OSINT: How to find information on anyone

Your data is more exposed than you think

Open Source Intelligence (OSINT) is the gathering of information from publicly available sources and its analysis to produce actionable intelligence. OSINT is not limited to cybersecurity: it is just as relevant to corporate, business and military intelligence, and to any other field where information matters.

Whether you are a recruiter, marketing manager, cybersecurity engineer or just a curious person reading the article, you will find something useful for yourself. Maybe you want to know what data of yours is out there for others to find or just want to see if the person or the organization that contacted you online is legit. In this article, I will explain how to discover a person’s digital footprint, perform digital investigations, and gather information for competitive intelligence or penetration testing.

Many OSINT tools are available nowadays, so I’m not going to cover them all, only the most popular ones and those useful in the described use cases. In this guide, I show a general approach and the different tools and methods you can use depending on your requirements and the initial data you have. If you can’t define the starting point for your investigation, read the article below.

OSINT steps

1. Start with what you know (email, username, etc.)
2. Define requirements (what you want to get)
3. Gather the data
4. Analyze collected data
5. Pivot as needed using newly gathered data
6. Validate assumptions
7. Generate report

Real name

IntelTechniques.com OSINT Workflow Chart: Real Name

Governmental resources

There are dozens of websites where you can find information about people or organizations, and depending on the country, the openness of that information can differ. I’m not going to write about it in detail, as the governmental resources I would list might not be relevant to you as a resident of a different country. Just remember that such resources exist and search for them when needed; they are not that hard to find, especially using the advanced search queries I describe below.

Google Dorks

In 2002, Johnny Long began collecting Google search queries that uncovered vulnerable systems or sensitive information disclosures. He labeled them Google Dorks. Since this article is about legally obtained information, I’m not going to show how to gain unauthorized access; however, you can explore the Google Hacking Database with its thousands of different queries. The queries below can return information that is difficult to locate through a simple search.

"john doe" site:instagram.com — quotation marks force Google Search to match the phrase exactly, while site: restricts the search to Instagram.

"john doe" -"site:instagram.com/johndoe" site:instagram.com — hide posts from the target’s own account but show the target’s comments on other people’s Instagram posts.

"john" "doe" -site:instagram.com — show results that exactly match the given name and surname in any combination, and exclude Instagram from the results.

"CV" OR "Curriculum Vitae" filetype:PDF "john" "doe" — search for the target’s resumes: PDF files that mention “CV” or “Curriculum Vitae” together with the target’s name.

Wrap even single words in quotes if you are 100% sure about the spelling, because by default Google will reshape your keyword into whatever most people search for. By the way, what’s interesting about Instagram is that with the right Google Dork you can see the comments and likes left by private accounts.

Perform a search using advanced search queries on Bing, Yandex, and DuckDuckGo as other search engines might give you results that Google couldn’t.
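As an added example (not from the original article), the helper below assembles three of the queries above from a first and last name and encodes them into search URLs for Google, Bing and DuckDuckGo, so you can check your own footprint across engines; the engine query-URL formats are an assumption.

```python
"""Build the exact-match queries described above and turn them into
search-engine URLs. Added example; not code from the original article."""
from urllib.parse import quote_plus

# Assumed public query URL formats for the three engines mentioned in the text.
ENGINES = {
    "google": "https://www.google.com/search?q=",
    "bing": "https://www.bing.com/search?q=",
    "duckduckgo": "https://duckduckgo.com/?q=",
}


def phrase(text: str) -> str:
    """Quote a term so the engine matches it exactly instead of reshaping it."""
    return '"' + text.replace('"', "") + '"'


def build_query(phrases, exclude_sites=(), site=None, filetype=None, any_of=()):
    """Assemble a query from exact phrases and the operators the article uses.

    phrases:       terms that must appear exactly, each wrapped in quotes
    any_of:        alternatives joined with OR ("CV" OR "Curriculum Vitae")
    filetype/site: restrict to a file extension / a single domain
    exclude_sites: domains to drop from the results with -site:
    """
    parts = []
    if any_of:
        parts.append(" OR ".join(phrase(p) for p in any_of))
    if filetype:
        parts.append(f"filetype:{filetype}")
    parts.extend(phrase(p) for p in phrases)
    parts.extend(f"-site:{s}" for s in exclude_sites)
    if site:
        parts.append(f"site:{site}")
    return " ".join(parts)


def footprint_queries(first: str, last: str) -> dict:
    """Three of the queries from the text, keyed by what each one looks for."""
    full = f"{first} {last}"
    return {
        "instagram_exact": build_query([full], site="instagram.com"),
        "name_combinations": build_query([first, last], exclude_sites=["instagram.com"]),
        "resume_pdf": build_query([first, last], any_of=["CV", "Curriculum Vitae"], filetype="pdf"),
    }


def search_urls(query: str) -> dict:
    """URL-encode one query for every engine (quotes, spaces and ':' are escaped)."""
    return {name: base + quote_plus(query) for name, base in ENGINES.items()}
```

The same encoded query string works on all three engines, which is how you run the same dork elsewhere when Google gives nothing.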

People search

There are websites that specialize in people search, which can be done by providing a real name, username, email address or phone number.

People search websites allow you to opt out, but after people remove themselves from the listings, new search services appear with their records in them. The reason is that the same dataset is bought and used by different services. Some companies own those datasets, and even if a person removes the listing on one of their websites, the old data is repopulated on a new domain, so the previously removed profile reappears in search. Consequently, if people did a pretty good job of cleaning their stuff up, you just have to wait for a new database to appear. One method to find people who opted out is to go to the people search service, find a unique paragraph, do a quoted Google search on it and find all of the domains that the company owns. There is a good chance that the information your target removed from site A is now on site B.