Skip to main content

Terminal-native passive OSINT CLI for local-first public-source investigation workspaces

Project description

REKOS

REKOS quickstart

REKOS is a terminal-native passive OSINT CLI for local-first public-source investigation workspaces. It helps organize targets, evidence, source outputs, entities, relationships, normalized findings, and correlation-quality scores in a SQLite-backed case folder.

REKOS is designed for passive public-source workflows:

  • Public-source investigation workspace
  • Target and evidence organizer
  • Username, profile, domain, URL, and indicator correlation tool
  • Local-first OSINT case workspace
  • No login automation, bypass, credential collection, or active exploitation

A case is a local workspace for one public-source research thread. Cases are stored under ~/rekos_cases/<case_name> by default. Each case keeps its own SQLite database, source outputs, evidence artifacts, graph records, findings, and exports.

Installation

Install with pipx:

pipx install rekos

Users run REKOS commands such as rekos investigate username <case> <username> and rekos investigate domain <case> <domain>. REKOS calls available passive sources through its source adapters and continues cleanly when optional external tools are absent.

Install from a local checkout:

git clone <repo-url>
cd rekos
pipx install .
rekos --help

For development, use an editable install:

git clone <repo-url>
cd rekos
python -m venv .venv
. .venv/bin/activate
python -m pip install -e ".[dev]"
pytest
rekos --help

Optional Integrations

  • sherlock enables the sherlock_username source when the sherlock command is installed
  • maigret enables the maigret_username source when available in the REKOS runtime
  • exiftool or mediainfo for file metadata collection
  • Playwright is optional for URL screenshots; HTTP snapshots still work without it

Users always run rekos, not Sherlock or Maigret directly. rekos investigate username <case> <username> automatically uses the username sources available in the current environment.

Quick Start

rekos new-case social_test
rekos investigate username social_test username
rekos findings social_test
rekos score social_test
rekos graph-summary social_test
rekos export-case social_test --output social_test.zip

Normal workflow:

  1. Create a case with rekos new-case.
  2. Add or investigate a target with rekos investigate username, rekos investigate domain, or rekos snapshot-url.
  3. Review normalized results with rekos findings.
  4. Score correlation quality with rekos score.
  5. Inspect relationships with rekos graph-summary or rekos list-entities.
  6. Export the workspace with rekos export-case.

Most users only need these commands:

rekos quickstart
rekos new-case acme-osint
rekos investigate username acme-osint alice.example
rekos investigate domain acme-osint example.com
rekos snapshot-url acme-osint https://example.com/profile/alice
rekos findings acme-osint
rekos score acme-osint
rekos search acme-osint example.com
rekos graph-summary acme-osint
rekos export-case acme-osint --output ./acme-osint.zip

Users run only rekos. Sherlock and Maigret are optional integrations that REKOS orchestrates internally when available.

During rekos investigate username <case> <username>, REKOS generates safe username variants, runs available passive username sources, stores raw source output, normalizes discovered profile URLs into findings, updates the entity graph, records timeline events, and computes correlation-quality scores. Results are correlation indicators, not proof of identity ownership.

During rekos investigate domain <case> <domain>, REKOS runs passive DNS, RDAP with registry/WHOIS fallback, HTTP/HTTPS endpoint checks, TLS certificate metadata collection, and crt.sh certificate transparency lookup when available. It records registration evidence, DNS records, web endpoint metadata, redirects, TLS certificate summaries, SPF/mail-security summaries, provider hints from TXT records, and certificate transparency findings.

Domain, URL, and snapshot workflows reject localhost, private/internal IP ranges, link-local addresses, metadata-service IPs, reserved, multicast, and unspecified IP targets. REKOS is for public-source targets only.

How REKOS Works

  • Target input: user-provided usernames, domains, URLs, files, notes, and indicators are stored in a local case.
  • Source orchestration: REKOS runs passive adapters such as username sources, DNS, RDAP/WHOIS fallback, web/TLS checks, crt.sh, Wayback, metadata tools, and HTTP snapshots when available.
  • Findings normalization: raw source output is converted into normalized findings such as discovered profiles, URLs, domains, metadata records, archive records, and registration records.
  • Graph correlation: entities and relationships connect usernames, profiles, domains, URLs, files, and notes.
  • Quality scoring: REKOS scores correlation quality from source confidence, exact or normalized matches, duplicate source confirmation, evidence presence, and graph relationships.
  • Evidence export: raw outputs, artifacts, reports, SQLite data, and manifests can be exported with rekos export-case.

Supported Sources

Source Target types Dependencies Notes
sherlock_username username sherlock binary Runs Sherlock with safe subprocess arguments and parses public profile URLs.
maigret_username username optional maigret package/tool Runs Maigret when installed; REKOS continues without it.
wmn_username username none Checks local public profile URL templates with conservative passive HTTP validation.
http_snapshot url none Captures public HTTP response artifacts and optional Playwright screenshot.
rdap_domain domain none Uses public HTTPS RDAP lookup with registry and WHOIS fallback where available.
dns_domain domain none Fetches public DNS A/AAAA/MX/NS/TXT records and extracts SPF/provider hints.
web_domain domain none Performs passive HTTP/HTTPS endpoint and TLS certificate metadata checks.
crtsh_domain domain none Queries the public crt.sh certificate transparency endpoint.
wayback_url url, domain none Queries public Wayback CDX data and records archive URLs.

Source utilities:

rekos sources list
rekos sources check
rekos sources run acme-osint rdap_domain example.com

Core Commands

rekos add-entity acme-osint --type domain --value example.com
rekos relate-entities acme-osint --from <entity_uuid> --to <entity_uuid> --type related_to --confidence medium
rekos list-targets acme-osint
rekos list-sources acme-osint
rekos show-investigation acme-osint
rekos report acme-osint --format md

Safety And Ethics

REKOS is passive-only OSINT tooling. Use it only for lawful, authorized, and ethical public-source research.

REKOS must not be used for:

  • Logging into accounts or automating authenticated sessions
  • Bypassing access controls, paywalls, CAPTCHAs, bot protection, or rate limits
  • Credential collection, phishing, account abuse, or social engineering
  • Exploitation, destructive operations, or aggressive crawling
  • Claiming identity ownership from correlation results

Scores are correlation-quality indicators only. A high score means stronger local correlation support, not proof of identity, ownership, compromise, or intent.

Local Data Model

REKOS stores:

  • Case metadata in SQLite
  • Targets, entities, relationships, notes, timeline events
  • Raw source outputs under exports/
  • Evidence and snapshot artifacts
  • Normalized findings with correlation-quality scores
  • Case ZIP exports with manifest data

Development

python -m pip install -e ".[dev]"
pytest
rekos --help

Before submitting a change:

pytest
python -m compileall rekos
git diff --check

Roadmap

  • More passive source adapters with explicit safety boundaries
  • Stronger report templates and case export validation
  • Improved graph summaries and finding explainability
  • Better import/export interoperability
  • Optional UI views while keeping the CLI and local-first storage as the core

License

MIT License. See LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

rekos-1.3.0.tar.gz (69.3 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

rekos-1.3.0-py3-none-any.whl (60.3 kB view details)

Uploaded Python 3

File details

Details for the file rekos-1.3.0.tar.gz.

File metadata

  • Download URL: rekos-1.3.0.tar.gz
  • Upload date:
  • Size: 69.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.13

File hashes

Hashes for rekos-1.3.0.tar.gz
Algorithm Hash digest
SHA256 83d5e0b9d83117d3c76d9f2571448c6ead5c8ac9581d48e8504cc5419055726b
MD5 bd98d9c684cc26286f49b597eba1b3d5
BLAKE2b-256 7b5ee795884aba85a01bd931f46c5775f87723d82c66d46db69721e448121594

See more details on using hashes here.

File details

Details for the file rekos-1.3.0-py3-none-any.whl.

File metadata

  • Download URL: rekos-1.3.0-py3-none-any.whl
  • Upload date:
  • Size: 60.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.12.13

File hashes

Hashes for rekos-1.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 597f27a1f9502bdfab46f77f2f761f0feda1867447d91ec61e97cce734ab8bf8
MD5 fe58edd1e9f2e47c71296b6b112b5716
BLAKE2b-256 9953131e6cdde46a0fb10f8b186b50334e1d2dca2c803c77dff26ab4ab1f5b08

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page