Sign in Subscribe

The Intelligence Lifecycle: Phase 2 - Collection

Mrs. OSINT

2 min read
The Intelligence Lifecycle: Phase 2 - Collection
AI-Generated

Last time we discussed Planning and Direction, and how important it is to plan before starting your research or investigation. Now comes the part that most people picture when they hear "OSINT": collecting information.

Here's the thing: Phase 2 isn't just about collecting everything you see. It's about knowing where to look, how to capture your find, and remembering that not all data is equal.

Phase 2: Collection
"The collection phase of the process involves the physical act of acquiring intelligence data and information from human, imagery, signal and other intelligence sources."
(Baker & Henderson, 2017)

What does that mean for you?
Before your browser tab count hits double digits, stop for a second and think:

  • Know your why, what, and how. What problem are you trying to solve? Are you tracking a campaign, verifying a claim, or mapping a network?
  • Choose your sources wisely. Google and other search engines (search operators), public registries, social profiles and threads, archived pages, and reverse image tools are all fair game.
  • Choose your tools wisely. Know what your tools actually do, what they collect, and where data is stored.
  • Set your collection plan. Which platforms will you check first? How will you capture the data (like saving screenshots or using metadata extractors)?
  • Don’t just grab all the things. Save what’s relevant. Ask yourself: Does this connect back to my original question?
  • Name things consistently. Use a format you can search later. Example: caseID_platform_handle_date_item (your future self will thank you)
  • Set STOP rules. Avoid drowning in data. Decide when you'll move on.
  • Remember OPSEC. Separate browser profiles or VMs, use a VPN, and keep sock puppets (burner accounts) ready if needed. Never interact with your target. (Always follow your workplace policies)
  • Always document context. Where did you find this? When? How? If you can’t explain that later, the data loses value fast.

Wow! That's a lot of bullet points. But think of Collection as laying down bricks for your investigation. This isn't Jenga! The goal is to build something sturdy, organized, and ready for Phase 3: Processing.

Do analysts always do all this?
Nope.

But most analysts know that skipping steps early usually costs them twice as much effort later. (Ouch!)

The truth is, no one collects perfectly. Sometimes you'll miss a source. Sometimes you'll over-collect and end up with too much noise. And sometimes you'll only realize after analysis that you should have captured something differently.

That's okay. The best analysts know when to pause, retrace, and refine. Don't focus on perfection. Focus on being consistent. The most important thing is to get into the habit of documenting what you did so you (or someone else) can follow the trail later.


💭 I’m curious…

  • What’s your go-to tool when you start collecting?
  • Do you track every step, or just save the end results?
  • Have you ever collected so much that you had to go back and start over?