OPSEC Checklist for Investigators

An OPSEC checklist is a structured set of operational security controls that investigators apply before, during, and after a search to prevent identity exposure, protect investigative integrity, and ensure the subject remains unaware of the research. These controls exist because modern research platforms, data brokers, and digital infrastructure generate persistent records of investigative activity — records that can be subpoenaed, shared, or used to alert a subject. Professional investigators, OSINT practitioners, and due diligence researchers use pre-search checklists to systematize controls that are easy to skip under time pressure. This page provides a complete, print-ready checklist organized by phase and category, drawn from the Complete OPSEC Guide for Investigators.

Skipping one item on this list does not always produce an immediate consequence. That is what makes OPSEC failures dangerous — the exposure often surfaces days or weeks later, after the investigation has progressed.


How to use this checklist: Work through Phase 1 before any search session begins. Reference Phase 2 during active research. Complete Phase 3 before closing the session. The category breakdowns inside each phase let you jump directly to what you need on mobile.


Legal Notice

This checklist is intended for lawful investigative research only — due diligence, background verification, locating missing persons, and legitimate OSINT work. Nothing here facilitates harassment, stalking, or evasion of law enforcement. Know your jurisdiction before conducting any investigation.


Phase 1 — Pre-Search Setup

Complete every item in this phase before opening any research platform or running any query. This phase is non-negotiable. A single skipped control here can compromise everything that follows.


🌐 Network

  • [ ] VPN is active and confirmed — check your IP at a leak-test site before proceeding
  • [ ] VPN provider is no-logs (Mullvad or ProtonVPN recommended — see OPSEC Tools for Investigators)
  • [ ] You are not on a home, work, or mobile carrier connection without VPN
  • [ ] DNS leak test completed — confirm DNS is routing through VPN, not your ISP
  • [ ] WebRTC leak check completed — browser is not exposing your real IP through WebRTC
  • [ ] If using Tor: VPN is active before Tor connection (VPN → Tor, not Tor → VPN)

Key takeaway: Your IP address is the most basic and most exploited exposure vector. If VPN is not confirmed active before the first query, stop. Every search after that point is logged to your real location.


🖥️ Browser

  • [ ] Dedicated investigative browser is open — not your personal or work browser
  • [ ] Browser profile is clean — no saved passwords, autofill, or personal accounts
  • [ ] Cookies and cache cleared from previous session
  • [ ] uBlock Origin installed and set to strict mode
  • [ ] privacy.resistFingerprinting enabled (Firefox: check in about:config)
  • [ ] JavaScript disabled or restricted for high-risk platforms
  • [ ] Browser is not signed into any personal account (Google, Apple, Microsoft)
  • [ ] No browser extensions beyond privacy tools — extensions expand your fingerprint

Key takeaway: A VPN masks your IP. It does not mask your browser fingerprint. Modern platforms can identify you across sessions through screen resolution, installed fonts, timezone, and plugin inventory — even if your IP changes every session.
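One way to verify several of the browser items above before a session, as an added example that is not part of the original checklist: a Python audit of the text of a Firefox profile's prefs.js or user.js. The mapping from checklist items to preferences and the sample profile text are assumptions made for illustration.

```python
import re

# Checklist item -> (Firefox preference, required value, Firefox default).
# prefs.js stores only values that differ from the default, so a missing
# line means the default applies. This mapping is the example's assumption.
REQUIRED = {
    "resist fingerprinting": ("privacy.resistFingerprinting", True, False),
    "WebRTC disabled": ("media.peerconnection.enabled", False, True),
    "no saved passwords": ("signon.rememberSignons", False, True),
    "no form history autofill": ("browser.formfill.enable", False, True),
    "clear data on shutdown": ("privacy.sanitize.sanitizeOnShutdown", True, False),
}

PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

def parse_bool_prefs(text):
    """Read boolean user_pref("name", value); lines; a later line overrides an earlier one."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m:  # comments, blank lines and non-boolean prefs are skipped
            prefs[m.group(1)] = m.group(2) == "true"
    return prefs

def audit(text):
    """Return (item, preference) pairs whose effective value is not the required one."""
    prefs = parse_bool_prefs(text)
    return [(item, name) for item, (name, required, default) in REQUIRED.items()
            if prefs.get(name, default) != required]

# Constructed sample profile text, not taken from a real profile.
SAMPLE = """\
// Mozilla User Preferences
user_pref("browser.startup.page", 3);
user_pref("privacy.resistFingerprinting", true);
user_pref("signon.rememberSignons", false);
user_pref("media.peerconnection.enabled", true);
"""

if __name__ == "__main__":
    for item, name in audit(SAMPLE):
        print(f"NOT SATISFIED: {item} ({name})")
```

A preference that is absent from the file is evaluated at its default, which is why two items fail in the sample without appearing in it.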


🪪 Identity

  • [ ] You are not logged into any people-search platform (BeenVerified, Spokeo, Intelius, TruthFinder)
  • [ ] Research email account is active if platform registration is required — confirm it has no connection to your real identity
  • [ ] Research email was created through ProtonMail or Tutanota and accessed only via VPN
  • [ ] No personal social media accounts are open in any browser tab or window
  • [ ] If using a research persona: persona details are consistent and documented separately

Key takeaway: Logging into a personal account on any research platform creates a permanent, platform-verified record of your search history. That record can be subpoenaed. One login erases every other OPSEC control you have in place.


💻 Device

  • [ ] You are on a dedicated research device, or a fully isolated browser profile on a personal device
  • [ ] Device is not connected to a corporate network or monitored enterprise environment
  • [ ] No personal accounts are active on the device during the session
  • [ ] Device location services are off
  • [ ] If using a VM: VM is clean, snapshot is current, host machine VPN is active

Key takeaway: A clean browser on a compromised device is not secure. Corporate networks log traffic independently of the platforms you visit. If your device is monitored, every search is recorded at the network level regardless of what the platform logs.


💳 Payment (If Accessing Paid Platforms)

  • [ ] Payment method is a prepaid card purchased with cash, or a privacy-focused virtual card
  • [ ] Payment method has no connection to your real name, address, or bank account
  • [ ] Subscription account (if required) was created with research email, not personal email
  • [ ] Billing address used is not your real address

Key takeaway: A real payment method attached to a people-search subscription is a direct identity link. It overrides every other anonymity control and creates a legally discoverable record connecting you to the account and its search history.


Phase 2 — During the Search

These controls apply during an active research session. The goal is to maintain the environment you built in Phase 1 without introducing new exposure points.


🔍 Search Discipline

  • [ ] Exhaust no-account, no-alert sources first: TruePeopleSearch, direct public records, Google operators
  • [ ] Check subject alert risk before opening any paid platform — refer to OPSEC for Background Checks for platform-by-platform breakdown
  • [ ] High-risk platforms (BeenVerified, TruthFinder, Intelius) are last resort only
  • [ ] Do not search the same subject repeatedly from the same session if using behavioral-tracking platforms (Spokeo)
  • [ ] Do not click “view full report” links from email notifications — these track your IP on click
  • [ ] Do not open research platform links from a personal email client

Key takeaway: The order in which you search matters. Starting with low-risk, no-account sources preserves the subject’s unaware state longer. Triggering a high-risk platform early — before extracting what free sources can provide — creates unnecessary exposure.


📁 Evidence and Archiving

  • [ ] Archive pages before running deeper searches — use archive.today or similar
  • [ ] Screenshots include full URL and timestamp
  • [ ] File naming convention is consistent and filenames do not contain the subject’s real name (operational security)
  • [ ] Metadata has been stripped from any downloaded files — check with ExifTool before storing (see Evidence Handling & Metadata for Investigators)
  • [ ] Research notes are stored in an encrypted location, not in a cloud service connected to your personal identity

Key takeaway: Evidence collected without proper archiving and metadata hygiene can be challenged in legal proceedings and can inadvertently expose investigative method. Archive before you go deeper — pages disappear and platforms update records.
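The archiving items above (URL and timestamp on every capture, neutral filenames) can be enforced at intake. The following is an added Python example, not part of the original checklist: it names each capture by case ID, sequence number and UTC time, refuses filenames that contain a subject term, and records a SHA-256 digest in a hash-chained manifest. The case ID format, field names and sample values are assumptions constructed for illustration.

```python
import hashlib, json, re
from datetime import datetime, timezone

GENESIS = "0" * 64  # "previous hash" used by the first manifest entry

def _flat(s):
    return re.sub(r"[^a-z0-9]", "", s.lower())

def leaks_subject(filename, subject_terms):
    """True if any subject term survives in the filename, ignoring case and separators."""
    flat = _flat(filename)
    return any(t and t in flat for t in map(_flat, subject_terms))

def entry_hash(entry):
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()

def add_entry(manifest, case_id, data, source_url, captured_at, ext, subject_terms):
    """Append a record for one captured file; returns the neutral name to store it under."""
    if captured_at.tzinfo is None:
        raise ValueError("capture time must be timezone-aware")
    utc = captured_at.astimezone(timezone.utc)
    name = f"{case_id}_{len(manifest) + 1:04d}_{utc:%Y%m%dT%H%M%SZ}.{ext.lstrip('.').lower()}"
    if leaks_subject(name, subject_terms):
        raise ValueError("filename would contain a subject identifier")
    manifest.append({
        "file": name,
        "sha256": hashlib.sha256(data).hexdigest(),
        "source_url": source_url,
        "captured_utc": utc.isoformat(),
        "prev": entry_hash(manifest[-1]) if manifest else GENESIS,
    })
    return name

def verify(manifest, files):
    """Check the hash chain and every file digest; returns the names of entries that fail."""
    bad, prev = [], GENESIS
    for e in manifest:
        data = files.get(e["file"])
        if e["prev"] != prev or data is None or hashlib.sha256(data).hexdigest() != e["sha256"]:
            bad.append(e["file"])
        prev = entry_hash(e)
    return bad

if __name__ == "__main__":
    log = []  # constructed sample capture, not real case data
    name = add_entry(log, "CASE-0042", b"<html>sample</html>", "https://example.org/page",
                     datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc), "html", ["Jane Doe"])
    print(name, verify(log, {name: b"<html>sample</html>"}))
```

An edited manifest entry shows up as a broken link at the entry that follows it, so the hash of the newest entry has to be recorded somewhere outside the manifest for the last record to be covered.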


🚫 What Not to Do Mid-Session

  • [ ] Do not open personal email, social media, or accounts in any tab during an active session
  • [ ] Do not copy research findings into a personal notes app (Apple Notes, Google Keep, etc.)
  • [ ] Do not share preliminary findings via personal messaging apps
  • [ ] Do not allow the browser to save passwords or autofill during the session
  • [ ] Do not disable VPN mid-session for any reason — if VPN drops, stop the session immediately

Key takeaway: Mid-session lapses are the most common OPSEC failures. Opening a personal tab, copying notes to a personal app, or allowing the browser to prompt for password saving can re-associate your real identity with investigative activity in a single action.


Phase 3 — Post-Search Cleanup

Do not skip this phase. Post-search cleanup prevents session data from persisting into future sessions and reduces the risk of residual exposure.


🧹 Browser Cleanup

  • [ ] Cookies and cache cleared
  • [ ] Browsing history deleted for the session
  • [ ] Any downloaded files moved to encrypted storage — not left in the default Downloads folder
  • [ ] Browser closed fully — not just minimized
  • [ ] If using a VM: revert to clean snapshot or shut down and do not save state

🗂️ File and Data Handling

  • [ ] Research files are stored in an encrypted folder or drive — not on an unencrypted desktop
  • [ ] Any notes taken are in an encrypted notes application or local document — not a cloud-synced personal app
  • [ ] Metadata stripped from any images or documents collected during the session
  • [ ] Subject name and case details are not in unencrypted filenames

🔌 Network Cleanup

  • [ ] VPN disconnected after session (do not leave it running unnecessarily across different activities)
  • [ ] Confirm no research tabs are open or restoring in browser on next launch
  • [ ] If using a dedicated research device: device powered off or network disabled between sessions

✅ Final Confirmation

  • [ ] All findings archived with timestamps
  • [ ] Evidence chain of custody documented if case may go to litigation
  • [ ] No research accounts left logged in
  • [ ] Next session will start from Phase 1 — not assumed to inherit today’s clean setup

Key takeaway: OPSEC is not a one-time configuration. Each session starts from zero. Assuming yesterday’s setup is still intact is how residual cookies, cached credentials, and persistent fingerprints accumulate into an exposure.


Quick-Reference Card (Mobile / Print)

For on-the-go use. Run through this before every session; see the full phase breakdown above for detail.

Before You Search

  • [ ] VPN active + leak tested
  • [ ] Dedicated browser, no personal accounts
  • [ ] Cookies and cache cleared
  • [ ] Not logged into any research platform
  • [ ] Research identity ready if needed
  • [ ] Payment method is anonymous if using paid platforms

While You Search

  • [ ] Free sources first — TruePeopleSearch, public records, Google operators
  • [ ] High-risk platforms last resort only
  • [ ] Archive before going deeper
  • [ ] No personal tabs open mid-session
  • [ ] VPN stays on for entire session

After You Search

  • [ ] Clear cookies, cache, history
  • [ ] Move files to encrypted storage
  • [ ] Strip metadata from downloads
  • [ ] Close browser fully
  • [ ] Document evidence chain if case is active

How This Checklist Fits Your Workflow

This checklist is a condensed operational layer drawn from the full OPSEC Guide for Investigators. It is designed to be used at the start of every session — not read once and remembered.

The three-phase structure maps directly to how a real investigation session runs: setup, execution, and teardown. Investigators who skip Phase 1 because they “already have their VPN set up” account for the majority of avoidable OPSEC failures. Investigators who skip Phase 3 because the session is finished introduce the residual exposure that surfaces in the next session.

For platform-specific OPSEC controls — BeenVerified, Spokeo, Whitepages — see OPSEC for Background Checks. For a full breakdown of the tool stack behind each checklist item, see OPSEC Tools for Investigators. For the failure scenarios this checklist is designed to prevent, see OPSEC Mistakes Investigators Make.


Download the Printable Version

This checklist is available as a one-page PDF — formatted for print and mobile, with checkbox fields ready to use.

Use this before every investigation session to ensure your search environment is clean, anonymous, and operationally sound before the first query runs.
