How to Carry Out OSINT Investigations Like a Pro

Open-Source Intelligence (OSINT) is an essential skill for cybersecurity experts, ethical hackers, journalists, and investigators. OSINT helps reveal useful information from open sources such as social media, websites, and public databases. This blog will walk you through OSINT investigations, including the tools, techniques, and best practices to carry them out effectively.
What is OSINT?
OSINT (Open-Source Intelligence) is the practice of gathering and analyzing publicly available information to build situational awareness. It is applied in:
- Cybersecurity investigations
- Ethical hacking
- Law enforcement and intelligence collection
- Corporate security
- Journalism and research
Whereas hacking relies on illegal sources, OSINT investigations rely on lawful sources such as search engines, social media, domain registration records, and leaked databases.
Why OSINT Matters
OSINT is essential in digital investigations. Some of the situations in which OSINT is handy are:
- Cybercrime Investigation: Following a hacker's digital trail on social media and domain records.
- Threat Intelligence: Tracking online chatter for likely cyber threats.
- Fraud Detection: Uncovering phony companies or con artists with company records.
- Reconnaissance for Ethical Hacking: Gathering information on a target before testing begins.
- Locating a Missing Person: Finding an individual through social media, geolocation, and web activity.
OSINT Methods
Below are some of the widely used OSINT methods:
Search Engine OSINT
Google and other search engines can surface a large amount of otherwise hard-to-find information through advanced queries:
- site:example.com – Search within a single website.
- intitle:"index of" – Search open directories.
- filetype:pdf confidential – Search for particular file types.
- cache:example.com – Displays a website's cache.
Example: A search for site:pastebin.com password could uncover leaked credentials.
Social Media OSINT
Social media is a treasure trove for OSINT investigations. People tend to share more data than they realize.
- Facebook: Public posts, check-ins, groups, and comments.
- Twitter/X: Hashtags, geotagged tweets, and user interactions.
- LinkedIn: Employee information, job history, company structure.
- Instagram: Location tags, user stories, and tagged posts.
Tool: https://whopostedwhat.com – Discovers deleted Facebook posts.
Email & Username OSINT
- HaveIBeenPwned (https://haveibeenpwned.com) – Determines whether an email address appears in a known data breach.
- Email Rep (https://emailrep.io) – Reports the reputation of, and related information about, an email address.
- Namechk (https://namechk.com) – Checks whether a username is available across platforms.
Example: Checking an email address on HaveIBeenPwned can reveal whether the user has been affected by a data breach.
Website & Domain OSINT
- WHOIS Lookup: Checks registration information for the domain (https://whois.domaintools.com).
- Shodan (https://www.shodan.io) – Scans for internet-connected devices.
- URLScan (https://urlscan.io) – Scans and analyses URLs.
Example: A WHOIS lookup against a phishing website may reveal the attacker's contact information.
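The WHOIS step above can be turned into a repeatable triage check. The following Python code is an added example, not part of the original post: it parses a WHOIS response and pulls out the fields an investigator can act on when the registrant is redacted (registrar, abuse contact, domain age). The sample record is constructed, and the function names and the 30-day "newly registered" threshold are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the common gTLD WHOIS layout (not a real record).
SAMPLE = """\
Domain Name: LOGIN-EXAMPLE-PORTAL.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2024-05-28T09:14:02Z
Registry Expiry Date: 2025-05-28T09:14:02Z
Registrar Abuse Contact Email: abuse@registrar.example
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
Name Server: NS1.HOSTING.EXAMPLE
Name Server: NS2.HOSTING.EXAMPLE
"""

def parse_whois(text):
    """Collect 'Key: value' lines; repeated keys (e.g. Name Server) become lists."""
    rec = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:%#>]+?):\s*(\S.*)$", line)
        if m:
            rec.setdefault(m.group(1).strip().lower(), []).append(m.group(2).strip())
    return rec

def triage(text, now, new_days=30):
    """Summarise the actionable fields; new_days is this example's own threshold."""
    rec = parse_whois(text)
    first = lambda key: rec.get(key, [None])[0]
    created, age = first("creation date"), None
    if created:
        age = (now - datetime.fromisoformat(created.replace("Z", "+00:00"))).days
    registrant = first("registrant name") or ""
    return {
        "registrar": first("registrar"),
        "abuse_contact": first("registrar abuse contact email"),
        "age_days": age,
        "newly_registered": age is not None and age < new_days,
        "registrant_redacted": bool(re.search(r"redacted|privacy|proxy", registrant, re.I)),
        "name_servers": [ns.lower() for ns in rec.get("name server", [])],
    }

if __name__ == "__main__":
    print(triage(SAMPLE, datetime(2024, 6, 10, tzinfo=timezone.utc)))
```

When the registrant fields are redacted, as in the sample, the registrar's abuse contact is the address to send a takedown report to.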
Geolocation OSINT
- Google Maps: Street view, satellite images.
- EXIF Metadata: Image metadata that can include the GPS location.
- OSINT Combine Geolocation Tools (https://osintcombine.com/geolocation-tools).
Example: If a photo is posted online, its EXIF metadata can indicate where the photo was taken.
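To see what a photo actually discloses before it is published, the GPS tags can be read straight from the file. The following Python code is an added example, not part of the original post and not ExifTool's code: it walks a JPEG's segments, finds the Exif block, follows the GPS pointer, and converts the degree/minute/second values to decimal coordinates. The sample image bytes are constructed, and all function names are this example's own.

```python
import struct

def _ifd(tiff, off, bo):
    # Map tag -> raw 4-byte value/offset field of each 12-byte entry in the IFD at `off`.
    (n,) = struct.unpack_from(bo + "H", tiff, off)
    return {struct.unpack_from(bo + "H", tiff, off + 2 + 12 * i)[0]:
            tiff[off + 10 + 12 * i: off + 14 + 12 * i] for i in range(n)}

def _dms(tiff, field, bo):
    # Three RATIONALs (deg, min, sec) at the offset held in `field` -> decimal degrees.
    (ptr,) = struct.unpack(bo + "I", field)
    v = struct.unpack_from(bo + "6I", tiff, ptr)
    d, m, s = (v[i] / v[i + 1] if v[i + 1] else 0.0 for i in (0, 2, 4))
    return d + m / 60 + s / 3600

def gps_from_tiff(tiff):
    bo = "<" if tiff[:2] == b"II" else ">"          # byte order: II little, MM big
    ifd0 = _ifd(tiff, struct.unpack_from(bo + "I", tiff, 4)[0], bo)
    if 0x8825 not in ifd0:                          # 0x8825 = pointer to the GPS IFD
        return None
    gps = _ifd(tiff, struct.unpack(bo + "I", ifd0[0x8825])[0], bo)
    if not all(t in gps for t in (1, 2, 3, 4)):     # LatRef, Lat, LonRef, Lon
        return None
    lat = _dms(tiff, gps[2], bo) * (-1 if gps[1][:1] == b"S" else 1)
    lon = _dms(tiff, gps[4], bo) * (-1 if gps[3][:1] == b"W" else 1)
    return round(lat, 6), round(lon, 6)

def gps_from_jpeg(data):
    # Walk JPEG segments until the Exif APP1 block or start-of-scan (FFDA).
    pos = 2                                         # skip SOI (FFD8)
    while pos + 4 <= len(data) and data[pos] == 0xFF and data[pos + 1] != 0xDA:
        (seglen,) = struct.unpack_from(">H", data, pos + 2)
        body = data[pos + 4: pos + 2 + seglen]
        if data[pos + 1] == 0xE1 and body[:6] == b"Exif\0\0":
            return gps_from_tiff(body[6:])
        pos += 2 + seglen
    return None

def build_sample():
    # Constructed JPEG stub; Exif GPS set to 48 deg 51' 29.6" N, 2 deg 17' 40.2" E.
    rat = lambda d, m, s100: struct.pack("<6I", d, 1, m, 1, s100, 100)
    ifd0 = struct.pack("<HHHIII", 1, 0x8825, 4, 1, 26, 0)   # IFD0 at 8 -> GPS IFD at 26
    gps = (struct.pack("<H", 4) + struct.pack("<HHI4s", 1, 2, 2, b"N")
           + struct.pack("<HHII", 2, 5, 3, 80) + struct.pack("<HHI4s", 3, 2, 2, b"E")
           + struct.pack("<HHII", 4, 5, 3, 104) + struct.pack("<I", 0))
    app1 = b"Exif\0\0II*\0" + struct.pack("<I", 8) + ifd0 + gps + rat(48, 51, 2960) + rat(2, 17, 4020)
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"

if __name__ == "__main__":
    print(gps_from_jpeg(build_sample()))
```

A return value of `None` means the file carries no GPS tags; any coordinate pair means the metadata should be stripped before the image is shared.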
Dark Web OSINT
The dark web hosts hidden forums and marketplaces. Investigators use Tor and OSINT tools to examine:
- Onion Links: Unique URLs with the .onion suffix.
- Dark Web Search Engines: Like Ahmia (https://ahmia.fi).
Warning: Browsing the dark web is risky. Use a VPN and Tor browser.
Best OSINT Tools
Here is a list of some of the must-have OSINT tools:
Category | Tool Name | Description |
---|---|---|
Search Engine OSINT | Google Dorking | Finds hidden data using search queries. |
Social Media OSINT | Maltego | Creates connection maps of people and entities. |
Username OSINT | Sherlock | Finds usernames across platforms. |
Email OSINT | HaveIBeenPwned | Checks if an email is leaked. |
Domain OSINT | WHOIS Lookup | Retrieves domain registration details. |
Dark Web OSINT | OnionSearch | Searches for .onion links. |
Image OSINT | ExifTool | Extracts metadata from images. |
OSINT Investigation Example
Scenario: The management of a company would like to verify whether employees are leaking confidential data online.
Search Leaked Credentials
- Use HaveIBeenPwned to verify if company emails have been compromised.
Research Employee Social Media
- Search employee names on LinkedIn and Twitter.
- Check for work-related posts or location check-ins.
Examine Website Security
- Use Shodan to see if the company's servers are exposed.
- Do a WHOIS lookup on company domains.
Examine Metadata in Leaked Files
- If leaked documents or images are discovered, use ExifTool to pull metadata.
Dark Web Investigation
- Search the dark web for stolen company data.
Ethical OSINT Considerations
Although OSINT is legal, it has to be done ethically:
- Always follow privacy laws.
- Do not access unauthorized information.
- Use OSINT for ethical purposes such as cybersecurity and research.
Conclusion
OSINT is a valuable skill set for investigators, cybersecurity experts, and ethical hackers. With the proper tools and methods, you can collect good intelligence without running into legal and ethical issues.