What is a Sock Puppet? A fake online persona used for OSINT investigations to maintain anonymity and access information.
The Sock Puppet Lifecycle:
Step 1: Persona Development
Name: Choose realistic name for target region Age: 25-45 (most versatile) Location: Major city (blend in) Occupation: Generic (marketing, sales, consultant) Interests: Common hobbies (travel, food, fitness)
Persona Worksheet:
Basic Information: - Full Name: Sarah Michelle Johnson - DOB: March 15, 1994 - Location: Austin, Texas - Occupation: Digital Marketing Coordinator Background Story: - Originally from: Columbus, Ohio - Education: Ohio State University (Marketing, 2016) - Moved to Austin: September 2019 - Why: Job opportunity in tech sector Interests: - Professional: Digital marketing, SEO, content creation - Personal: Hiking, photography, coffee shops - Entertainment: True crime podcasts, Marvel movies
Step 2: Supporting Infrastructure
Email Account Creation:
ProtonMail Account:
- No phone required - Access via Tor - Encrypted - Professional appearance
Gmail Backup:
- Use sock puppet phone number - Required for some platforms - Enable 2FA with virtual number
Phone Number Options:
Google Voice: Free, US numbers
TextNow: Free with ads
Burner: Paid, more features
MySudo: Multiple identities
Step 3: Profile Photos
AI-Generated Photos:
1. Visit: thispersondoesnotexist.com 2. Refresh until suitable image 3. Save multiple variations 4. Use reverse image search to verify uniqueness
Photo Preparation:
Main profile photo
2-3 casual variations
Professional headshot style
Different backgrounds/lighting
Step 4: Building Credibility
Week-by-Week Building Plan:
Week 1: Foundation
Create email accounts
Set up phone number
Create password manager entry
Document all credentials
Week 2: Primary Platforms
Create LinkedIn profile (basic info)
Set up Facebook (privacy settings high)
Twitter/X account (follow news/interests)
Week 3: Engagement
Like/share relevant content
Join 2-3 relevant groups
Comment thoughtfully (build history)
Week 4: Expansion
Add connections strategically
Post original content
Instagram if needed
Week 5+: Maintenance
Regular activity (not daily)
Consistent persona voice
Build connection network
Firefox Privacy Configuration:
Essential about:config Changes:
privacy.resistFingerprinting = true privacy.firstparty.isolate = true privacy.trackingprotection.enabled = true network.cookie.cookieBehavior = 1 geo.enabled = false media.peerconnection.enabled = false
Must-Have Browser Extensions:
uBlock Origin
Blocks ads and trackers
Reduces fingerprinting
Improves performance
Privacy Badger
Learns to block invisible trackers
Developed by EFF
Complements uBlock
HTTPS Everywhere
Forces encrypted connections
Prevents eavesdropping
Automatic operation
User-Agent Switcher
Mask browser identity
Appear as a different OS/browser
Useful for compatibility
Canvas Blocker
Prevents canvas fingerprinting
Randomises canvas data
Multiple protection modes
VPN Selection Criteria:
No-logs policy (verified)
Multiple country options
Kill switch feature
Allows Tor usage
Reasonable speed
Recommended Approach:
Internet → VPN → Tor → Target Site
↓
(Your ISP sees VPN)
↓
(VPN sees Tor)
↓
(Exit node sees target)Tor Browser Configuration:
Download from the official site only
Never modify Tor Browser
Check for updates regularly
Understand limitations (no plugins)
Password Manager Setup:
Separate vault for OSINT work
Strong master password
2FA enabled
Regular backups
Secure Note Organization:
/OSINT Credentials/
/Sock Puppets/
/Sarah Johnson/
- Email credentials
- Social media logins
- Security questions
- Phone numbers
- Important dates
/Tool Accounts/
- API keys
- Service logins
/Investigation Notes/
- Active cases
- Archived dataFolder Structure Template:
/OSINT_Operations/
/Tools/
/Scripts/
/Applications/
/Documentation/
/Investigations/
/Active/
/Case_001_CompanyName/
/Raw_Intelligence/
/Processed_Data/
/Reports/
/Evidence/
/Archived/
/Sock_Puppets/
/Active_Personas/
/Retired_Personas/
/Templates/
/Report_Templates/
/Checklists/1. Using Real Identity
Never log into personal accounts
Don't use your real email
Avoid your home IP address
2. Poor Sock Puppet Management
Inconsistent persona details
Unrealistic behaviour patterns
Cross-contamination between puppets
3. Inadequate Documentation
Not recording sources
Missing timestamps
Losing track of credentials
4. Security Lapses
Forgetting VPN
Reusing passwords
Mixing personal and OSINT work