This repository is actively maintained by Trace Labs staff.
PRs are always welcome. We do, however, ask that you read the CONTRIBUTING.md guide before opening a PR.
If you want to recommend a tool to add to the VM, report a bug, or have any issues, feedback, or questions about the VM, please open an issue.
The repository includes a recipe file to build a Linux OSINT Distribution for Trace Labs based on the Kali Linux kali-vm script - https://gitlab.com/kalilinux/build-scripts/kali-vm
Use this if you just want to import and go.
- GitHub Releases (canonical): https://github.com/tracelabs/tlosint-vm/releases (2024 VM release)
- Mirror (Google)
  - Click here to download the VirtualBox OVA (2025 VM Release)
  - Click here to download the VMware OVA (2025 VM Release)
- Checksums:
  - VMware: 6f3323b01afff853a35bcfb7e98be751fd17922006f453da2627963975949289
  - VirtualBox: a6d841c19ed55e5d4338280724238ea5b80e57a33d9462efda24bce965d1666d
```
# Linux/macOS
sha256sum <downloaded-file>.ova
# Windows (PowerShell)
Get-FileHash .\<downloaded-file>.ova -Algorithm SHA256
```
- VirtualBox: File → Import Appliance… → select .ova
- VMware (Workstation/Player/Fusion): File → Open… → select .ova
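The checksum comparison above can be scripted so that a mismatch or an unusable expected value stops you before the import. This is an added example, not part of the tlosint-vm repository; `verify_ova` and `sha256_of` are hypothetical helper names and the file name in the usage comment is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not from the tlosint-vm repo). verify_ova and sha256_of are
# hypothetical helper names; the expected values are the README's checksums.
VMWARE_SHA256="6f3323b01afff853a35bcfb7e98be751fd17922006f453da2627963975949289"
VIRTUALBOX_SHA256="a6d841c19ed55e5d4338280724238ea5b80e57a33d9462efda24bce965d1666d"

# Print the lowercase SHA-256 of a file with whichever tool is installed.
# Reading from stdin keeps odd file names out of the tool's output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print tolower($1)}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print tolower($1)}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# Return 0 on match, 1 on mismatch, 2 when the check could not be performed.
verify_ova() {
    local file="$1" expected actual
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    # A truncated or mangled paste must not be compared at all.
    case "$expected" in
        *[!0-9a-f]*) echo "expected value is not hex" >&2; return 2 ;;
    esac
    if [ "${#expected}" -ne 64 ]; then
        echo "expected value is not 64 hex characters" >&2
        return 2
    fi
    if [ ! -r "$file" ]; then
        echo "cannot read $file" >&2
        return 2
    fi
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "MISMATCH for $file: got $actual" >&2
        return 1
    fi
    echo "OK: $file matches $expected"
}

# Usage (the file name is a placeholder for the OVA you downloaded):
#   verify_ova ./downloaded-file.ova "$VIRTUALBOX_SHA256" && echo "checksum verified"
```

A match shows that the file from the mirror is the one this README describes; it does not authenticate the README itself.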
Default login
username: osint
password: osint
Use this if you want a lean Kali image and then install/update OSINT tools + Firefox hardening on demand.
Note:
tlosint-tools.sh is a standalone script that is not part of the VM build process. It's designed to be downloaded and run manually by end-users on any Kali or Debian-based system to install OSINT tools on-demand. This keeps the VM image size small while giving users flexibility to customize their toolset.
Download the raw file, not the GitHub "blob" page.
```
# Inside Kali (or your Debian-based VM)
cd ~/Desktop # or any folder you prefer
# Fetch the script (RAW URL)
wget https://raw.githubusercontent.com/tracelabs/tlosint-vm/main/scripts/tlosint-tools.sh
# Give the script executable permission
chmod +x tlosint-tools.sh
# Execute the script
./tlosint-tools.sh
```
- Refreshes the Kali archive keyring and applies updates
- Installs a curated OSINT toolset (Shodan CLI, Sherlock, PhoneInfoga, SpiderFoot, sn0int, Metagoofil, Sublist3r, steghide/stegseek, StegOSuite, exiftool, tor, torbrowser-launcher, translate-shell, etc.)
- Adds TraceLabs CTF Contestant Guide (PDF) and a Self-Heal & Update shortcut to the Desktop
- Applies Firefox hardening (delete cookies/history on shutdown, block geolocation/mic/camera prompts by default, stronger tracking protection, preload OSINT bookmarks)
Releases follow a scheduled cadence. Releases are owned by assigned maintainers—usually Trace Labs staff. Release owners and timelines are proposed and confirmed during our quarterly planning meetings.
See RELEASES.md for more details.
These are pre-generated bundles that can be imported into either VirtualBox or VMware. They are generated with the code in the main branch of this repo with no interference from us. The goal here is to produce a finished product but give the users insight into the "recipe" used to build it.
After you've downloaded the release that applies to you, it should be as simple as importing it into your hypervisor.
https://github.com/tracelabs/tlosint-vm/releases
username: osint
password: osint
The note-taking app Obsidian comes bundled with the VM. There is an icon on the desktop to launch Obsidian, or you can run the AppImage located in the home directory. We've already set up a vault for you called "TL Vault" that lives on the Desktop. The first time you run Obsidian, open that vault folder. The default theme is the Trace Labs theme.
If you'd rather build your own from source or modify the version we've released, then building your own is fairly straightforward. (Note: You don't need to do this if you've already downloaded a release and imported it into your hypervisor.)
We highly recommend that you do your build in Docker. This assumes that you already have Docker installed on your system and that you are running the build on an Intel-based chip.
With that in mind you can:
```
git clone https://github.com/tracelabs/tlosint-vm
cd tlosint-vm
chmod +x build-in-container.sh
./build-in-container.sh
```
You can explore the different build options with the -h flag.
The majority of OSINT tools no longer come pre-packaged with the VM. There is an option to download them via a helper script. This keeps the size of the release small enough to build and host on GitHub.
Note: The tlosint-tools.sh script is a standalone utility that is not executed during the VM build process. It's provided as a convenience script for users who want to install OSINT tools on-demand after importing the VM.
If you want to install the tools using our helper script, run the tlosint-tools.sh script found in the scripts/ folder. Example:
- Open a terminal
- From the repository root (or wherever you saved the script), make it executable and run it:
```
chmod +x scripts/tlosint-tools.sh
./scripts/tlosint-tools.sh
```
Resources
Reporting
Browsers
Data Analysis
Domains
Downloaders
Frameworks
- Little Brother (Archived)
- OSRFramework
- sn0int
- Spiderfoot
- Maltego
- OnionSearch
Phone Numbers
Social Media
Usernames
Other Tools
Firefox
- Delete cookies/history on shutdown
- Block geo tracking
- Block mic/camera detection
- Block Firefox tracking
- Preload OSINT Bookmarks
PRs are welcome. We ask that you PR into the Dev branch.
See CONTRIBUTING.md for more details.