01
What it is
Maritime OSINT is the practice of tracking vessels, tracing ownership, and documenting incidents using publicly accessible data, without access to classified or proprietary systems. It covers the full investigative arc from AIS position data through corporate registry research, port inspection records, casualty documentation, and sanctions screening.
The tools are public. The data is structured. Journalists, investigators, and compliance analysts use maritime OSINT to verify vessel locations, identify the real owners behind flag-of-convenience registrations, document flag-state failures, and build evidentially sound records of sanctions evasion.
This guide covers the complete workflow, from finding a ship using AIS data through to chain of custody discipline. Every tool listed is free or has a free tier unless stated otherwise.
When to use this guide
- Tracking a vessel's movements near a conflict zone, sanctioned port, or area of investigative interest.
- Verifying official accounts of a maritime incident against the navigational record.
- Tracing the beneficial owner behind a flag-of-convenience vessel or opaque corporate structure.
- Identifying AIS gaps or spoofing patterns that indicate potential sanctions evasion.
- Documenting ship-to-ship transfers linked to sanctioned cargo or illicit trade networks.
02
How to track and investigate a vessel using open sources
The complete workflow: from establishing vessel identity through AIS tracking, ownership tracing, port inspection records, incident reconstruction, and sanctions screening.
The following tools cover the full maritime OSINT workflow. Free tools are listed before paid.
MarineTraffic: Real-time AIS position data and historical voyage playback. Free tier available; extended history and satellite AIS require a paid subscription.
VesselFinder: Independent AIS source for cross-referencing MarineTraffic data. Free tier available. Use alongside MarineTraffic and flag any positional discrepancies.
Equasis: IMO-endorsed registry linking vessels to registered owner, ship manager, flag state, class society, and port state control inspection history. Free with registration.
Global Fishing Watch: Independent AIS reception and gap detection. Free. Particularly useful for identifying dark vessel periods and cross-referencing gaps against MarineTraffic.
OpenCorporates: Corporate registry search for tracing ownership chains across jurisdictions. Free and paid tiers.
ICIJ Offshore Leaks: Searches the Panama Papers and related leaked datasets by company and individual name. Free.
OpenSanctions: Cross-references individuals and entities against multiple international sanctions regimes simultaneously. Free.
TankerTrackers: Specialist ship-to-ship transfer tracking with satellite imagery integration. Paid. Relevant for sanctions evasion investigations involving crude oil and petroleum products.
Before you begin
Stop at the login
Most tools in this guide are publicly accessible without registration. Equasis requires a free account; use a dedicated research email address, not your primary address. If any platform prompts you to log in before retrieving data you expect to be public, stop and use an alternative source.
Legal considerations
All techniques in this guide use publicly accessible data. Do not interact with vessel systems or attempt to access non-public maritime databases. Sanctions research involving designated individuals or entities may carry legal implications depending on your jurisdiction; consult counsel before publishing findings that identify sanctioned persons.
The method
01
Anchor on the IMO number
Goal · Establish a permanent vessel identifier before querying any registry
Vessel names change. Flags change. Ownership changes. The IMO number does not. It is a permanent seven-digit identifier assigned at build that survives all of these. If you have a vessel name but not an IMO number, retrieve it from MarineTraffic or Equasis before doing anything else. Every subsequent query in this workflow should be anchored to the IMO number, not the vessel name.
02
Query AIS tracking platforms and cross-reference
Goal · Establish the vessel's position history and identify any gaps
Search MarineTraffic by MMSI or IMO number and record the current position and voyage history. Cross-reference the same vessel on VesselFinder and flag any positional discrepancies between the two platforms. Note all intervals where AIS transmission ceases for more than two hours in open water; these are dark periods requiring explanation. AIS position reflects transponder output, not verified GPS, and relay stations near coastlines can introduce a lag of up to 30 minutes.
03
Investigate dark periods using independent sources
Goal · Determine whether an AIS gap is technical failure or deliberate concealment
For each dark period, apply a speed plausibility test: calculate whether the vessel could physically have reached its post-gap position given elapsed time and vessel class speed. An implausible speed indicates positional falsification. Cross-reference the gap against Global Fishing Watch, which maintains independent AIS reception. A gap appearing on MarineTraffic but not Global Fishing Watch indicates selective transmission rather than a technical fault. For nocturnal gaps in known transfer zones, NASA FIRMS VIIRS nighttime light detection provides a third independent position signal.
04
Trace ownership through public registries
Goal · Identify the natural person or entity with ultimate control of the vessel
Query Equasis to retrieve the registered owner, ship manager, flag state, and inspection history. The registered owner is frequently a single-vessel shell company; the ship manager is often the entity with real operational accountability. From the registered owner, trace the corporate chain through OpenCorporates and the relevant national registry, following director and shareholder links at each layer. Run all identified individuals and entities through OpenSanctions, the OFAC SDN List, and the UN Consolidated List. Screen company and individual names against ICIJ Offshore Leaks for appearances in major leaked datasets.
05
Check port state control inspection records
Goal · Establish the vessel's compliance and detention history as independent evidence of operator quality
Port state control (PSC) inspection records are publicly available through regional memoranda of understanding and aggregate through Equasis. Retrieve the full inspection history and note deficiencies and detentions separately; a deficiency is a noted fault, a detention means the vessel was held in port pending rectification of serious deficiencies. Patterns of recurring deficiencies across multiple inspections indicate systemic management failure. For vessels operating in US waters, the US Coast Guard PSIX database provides independent inspection records not always captured by other MoUs.
06
Reconstruct incidents against the navigational record
Goal · Compare the official incident narrative against AIS data, weather records, and port documentation
Retrieve formal casualty filings from the IMO GISIS marine casualties module and EMSA EMCIP. Rebuild the AIS track covering the 30-minute window before and after the incident using MarineTraffic or Fleetmon. Pull historical meteorological data for the incident coordinates from Weather Underground. Discrepancies between the official narrative and the physical record are the investigative finding. Download AIS replay data and casualty report PDFs immediately; free-tier archive access ages off and official documents are sometimes removed.
07
Identify sanctions evasion through ship-to-ship transfer analysis
Goal · Link AIS gap evidence to known transfer zones and satellite confirmation
Screen the vessel against sanctions lists using the vessel name, IMO number, and all former names. Map AIS gaps against known ship-to-ship (STS) transfer anchorage areas: the Laconian Gulf, the Strait of Malacca approaches, and West African offshore zones are established transfer locations. Where a gap coincides with a known STS zone, seek satellite confirmation through TankerTrackers. Where an STS event is confirmed, retrieve the second vessel's IMO number and apply the same sanctions screening and AIS gap analysis to the transfer partner. Do not publish vessel coordinates that could alert operators to surveillance.
03
What to watch for in maritime OSINT
Common false positives, evidentiary traps, and chain of custody requirements specific to maritime investigation.
Dark periods as proof of wrongdoing: AIS gaps are the most commonly misread signal in maritime OSINT. Technical failure is the most common cause of a dark period; transponder faults, relay station outages, and port-entry requirements that mandate AIS off all produce gaps indistinguishable from deliberate concealment at first inspection. Verifying check: Apply the speed plausibility test for each gap. Cross-reference against Global Fishing Watch. A gap appearing on one platform but not the other indicates selective transmission; a gap appearing on both is more consistent with technical failure or coverage absence.
Flag of convenience as evidence of illicit activity: The majority of vessels registered under flags of convenience are engaged in wholly legitimate trade. FOC registration is standard commercial practice driven by tax and regulatory considerations. Verifying check: Illicit activity requires positive evidence beyond flag registration alone. Combine FOC status with AIS gap analysis, PSC detention history, and sanctions screening before drawing conclusions.
Nominee directors as beneficial owners: Corporate registry searches frequently return nominee directors who are professional placeholders with no operational control. Treating a nominee as the beneficial owner misidentifies the investigative target. Verifying check: Confirm whether the named director appears across multiple unrelated vessels or companies; high repetition is a strong indicator of a nominee arrangement. Seek persons with significant control filings in jurisdictions that require them, such as the UK Companies House PSC register.
Single PSC detentions as indicators of rogue operators: A single detention does not establish a pattern. Technical deficiencies are common across the global fleet and detention following rectification means the vessel is compliant. Verifying check: Look for recurring deficiency categories across multiple inspections and multiple MoU regions. Patterns across inspections indicate systemic failure; isolated detentions do not.
Historical sanctions listings applied to current vessels: Vessels cycle identities. A sanctions designation against a vessel name may predate a flag change, name change, or ownership transfer that renders the current vessel distinct from the designated one. Verifying check: Always confirm designation status against the current IMO number, not the vessel name alone. Check the OFAC SDN List entry for the IMO number explicitly.
Chain of custody
Maritime OSINT produces evidence that may be used in legal proceedings, regulatory filings, or formal publication. Every query, screenshot, and downloaded file must be treated as a potential exhibit from the moment of capture. The discipline required is not bureaucratic; it is what makes findings reproducible and defensible when challenged.
Record query timestamps in UTC for every platform lookup, noting the platform, the search parameters used, and the result count.
Capture full browser URLs in all screenshots; platform URLs frequently contain query parameters that identify the specific record retrieved.
Generate a SHA-256 hash of every screenshot and downloaded file immediately after capture, before any editing or annotation.
Archive original files separately from working analysis notes; never annotate the original.
Preserve a Wayback Machine snapshot of every key registry or official report page at the time of retrieval.
04
Go deeper
The Signal & Shadow Maritime Intelligence series covers every technique in this guide at field-ready depth, with structured workflows, key queries, OPSEC controls, and evidentiary standards built for active investigations.
This guide gives you the workflow. The Signal & Shadow Maritime Intelligence reference cards give you the field-ready version of each technique: a structured one-page format covering the exact key queries to run on each platform, the OPSEC controls specific to that technique, a step-by-step workflow you can follow during an active investigation, and the false positive checks with verifying evidence. Each card is designed to sit open on a second screen while you work.
The seven cards in the MAR series map directly to the seven steps in this guide. MAR-001 covers AIS and MMSI tracking in depth. MAR-002 covers Equasis and the ownership registry chain. MAR-003 is dedicated to dark vessel behaviour and spoofing indicators. MAR-004 covers port state control records. MAR-005 goes further into beneficial owner tracing through layered corporate structures, including leaked dataset screening. MAR-006 covers incident reconstruction, and MAR-007 covers sanctions evasion and ship-to-ship transfer analysis.
The full Maritime Intelligence pack is available from the Signal & Shadow storefront as a single download. Subscribers to the Methods tutorial series will find the accompanying tutorial, when published, adds a worked case study, a practice exercise, and the full evidentiary defensibility layer this guide does not cover.
Reference cards
MAR-001 AIS and MMSI vessel tracking
MAR-002 Ship ownership and flag state registries
MAR-003 Identifying dark vessel behaviour and AIS spoofing
MAR-004 Port state control and vessel inspection records
MAR-005 Beneficial owner tracing in maritime structures
MAR-006 Documenting maritime incidents and collisions
MAR-007 Sanctions evasion and ship-to-ship transfer patterns
Tools and products
Maritime Intelligence Reference Card Pack — All seven MAR cards as a single download. Structured workflows, key queries, OPSEC controls, false positive checks, and chain of custody requirements for each technique, in a format designed for use during active investigations.
About Signal & Shadow
Signal & Shadow is an independent forensic investigation and methodology practice publishing tutorials, reference cards, and forensic dossiers for working practitioners. Founded by Derek Bowler.
