of it is understand that if you have a credit card with someone and whoever the person is that is the main person, that address is the ones that you use. But if you're on that credit card automatically, their address now is part of your address.
CYNTHIA NAVARRO
So again, it's understanding how you're getting your information, what you're looking at, and then communicating that. So if you're not sure of something, you communicate that. We're not sure if this is why, but this is to the best of our ability, this is the right answer for you. So for me, that's the easiest way to do it is to be open about it because there is nothing 100%.
SHANNON RAGAN
I loved one of your tips from the podcast. That was like a great idea moment for me was if you're unsure of the validity of a database is run yourself through it because of course you're the person to know that's the only thing that is true with a capital T. So that was a great tip.
CYNTHIA NAVARRO
Yeah. I use my ex husband all the time in class to talk about who all these people are. The perfect one.
SHANNON RAGAN
That's great. Yeah. Find your test case. That's great.
CYNTHIA NAVARRO
Yeah. And anything that you're working on, put yourself in there. Put something in there you already know and that will help validate for any tools you're looking at. Just do something that you know and to help validate what you're doing. And then you'll know this is not quite right. Why is that?
JEFF PHILLIPS
That's great advice. That's a great tip too, there. This has been a great episode, Cynthia. I really appreciate before we go, where can people find you? Are you on Twitter? We know on LinkedIn. You're going to vet my picture? Where can people find you?
CYNTHIA NAVARRO
Probably LinkedIn is the best. I haven't been at Twitter in a while and that's under Finnegan.
SHANNON RAGAN
Everything is fine there. Nothing's happening at all.
CYNTHIA NAVARRO
But I'm not out there as much. Probably more so on LinkedIn and more lately, because I'm trying to understand things I may not know. So I'd say LinkedIn is the best way to reach out to me, because I do answer it and I'm on it quite a bit for other things. But if you just look under Finnegansway, you'll find me somewhere. I think I have an Instagram, but it's private. Yeah, I'm not the most social person out there.
SHANNON RAGAN
Probably best in your field, too.
JEFF PHILLIPS
Probably best in your field. Yes. As a private investigator.
JEFF PHILLIPS
Well, Cynthia, thank you for joining us today. If you liked what you heard, you can view transcripts and other episode info on our website, authentic8.com/needlestack. That's authentic with the number eight, .com/needlestack. And be sure to let us know what you thought of the show on Twitter @needlestackpod and to like and subscribe wherever you're listening today. We'll be back next week with more OSINT research tips. We'll see you then.