OSINT — open-source intelligence — is the systematic collection of public data to answer a specific question. Done well, it’s the single highest-leverage skill in incident response, threat intel, due diligence, and bug bounty recon. Done poorly, it’s hours of dead Google links.
The Investigation Framework
Every OSINT investigation begins with a question and a pivot graph.
Question → Selectors → Pivots → Selectors → ... → Answer
A selector is an identifier — username, email, phone, image, domain, hash. A pivot is a service or technique that turns one selector into others. The skill is choosing which pivots will yield the next useful selector.
Common Pivots
Email Address
- HaveIBeenPwned — which breaches?
- Hunter.io — pattern detection (
[email protected]) implies other employees. - Account presence — Pinterest, Spotify, Skype all leak signal when you query unauthenticated.
- Gravatar —
MD5(lower(email))→ public profile photo if registered.
Username
- Sherlock / WhatsMyName — scan hundreds of platforms automatically.
- GitHub search — code, gists, commits. Old commits often expose real names and personal emails.
- Reverse image of profile photos via Google Lens, Yandex, TinEye.
Phone Number
- TrueCaller / GetContact (regional coverage varies).
- PhoneInfoga for carrier and country metadata.
- WhatsApp / Telegram / Signal — presence checks reveal account existence on those platforms.
Domain Name
- WHOIS (note GDPR redactions are heavy for EU registrants).
- Certificate Transparency via
crt.sh— every issued TLS certificate, hostname-rich. - DNS history via SecurityTrails or DNSDumpster.
- Wayback Machine for historical content.
- Same-IP neighbors (Censys, Shodan) — often more useful than ASN.
Image
- Reverse image search — Yandex consistently outperforms Google for face matches.
- EXIF metadata — GPS coordinates, camera, timestamps. Strip-on-upload is standard now, but legacy images are everywhere.
- Geolocation by content — sun position, license plates, road signs, shop chains. The Bellingcat playbook.
Person
- LinkedIn — employer, location, skills. Always pivot on what employer permits you to see (network connections).
- Twitter/X advanced search — geolocated old posts.
- Public records — varies wildly by country.
Tools Worth Installing
# Username enumeration
sherlock <username>
# Phone metadata
phoneinfoga scan -n +14155552671
# Email enumeration
holehe [email protected]
# Domain pivots
amass intel -org "Target Inc"
crt.sh search → CSV
# Image geolocation help
geospy / GeoSpy (commercial), exiftool (metadata)
Working With Breach Data
Breach corpora (DeHashed, IntelX, public combo lists) are the most powerful OSINT pivot — and the legally riskiest. In most jurisdictions, reading aggregated public breach data is legal; using it to access an account is not.
For investigators:
- HaveIBeenPwned’s enterprise API delivers breach lists without raw passwords.
- Domain-search on HaveIBeenPwned reveals which corporate emails have appeared in breaches — invaluable for incident scoping.
OPSEC for OSINT
You leave fingerprints when collecting:
- Use a dedicated research browser. Firefox Containers or a separate profile, never your daily driver.
- Disposable accounts for platforms requiring login. Don’t reuse names.
- VPN or residential proxy for sensitive targets — Tor stands out for some sites and is blocked by many.
- No logged-in Google searches on the target.
- Never query the target’s own resources (their support portal, their booking system) from your tracked accounts.
Operational mistake of the year: investigators using their personal LinkedIn to scope hostile actors — making themselves the target.
Ethics and Law
OSINT lives in tension between freedom-of-information and stalking. A short rule of thumb:
- Aggregated public data about a public-figure capacity (work email, public posts) — generally fine.
- Aggregated public data about a private individual — depends heavily on jurisdiction and purpose.
- Doxxing for harassment — illegal in most countries.
Get explicit authorization for OSINT inside engagements. Insurance for security companies often excludes findings outside written scope.
A Sample Investigation Flow
Question: “Who runs this scam crypto site?”
- Domain → WHOIS (redacted) → CT logs → 14 sibling domains
- Sibling domains → shared analytics ID in HTML
- Analytics ID → reverse-lookup tool → 60 unrelated sites with same ID (likely shared developer)
- Pick most-active site → contact page → email
- Email → HIBP → 4 breaches → reuse passwords found in dumps
- Email → Gravatar → photo → Yandex → personal Instagram
- Instagram → username → other accounts via Sherlock → real name
90 minutes of work; one selector at a time.
References
- OSINT Framework — directory of tools
- Bellingcat’s Online Investigations Toolkit
- Trace Labs OSINT Search Party — practice on missing persons CTFs
