Listen to this episode:
In this episode of From the Source, host Matthew Stibbe interviews Ritu Gill, president of the Osmosis Association, discussing her extensive background in OSINT, the importance of effective report writing, and the role of AI in the field. Ritu shares insights on professionalising OSINT, the significance of ethics, and the certification opportunities available for aspiring OSINT professionals. The conversation also delves into the challenges and advancements brought by AI, as well as the innovative Forensic OSINT tool designed to preserve online evidence.
AI-generated transcript
Matthew Stibbe (00:01.231) Hello and welcome to From the Source, the Blackdot podcast. I'm your host Mathew Stibbe and I'm here today with Ritu Gill, who is the President of the Osmosis Association. Great to have you on the show Ritu.
Ritu Gill (00:15.298) Hey Matthew, thanks so much for having me here. I'm happy to have a conversation with you.
Matthew Stibbe (00:20.493) And I'm very excited to meet you today. I know you've got this expo coming up in DC in August. Perhaps you could tell me a little bit about the subject of your talk there and a little bit about your career history in OSINT.
Ritu Gill (00:38.434) Of course, I can start with my career history. So I have 18 plus years with Canadian law enforcement. I started off, completed my degree in criminology. Pretty much about a month later, I believe from what I recall, because it's been a few years, I got right into working for law enforcement. And I just never really ended there. I just kept going. And that is kind of how I got into it. So it wasn't
the first job I got. It wasn't the first job that was OSINT related. It took a lot of building towards getting experience and getting to that stage. So I did lots of different jobs for law enforcement, but eventually becoming a researcher and then becoming, you know, a junior analyst, then becoming an analyst and open source analyst and so on. So that's kind of some of the background of it. I'm going to switch gears and talk about the DC Expo that is in just actually in a couple of weeks, less than actually not... just a week away. My talk is about how someone can thrive in OSINT. And so what I'm gonna be talking about is career kind of lessons. So some of my takeaways from where I started to where I am today and what got me there. So, you know, things like talking about my origin story and...
just some tips that people can take away and hopefully apply, especially people who are starting out and really want to get into it. And there's different ways of doing it, but I want to be able to share my story. And hopefully that's inspiring for some people.
Matthew Stibbe (02:18.943) I'm sure it will be. And what has remained constant over those 18 years for you?
Ritu Gill (02:26.264) So I think there's gonna be a few things that stick out to me, but there's gonna be things like your mindset, right? The way you look at things, you can come across all sorts of research problems and research objectives, or I like to call 'the intelligence question', right? Your customer asks for something, but the way you look at a problem can really...
set out how it's going to look like in the end and through the middle and to the end. But things like curiosity, like how you look at something, how you make an assessment of what your customer needs. Right? So there's going to be, when I say things, there's certain things that stay consistent. I think it's like the mindset is so important. Critical thinking, and I feel like I've said this many times, but critically being able to look at a problem and asking questions about it, right? Asking yourself questions about it to really get some of that thought process going. So I think that's one thing that really sticks out to me. And I want to be able to touch on that, hopefully give some examples in my talk. But there's other things as well. It's such a big topic because it also takes me to a topic I recently covered about report writing. Close to my heart
Matthew Stibbe (03:50.863) Close to my heart... as a writer.
Ritu Gill (03:53.15) Right, yeah, so it's not the most exciting topic in OSINT, but at Osmosis we covered it in our monthly newsletter, and it was one of those topics that I'm like, well, it's something that I wish someone had kind of walked me through earlier on, because I felt like my research skills were so strong at that time, but my report writing was okay. So I feel like if we could have connected those two dots a little early on. would have been, it would have made life easier, but it would have made it better for who I was working for at that time as well.
Matthew Stibbe (04:32.783) And what does good report writing look like? I mean what's the difference between good and okay?
Ritu Gill (04:37.954) Yeah, so I think, are you able to, there's so many different ways I can answer this question, but I always say like every research project or assignment that somebody has, there's gonna be a question that you're trying to answer. So the questions I ask is like, can you, have you answered that question? Can you answer it? It's kind of like what the 'so what' is. So if your customer reads your report, and they understand what the 'so what' or the takeaway is, that's a good thing. But if they look at it and they're like, yeah, so what? Like there's no answer to that. That might be a problem. be. Yeah, exactly. Yeah. So I think like being articulate, being able to explain what you did, how you did it, those are other things that go a really long way because…
Matthew Stibbe (05:19.001) Same with marketing, by the way.
Ritu Gill (05:32.18) If you're somebody who may end up in court and you may not be, but you'll still have somebody on the other end asking, hey, what does this mean? So you want to be able to be articulate, be able to explain what you did, how you did it. I think it's not just about those end results. It's also, how did you get here?
Matthew Stibbe (05:53.229) And is there a technique or a requirement to explain to somebody who may be unfamiliar with the world of OSINT how you used OSINT to come to some conclusions or deliver some 'so what' explanations or is there a danger that they might overinterpret or misinterpret, not understanding how you got there?
Ritu Gill (06:18.54) Yeah, I always try to like if there's been someone who is starting out and I've been training them I try to give them examples of like a good report versus something that I would consider maybe not as strong. I find like again everybody learns differently in a different way but for me I'm like if I can see if you could show me what a good OSINT report looks like,
I might be able to understand like, okay, I understand like, you know, the setup, especially if somebody doesn't come from that background and they're new into it, they're not going to really know. It's hard sometimes to just throw somebody into the deep end. And I know people do that. Companies do that. But is that the best way to find out, right? Because there's also ways to take people who might not have that experience, but you can build them up to be great analysts.
Matthew Stibbe (07:12.569) Certainly when I'm training writers in my profession, the first thing I have to overcome is the tendency they have to write like academics.
Ritu Gill (07:23.182) Got it. Yes. That's gonna, those are gonna be big challenges, but yeah, for sure.
Matthew Stibbe (07:24.207) Yeah.
Matthew Stibbe (07:30.263) So you mentioned that this was a topic that Osmosis had been working on. So tell me about Osmosis, what role does it play, what does it do, who is in it?
Ritu Gill (07:41.57) Yeah, so Osmosis is an association for OSINT professionals essentially. What we want to do, and I was lucky enough to be named the president this year, which has really been an honour, and we're trying to take OSINT and make it professional. So we want it for professionals, we want to professionalise it. What that means is...
we want people to do OSINT for good. We want people to engage with other people who are doing it in a professional and ethical manner. So ethics is a big part of what we do as well. And we really push for that. We tell people like there's... there are people out there doing OSINT for bad, but we... we don't... we don't follow that. We're all about OSINT for good. We want to be able to show people the potential OSINT has
as an industry and there's many ways we do that. We have conferences throughout the year, we have events throughout the year in different locations which is pretty exciting as well because you get to network with different people and find out hey maybe how did they get into OSINT and then help each other right. It's really about building each other up, how can we support each other, how can we support the OSINT industry into making it something more solidified making it something where more it's co... cohesive and I find yeah, it's been... I feel like it's been one of those things that I, I before even I was associated to Osmosis, you know I remember a number of years ago showing up that Osmosis con and it was such a big, big event for me in that I think it opened up a lot of doors and I just got out there I didn't know anybody I was like, okay, I'm just gonna go by myself and go talk to some people. But it was amazing how many people I was able to connect with.
Matthew Stibbe (09:38.351) Coming from the outside and meeting a few people in the profession through these podcasts, it seems a very small, cohesive and very highly networked body of a profession. It reminds me of when I started doing computer games a million years ago. The Computer Game Developers Conference was like a few hundred people and now it's thousands and thousands of people. It feels like it's at that stage. So how does Osmosis... what work are you doing? You're running this conference in DC in a series of conferences. What else do you do?
Ritu Gill (10:13.454) So another big part of what we do, so we do events and we've done different events throughout this year. I'll just start with, we started with like a career focused event in January. That's how we started off the year, but it takes us to, we've done many, many events. We've spoken at many different events where we're like, hey, this is what we do, but we also offer open source certification, the OSC. So essentially what that is is, often people are taking OSINT training and there's different places you can get training. However, the OSC is a professional certification that someone can say, hey, like I've done this exam. It covers really important aspects of OSINT, I think, when it comes to critical thinking. It talks about tradecraft, it talks about reporting. So all those kind of important parts that we've talked about. And then of course, laws and ethics as well.
So what the OSC is, it's a hundred question exam and it's gonna be, I think, I believe you have a 90 minute constraint where you can answer these multiple choice questions. But at the end of the, if you can pass the exam, you get that certification. And it's not one of those certifications that's out of reach for people. Cause I think that's really important. There are organisations out there where it's out of reach because of cost, or, you know.
Matthew Stibbe (11:41.007) doing a Cisco Doing a Cisco network certification or something that takes five years and tens of thousands.
Ritu Gill (11:44.014) Yeah, exactly. Like it's very reachable. So we often will have an event and we'll be running the OSC at the event. And people can also sign up online for it as well, because we have a OSC frequently asked questions because we get a lot of questions about it. But yeah, it's a really good exam, I think, to test people again. If you can show that you have you've had some open source training.
Because we want people that have experience, but they're like, hey, but I want to be certified. Well, we can help you do that. So that's, that's a really big part of what we do as well.
Matthew Stibbe (12:23.191) Are there sort of professional standards or I don't know, consistent ethical policies or something like that across the industry, not just within Osmosis, but generally? For example, my wife is an accountant, so you know there are very detailed requirements and certifications or accreditations and things. And I'm wondering how far down that road of professionalisation the OSINT profession has gone.
Ritu Gill (12:50.732) Yeah, I think it really depends because I find, because it's open source intelligence and anybody could be doing it. A lot of people are doing it. There's no one kind of, hey, this is, this is what you follow. But like as us, as an organisation, what we've done is we adopted the Berkeley protocol, kind of as a guidepost. So, again, at the end of the day, what we're trying to enforce is ethical use of open source data. So we adopted this kind of protocol that already exists out there and that's what we want to do. But there isn't one that exists that every single person follows. As much as we'd like that, it's impossible to control. But I think we add value because we're able to share like, hey, these are the takeaways. This is something that you might want to...
look at because we do get a lot of people reaching out to us and asking questions in terms of whether it's ethics and laws and any of that kind of stuff.
Matthew Stibbe (13:56.047) Well now, so we have to change to talk about the robotic elephant in the room, AI. How is that changing the profession? How is that impacting on your work as a sort of an industry professional body?
Ritu Gill (14:12.524) Yeah, I think AI, again, it's definitely one of those topics that I'm like, okay, do we talk about it? Do we not talk about it? Because everybody's talking about it. AI is, it's a lot. And it keeps evolving. I feel like every week, you know, I look at something and there's something new, something mind-blowing usually, you know, but I think there's ways we can use it. I think I...
If you know how to incorporate it into your workflow, it could really help you. But it can also be a detriment if you don't. So it's one of those things like I try to stay up on as much as I can, impossible to know everything, but there's tools that might help me with my open source research, which I want to utilise. But there's also knowing its limits. So I think you have to kind of keep yourself in check when it comes to the new
tool that comes out that's AI-based because you have to ask those important questions. What are you feeding into this AI? Is it that type of AI or is it a tool like you have to kind of understand you want to know the mechanics of it a bit before you're using it. But those are important things that you want to think about when you come across different AI tools because there's almost too many out there right now.
Matthew Stibbe (15:32.268) It is, it's a, so how do people go about evaluating different tools and deciding whether to bring them into their toolkit? What are the sort of criteria that you're seeing people use?
Ritu Gill (15:47.054) Yeah, so that's a great question. Actually, one of my topics that I wrote on for our monthly letters was about assessing OSINT tools. And that sounds kind of aligned with what you're asking. But it was like asking the right questions, right? Like even things down to who owns this tool? Where is it from? What country is it? You know, there's certain countries that might have to give up information to their governments. Do you want to be using a tool from there?
Matthew Stibbe (16:00.057) Yeah, very much.
Ritu Gill (16:16.812) So there's lots of questions and that's just general assessing OSINT tools. Specifically AI, I don't think it's any different. Like you still want to make that assessment. Who owns the tool? Where did it come from? How long has it been around? Who are their customers? Is it something super sensitive where it's only for law enforcement or even if it's sensitive, it's open up to the general public. Do you want like, do you, so you do have to ask kind of those questions and make an assessment.
And at the end of the day, think it ultimately comes down to who you are, who you work for. Like, are you government? Are you private industry? And that can have a big impact as well.
Matthew Stibbe (16:55.535) Of course. And what do you think the biggest risks are?
Ritu Gill (17:01.272) Well, I think the risks, I mean, some of the basic ones that come to mind are like what we're feeding into AIs, because it's being used to apparently improve AI, but it's also if you're... Yeah, yeah. So to me, I'm like, wouldn't that make it a little bias if that's what it was doing in a way, but also not even that, just the sensitivity, what is somebody feeding an AI? So if I'm working on a...
Matthew Stibbe (17:11.255) Yeah, you don't want to be training on your data, right? Or your queries.
Ritu Gill (17:27.654) …sensitive report and I decide to upload it to ChatGPT is that like, again, I don't think we should be doing that. But again, how do you control that with all the users on all the people using different AIs? Like, how do you know what's being leaked out and what isn't? Like, it's like, are we just waiting to find out?
Matthew Stibbe (17:49.103) Well that's a, that whole question of...rogue IT, meaning people using their own tools or their own accounts, that's another dimension to this. I might be misremembering this, but I think I read that a judge in America had put a legal hold on all the queries that went into ChatGPT. So you're asking a question to it, and it's not even the government may or may not have access, or open AI may or may not have access, but some state court in Alabama or wherever might have access. And you're like, OK.
How happy am I about that? Thinking about it again in our world where we have client confidential information or market sensitive information in the world of OSINT it's that times 10 or times 100. But are there ways in which people can use it safely? What is required to use AI with confidence?
Ritu Gill (18:48.14) Yeah, think, I mean, thinking about how you're using it, right? Like for me, I do use AI, but there's things like I need to summarise articles, but they're open source articles. It simplifies my life, but we have to remember just because it summarises it, is it accurate? That's a question because there's times where I summarised an article and it wasn't accurate.
So again, like that, it's like fact checking what they're giving you every time, which is almost like double the work. Maybe I should have just read the article in the first place. But so that's the kind of challenge I come across. I find that I use it, but there's been times where I'm like, that's not what that article or that post said. And I know that because I read the post, but I was looking to quickly summarise it. And so things like that, that's what's a little frustrating, but it is getting better, I feel, than where we started with it.
I feel like it's doing things that you know, wasn't able to do before. I mean that's kind of obvious but like even things like those receipts that people are using, you know, creating using images. like previously when I used ChatGPT, when it first came out, it would be really inaccurate when you said give me an image of blah blah, like whatever. Give me an image of an analyst and it would give me an image of a person but then it would have text that was completely jumbled.
Matthew Stibbe (20:10.797) Gibberish text, right?
Ritu Gill (20:10.85) Like the text would be like, Yeah, but now it's almost always accurate. Like it's rare, it sometimes gives you an error, but all you have to say is fix the spelling error and you make note of the word and it fixes it. So that's kind of creepy how quickly it's like, I mean, or how rapidly it's moving.
Matthew Stibbe (20:30.339) I did a webinar two years ago about AI and marketing and I did one a couple of weeks ago and in those two years it's just like what the test I put in before was tell me about Matthew Stibbe and it just completely made up a bunch of stuff and confused me with some other, another Matthew Stibbe is a rap producer in LA would you believe and kind of conflated the two of us and all this stuff. Now, when I did it for this webinar a couple of weeks ago, completely accurate potted biography. It's like, how does it know me this well? And it was quite scary. That just as an example of the progress, it is quite astonishing. Somebody else I interviewed on this was telling me that people are using it for geolocations, upload a picture and say, where do you think this is?
Ritu Gill (21:04.205) Yes.
Matthew Stibbe (21:17.609) And so I'm just playing around with that. I don't know if you've tried that. That stuff is amazing and it does this incredible sort of Sherlock Holmes deductions about pictures, at least the ones I put into it.
Ritu Gill (21:28.554) Yeah, yeah, I know exactly what you're talking about. There are tools based on... AI-based and they do, you know, find... They can typically find like a location. But I think, again, like I tried it out when it first came out, some of those tools, and I was like, okay, well, this is a commonly known location, but I've also heard stories where it's not something that's... You could just reverse image search, but they're finding location, which is mind-blowing, I think.
Matthew Stibbe (21:58.721) It did a pretty good job of actually finding street addresses or places of about a half a dozen pictures I'd uploaded from holidays. Some of which, you you'd expect it to know, you know, you'd... but some of them were quite obscure. And I took a picture of my back garden and it got, it located my back garden to within about a hundred miles, which given that there was no geographical, anyway, it fascinates.
Ritu Gill (22:25.758) Yes. Yeah, see that part That is... that is fascinating. And I think, but then again, you can use that for, I mean, all sorts, if you're doing OSINT for good, that could be very helpful for law enforcement. It could be really helpful to find some things that we need to identify right away.
Matthew Stibbe (22:43.681) And here's the really spooky thing about that picture of the back garden. Actually, it just popped into my head. It said, it divided its answer into two parts. One was, I think you're in the south of England because of the fauna and the rolling hills and whatever, whatever, whatever. But I noticed you've got two Labradors in the picture. So I think this is a picture of your back garden, because you already told me you had two Labradors. Now that, there's a couple of bits of deduction going on there, but there's some deduction about stuff that I had told it in another context.
Ritu Gill (23:05.748) wow.
Matthew Stibbe (23:12.889) that it was remembering.
Ritu Gill (23:12.918) Yes, yeah, because it remembers, right? Yeah, no, exactly. That is so interesting.
Matthew Stibbe (23:19.393) Anyway, we're geeking out about AI. What else are you geeking out about at the moment, Ritu?
Ritu Gill (23:25.004) Yeah, I think like really it's something that I kind of mentioned already, but there's been a lot of focus on report writing lately. Whether, you know, I'm mentoring people or, you know, showing somebody like, hey, this is how, this is how I learned how to do some of this. again, I always say report writing for some people is not the most exciting, but it, matters so much because...
Matthew Stibbe (23:48.525) One of the things, Sorry, go ahead.
Ritu Gill (23:51.146) I was just gonna say because if you can do the research but you can't explain what what the findings are it's almost like what's the point of the research? There's no point so that's why report writing is so important. Go ahead.
Matthew Stibbe (24:02.285) And are there techniques for communicating levels of certainty to people in reports that are important to learn? This is something I've been curious about recently.
Ritu Gill (24:12.846) Yeah, so there's like, I mean, there's confidence levels. Again, depending on where we're taking that from, because it's done maybe slightly different depending on what agency or is it the military, it an intelligence agency? So, but confidence levels do matter in reporting. But again, like if you're doing a brief versus like an OSINT profile, like those might look different. But I think assessing that
Matthew Stibbe (24:16.238) Mm.
Ritu Gill (24:40.62) does matter because like some information that's just like, it's very low on that kind of scale, you're gonna wanna market so they know that, right? And there's a way to do that. there's, yeah, that's also a big part of that. But again, like I go back to who is your customer and do they wanna see it like that?
Matthew Stibbe (25:00.311) Right, but there's a sort of professional responsibility also to communicate when you're not completely certain in order that it doesn't get... Anyway, so listen, we're almost out of time, Ritu, so I'm geeking out about this myself, so I don't want to dive too deeply into it. I've got one last question for you before we wrap up. You're also involved in Forensic OSINT, and tell me what that is and where can people get it?
Ritu Gill (25:29.528) For sure, yeah. Forensic OSINT is a Google Chrome extension I co-founded. It's for OSINT investigators who need to save online content. So, another thing I always say is, I'm like, if you don't capture your findings, they could be gone tomorrow. And that's happened, know, lessons learned over the years, but like, sometimes you think, I'll just log in tomorrow, it'll be here. No, what if the target deletes something? What if the platform deletes it? So,
Forensic OSINT is meant for you to capture your online findings, but it is meant to capture it and preserve it as evidence. So it is forensic grade. So it hashes everything. It is essentially putting that stamp that everything that you've done has not been altered and you can take it to court and it will hold up in court.
Matthew Stibbe (26:20.296) Fascinating and where do people get this if they're looking for it?
Ritu Gill (26:23.36) Yeah, They can go to forensicosint.com. That's our website. And all the details are there, but also people can reach out directly to us to ask about it. But yeah, that's essentially, we have a lot of OSINT people that use our tool, but it's all about preservation of your data, right? Of that, you know, whether it's a Facebook timeline, whether it's an Instagram profile, that's what we do. That's like kind of the bread and butter
of what we do and yeah, forensicosint.com is where they can find it.
Matthew Stibbe (26:55.439) Fantastic. Well, that's a great place to bring this episode to a close. Ritu, thank you so much for being a wonderful guest and for all these interesting things to talk about.
Ritu Gill (27:05.56) Thank you, Matthew. I really appreciate you having me on the podcast. This has been a great chat.
Matthew Stibbe (27:11.139) It's been my pleasure. So for more about Osmosis please visit osmosisinstitute.org and if you'd like more information about OSINT, about Blackdot Solutions or their product Videris please visit blackdotsolutions.com. Thank you very much for listening and goodbye.
