I assume you’re here because you are a curious individual like ourselves who wants to know more about Open Source Intelligence (OSINT). In this article, I will explain some common, beginner-friendly use cases for OSINT practice, and the techniques and methodology behind them. While I put a little challenge for you at the end, I encourage you to pause and try out some of the methods as you read. You can use your own photos or social media accounts to practice safely — and see how much of your own data could be found by an OSINT investigator!
So let’s start. OSINT is the practice of collecting publicly available, open-source information: on the internet, social media, forums, published works, open archives, your local city hall, books, videos, movies, pictures, newspapers, reports, etc. While the Deep Web is not readily available, a good part of it can be accessed by anyone with the proper tools, so it can also be included in the scope of an OSINT search.
Who uses OSINT? Well, OSINT investigations can be conducted by governments, private sector agencies, police and other law enforcement entities, journalists, private investigators, cyber-security specialists and researchers, but also malicious actors like state-sanctioned advanced persistent threats (APTs) or black-hats. And, of course, your average, everyday low-tech user/beginner.
For example, have you ever Googled yourself? Looked up someone you know online? Searched for someone or something that you wanted to know more about? Did you find anything? I bet you did.
Congratulations! You have already conducted a basic OSINT investigation.
Categories of OSINT:
The term “OSINT” is essentially an “umbrella” term for all open-source intelligence work. There are many different categories in the intelligence field, and a ton of different acronyms to look out for, each used for a different type of research.
So here is a list and brief description of the common acronyms that you will likely come across as you progress on your investigative journey into the thrilling, exciting, stimulating, soul-stirring realm of open-source intelligence:
OSINT: Open-Source Intelligence
SOCMINT: Social Media Intelligence
GEOINT: Geo-Spatial Intelligence
IMINT: Imagery Intelligence
ORBINT: Orbital Intelligence
VATINT: Vehicle and Transportation Intelligence
SIGINT: Signals Intelligence
TECHINT: Technical Intelligence
FININT: Financial Intelligence
AML: Anti-Money Laundering
TRADINT: Trade Intelligence
CORPINT: Corporate Intelligence
HUMINT: Human Intelligence
SE: Social Engineering
MASINT: Measurement and Signature Intelligence
DNINT: Digital Network Intelligence
PERSINT: Personality Intelligence
RUMINT: Rumor Intelligence
OPSEC: Operations Security
TSCM: Technical Surveillance Counter-Measures
CI: Counter-Intelligence/Confidential Informant
Quite the list isn’t it?
Don’t be scared, you don’t need to remember them all to get started.
How can I use OSINT?:
In this article, I will explain some common, beginner-friendly use cases for OSINT, and the techniques and methodology behind them:
Table of contents
- Know if you’re being Catfished
- Find out where a picture was taken
- Discover who owns a website
- Retrieve someone’s email address
- Geolocation challenge
Disclaimer: I am not liable for any wrongful or illegal activity against any organization or person resulting from techniques described in this article. This article is for educational purposes only.
Know if you’re being Catfished
In this day and age of online dating and social media, trusting strangers on the internet can be a daunting task. How can you tell for sure that people are really who they say they are? If you feel like something’s off or that some part of their story just doesn’t add up, you’ll want to make sure you’re not being “catfished”, aka duped by a scammer using a false identity.
Finding out if you’re being catfished is pretty straight-forward. Here are some methods to help you determine if someone is really who they say they are.
Tools & Techniques:
- Reverse image search: Google images, tineye
- Reverse phone number look up: freecarrierlookup, TruePeopleSearch and Truecaller
- Instant Messaging apps: WhatsApp and Telegram
- Social engineering
Use reverse image search
Most catfish don’t use their real photos because, well, they’re catfish. They often use another person’s photo that they’ve found online, someone who is often very attractive. But since they found their photo online, so can you!
Drop “their” photo into Google images or tineye and conduct a reverse image search to see what pops up. You should find a name connected to the photo. If it’s not the name the person gave you, then you can be sure that person is a catfish. At times you may even find multiple names, if your catfish is running a love-struck scamming ring.
Note: Of course, it’s entirely possible that the person you’re talking to got their picture stolen by a catfish who reused it all over the Internet, and that they are in fact the victim here. In that case, ask for other photos and run them through the reverse search engines. If you cannot find the pictures elsewhere, that’s a good sign. But if those pictures are all over the Internet, AND they consistently point to a specific person with another name… it’s more than probable you are being catfished. If you still have doubts, use the additional methods described below.
Try reverse phone number lookup:
If you have your catfish’s phone number — and are based in North America — try using reverse phone number directories like TruePeopleSearch and Truecaller to see if you can come up with a name and address that match what your catfish has told you.
Oftentimes though, catfish use burner virtual numbers instead of their real number to conduct their catfishing activities. They use apps like Burner and services like Google Voice to give them virtual, distinctive numbers.
Fortunately, you can use webtools like freecarrierlookup to check if a number is virtual or not:
As you can see, the number I entered is actually a Google Voice phone number. If you see something similar, there’s a good chance you’re dealing with a catfish.
Note that in some countries, it is much more difficult to obtain a virtual number, due to local regulations prohibiting services like Burner and Google Voice. In those cases, you can try using the person’s phone number to find their account on instant messaging services such as WhatsApp or Telegram.
- For WhatsApp, just add the number to your phone contacts, open the app and look for them in your contacts list. If they don’t appear, it means they’re not using this app.
- For Telegram, open the app and create a new contact with their number. If the app suggests that you invite them to use Telegram, it means they don’t have a profile.
If they have an account on these apps, you can see if the profile picture matches what you’ve seen. This is not foolproof, however, as the catfish may have been clever enough to assume a false identity across all platforms. That being said, many people still think themselves invisible on instant messaging apps, assuming you can’t find them unless they add you first, so it’s worth a try.
Request a video call:
Another simple tip is to use social engineering — in this case, your persuasion or negotiation skills, but more on that later — in order to get a video call or meet the alleged catfish. If the other person refuses, or keeps making excuses not to video call or meet you, it’s a pretty good sign that you’re being catfished.
Keep in mind that it’s better to ask for this sooner rather than later — you don’t want to waste months getting catfished when you could’ve figured it out in less than a day!
Find out where a picture was taken:
Photo by Marco Verch on Flickr
IMINT or imagery intelligence techniques can be used for all kinds of investigations, for example by journalists trying to assess the validity of a piece of evidence or private investigators attempting to retrace someone’s footsteps. New tools for imagery analysis appear every day, and some of them require advanced technical skills.
But even simple IMINT and SOCMINT (social media intelligence) techniques can give good results, and in many cases will be enough for you to find out where a picture was taken.
Tools & Techniques:
- EXIF data retrieval: metadata2go, Exiftool, Preview on Mac OS
- GPS location: Google Maps
- Reverse image search: Google images, tineye, Yandex
- Image enhancement: MyHeritage, Let’s Enhance, InVID & WeVerify Chrome extension
- Social media intelligence (SOCMINT)
Look for the EXIF data
This should always be your first step.
When someone takes a picture with a phone or a digital camera, additional tags might get attached to it. These are not visible on the picture itself but stored inside the picture file, in a specific format called EXIF. EXIF data can include the date and GPS location, indicating exactly when and where the photo was taken, as well as information on the device used.
If the photo is posted without removing this EXIF data (on a blog, a website or in a conversation on an instant messaging app), this information can be found pretty easily, with online tools like metadata2go or dedicated programs like Exiftool. If you have a Mac, you can also simply open the picture in the Preview app. All the stored geolocation data will be accessible from the “Tools” menu, by clicking “Show Inspector”.
To use metadata2go, simply download the image and drag and drop it into the tool:
If the EXIF data was still enclosed in the picture file, you should see something like this:
A classic example, used in all OSINT 101 workshops.
Most of the time, the location data is going to be stored as GPS coordinates; a quick search using Google Maps will give you the actual location. Just enter the coordinates in the search bar. Make sure to respect the proper formatting, like in the example below.
Note that most social networks will automatically strip EXIF data from pictures, but that this is not the case for instant messaging applications like WhatsApp.
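As an added example (not part of the original article), the following standard-library Python script shows the two sides of this step: checking whether a JPEG still carries an EXIF block (and stripping it before you post a picture), and turning the GPS rationals that a reader such as Exiftool or metadata2go reports into the signed “lat, lon” string that Google Maps accepts. The JPEG bytes and the GPS tag values are constructed for the example; the script does not parse the TIFF/IFD structure itself.

```python
"""Added example: detect/strip the EXIF container in a JPEG and convert
EXIF GPS rationals into the 'lat, lon' form Google Maps accepts.
Sample bytes and tag values are constructed; an EXIF reader is assumed
to have produced the tag dict (this code does not parse the IFDs)."""
import struct

SOI, SOS, APP1 = 0xD8, 0xDA, 0xE1
EXIF_HEADER = b"Exif\x00\x00"

def _segments(data):
    """Yield (marker, start, end) for each marker segment; the SOS segment
    is returned with end == len(data) because scan data follows it."""
    if data[:2] != bytes([0xFF, SOI]):
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("corrupt JPEG at offset %d" % pos)
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, pos, len(data)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]  # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _is_exif(data, start):
    return data[start + 4:start + 10] == EXIF_HEADER

def has_exif(data):
    """True if any APP1 segment carries the 'Exif\\0\\0' header."""
    return any(m == APP1 and _is_exif(data, s) for m, s, _ in _segments(data))

def strip_exif(data):
    """Copy of the JPEG with every APP1/Exif segment removed; JFIF,
    quantisation tables and scan data are left untouched."""
    out = bytearray(data[:2])
    for marker, start, end in _segments(data):
        if marker == APP1 and _is_exif(data, start):
            continue
        out += data[start:end]
    return bytes(out)

def gps_to_decimal(dms, ref):
    """EXIF stores GPSLatitude/GPSLongitude as three (num, den) rationals:
    degrees, minutes, seconds. ref is 'N'/'S' (lat) or 'E'/'W' (lon)."""
    deg, mins, secs = (n / d for n, d in dms)
    value = deg + mins / 60 + secs / 3600
    return -value if ref in ("S", "W") else value

def maps_query(tags):
    """Signed 'lat, lon' string to paste into Google Maps, or None when the
    GPS tags are absent (for instance because the platform stripped EXIF)."""
    needed = ("GPSLatitude", "GPSLatitudeRef", "GPSLongitude", "GPSLongitudeRef")
    if not all(k in tags for k in needed):
        return None
    lat = gps_to_decimal(tags["GPSLatitude"], tags["GPSLatitudeRef"])
    lon = gps_to_decimal(tags["GPSLongitude"], tags["GPSLongitudeRef"])
    return "%.6f, %.6f" % (lat, lon)

def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample: SOI, a JFIF APP0, an APP1 with a dummy Exif payload,
# a minimal SOS and EOI. A valid container, not a decodable picture.
SAMPLE_JPEG = (bytes([0xFF, SOI])
               + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
               + _segment(APP1, EXIF_HEADER + b"MM\x00\x2a" + b"\x00" * 20)
               + _segment(SOS, b"\x01\x01\x00") + b"\xff\xd9")

# Constructed tag values in the form an EXIF reader returns them.
SAMPLE_TAGS = {"GPSLatitude": ((48, 1), (51, 1), (2960, 100)), "GPSLatitudeRef": "N",
               "GPSLongitude": ((2, 1), (17, 1), (402, 10)), "GPSLongitudeRef": "E"}

if __name__ == "__main__":
    print("EXIF present:", has_exif(SAMPLE_JPEG))
    print("after strip :", has_exif(strip_exif(SAMPLE_JPEG)))
    print("Maps query  :", maps_query(SAMPLE_TAGS))
```

Run `strip_exif` over your own photos before sharing them on a platform that keeps metadata, and keep the original file if you still need the coordinates yourself.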
Look for landmarks and recognizable features
Having unmasked your catfish in the previous section, you already know how to perform a reverse image search.
You can use the same search engines (google images, tineye, but also Yandex, Google’s Russian counterpart) to reverse search a picture and get an idea of where it was taken. While your search may not return the exact same picture, the suggestions can provide you with an answer. Is there a landmark, a monument, a particular view of a city? Can you spot similar features between your picture and the results from the search engine?
An example of the results a reverse image search on Google images might yield. Was that search really necessary though?
Obviously, this works better for pictures of a location or a landscape — unless you’re unmasking a catfish!
If you’re investigating a selfie, you can still extract useful information simply by paying close attention to what’s in the background.
Do you see what the background is trying to tell you here?
Is there a road sign, or a storefront? Can you read what it says? Sometimes, simply googling that information along with descriptive search terms (“mountains”, “ruins”, “lama”) can do wonders (try it!).
Finally, keep in mind that reverse image search engines work best with high-quality pictures. If your photo is low-quality, you’ll want to enhance it as much as possible before running it through any search tool (but NOT before extracting the EXIF data!). There are a number of online websites or applications that will do that for you, such as MyHeritage or Let’s Enhance, available for limited use on free trial.
Alternatively, you can use the all-in-one InVID & WeVerify browser extension on Chrome, which combines picture enhancing and reverse search engine tools.
On social media, look for tags and comments:
Sometimes, you don’t need to look further than the comment section.
Just because someone is careful enough not to post their actual location doesn’t mean that their friends or followers will be as considerate. Scroll down, and see what people have to say about the picture. It can go from a friend saying: “Reminds me of my time there last summer” (guess whose feed you’re going to check then) to people giving away the location in plain text. Sometimes, the photo may not have a landmark or anything recognizable in it, but another person may be tagged, because they were there too; check out their profile and see if they posted their own photo of that moment and provided more details or tags.
In SOCMINT investigations, your answer is often one click away from the profile of your original “target”. Figuring out who their closest contacts are can open up a whole world of new opportunities to get answers.
Discover who owns a website:
Wouldn’t it be nice to know who owns a certain website? Establishing a link between a particular individual and an online business can be crucial for conducting law enforcement operations or investigative journalism successfully. It can also be useful to know who’s behind a website to determine their reputation and the quality of services they offer. While it’s true that there are many ways for people to hide their involvement with a website, it doesn’t mean you can’t try!
Here are some easy methods to begin your search.
Tools & Techniques:
- Website search
- Domain registry: whois
- Social media and advanced Google search: Google Dorking
- History of a webpage: Wayback Machine
- Reverse IP look up and IP history: viewdns.info
Search the Website
Finding the owner of a website can be as simple as looking at the “About” page. Website owners often love to have an “About” page that presents the website and themselves. This often includes full names, searchable usernames, points-of-contacts, all of which can be used to find the owner.
So before going further, here are some common places to look for info on a website owner:
- Contact us page
- About page
- Website footer
- Privacy policy (can then be cross-checked with publicly-available commercial registries and records)
Try the Whois record:
Before we begin, let’s learn about Whois records.
A Whois record is a widely used Internet record listing that provides the name of the owner of a domain and their contact information. What’s interesting with Whois records is that they will give you the name of the person who registered the website and owns the rights to the domain; sometimes, this may not be the same person officially running it as per the “About” or “Contact” page, and that fact alone can open up new possibilities for your investigation.
So let’s use a Whois domain lookup tool called “whois” (very to the point) to trace the ownership of a domain name.
Whois functions like a search engine. Enter the website URL, click search and boom:
You now have a name, street, city, state, postal code, country, phone, email and more!
Note: Some web hosting companies offer their customers the option of hiding their name and address for a small fee. If that’s the case, you’ll find either the mention “Redacted” or “Not available”, and the listed country will be that of the web hosting company.
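As an added example (not part of the original article), this Python script does what the web tool does behind the scenes: it talks the whois protocol to a server, parses the “Key: Value” record into fields, and flags a record whose registrant identity has been redacted, in which case the country shown belongs to the privacy or hosting provider rather than the owner. The record is constructed for the example, `query_whois` is the example’s own helper (it needs network access and is not called here), and the list of redaction markers is an assumption based on common strings, not something the article provides.

```python
"""Added example: raw whois exchange (RFC 3912, TCP/43), 'Key: Value'
parsing and detection of privacy-redacted registrant fields.
The record below is constructed; REDACTION_MARKERS is an assumed list."""
import socket

REDACTION_MARKERS = ("redacted for privacy", "not available", "data protected",
                     "privacy service", "whoisguard", "domains by proxy")

# Constructed whois response for a fictitious domain behind a privacy service.
CONSTRUCTED_WHOIS = """\
Domain Name: example-shop.test
Registrar: Example Registrar, Inc.
Creation Date: 2019-03-02T10:15:00Z
Registrar Registration Expiration Date: 2025-03-02T10:15:00Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Service Inc.
Registrant Street: Not available
Registrant City: REDACTED FOR PRIVACY
Registrant Country: PA
Registrant Email: contact@privacy-service.test
Name Server: ns1.example-host.test
Name Server: ns2.example-host.test
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
"""

def query_whois(domain, server, timeout=10):
    """Send the domain plus CRLF and read until the server closes the
    connection. Needs network access; the rest of the example parses the
    constructed record instead of calling this."""
    with socket.create_connection((server, 43), timeout=timeout) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            chunk = sock.recv(4096)
            if not chunk:
                return b"".join(chunks).decode("utf-8", "replace")
            chunks.append(chunk)

def parse_whois(text):
    """field -> list of values; repeated keys (Name Server) keep every value.
    Splits on the first colon only, so timestamps stay intact."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(">>>") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields.setdefault(key.strip(), []).append(value.strip())
    return fields

def registrant(fields):
    """The 'Registrant *' fields with the prefix removed."""
    return {k[len("Registrant "):]: v[0]
            for k, v in fields.items() if k.startswith("Registrant ")}

def is_privacy_protected(fields):
    """True when an identity field carries a redaction marker; the country
    is then the provider's, not the owner's."""
    reg = registrant(fields)
    identity = [reg.get(k, "").lower() for k in ("Name", "Organization", "Street", "City")]
    return any(m in v for v in identity for m in REDACTION_MARKERS)

def summarize(text):
    """The fields an investigator checks first, with redacted identity nulled."""
    fields = parse_whois(text)
    reg = registrant(fields)
    protected = is_privacy_protected(fields)

    def first(key):
        return fields.get(key, [None])[0]

    return {"domain": first("Domain Name"),
            "registrar": first("Registrar"),
            "created": first("Creation Date"),
            "name_servers": fields.get("Name Server", []),
            "registrant_country": reg.get("Country"),
            "privacy_protected": protected,
            "registrant_name": None if protected else reg.get("Name")}

if __name__ == "__main__":
    for key, value in summarize(CONSTRUCTED_WHOIS).items():
        print("%-19s %s" % (key + ":", value))
```

When the record is flagged as protected, the name servers and registrar are usually the only fields still worth following up (they point to the hosting provider), which is where the viewdns.info lookups described later come in.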
Use search engines and social media:
Another place to find information is social media. If the website belongs to a business, you can research employees on LinkedIn and other social media platforms.
To find the domain owner, you’ll want to look for someone in the IT or marketing department. These are the people most likely to be involved in the website’s management and maintenance.
If you want to search for a specific job title on LinkedIn, you can use the advanced search filters. First, search for the business page and then click See all employees in the header section. Now, you can click on All Filters on the search results page, and enter departmental keywords like “marketing” or “IT” in the field labeled Title. You can also try job-specific keywords such as webmaster or administrator. Finding the right person might take some trial and error.
Use search engines and social media #2
You can also search for mentions of the website on other social media. People love to advertise their websites on social media platforms, which could give you a name or username to continue or complete your investigation. On the other hand, the lack of an online presence for a business in the 21st century should raise some red flags, and may indicate that you are dealing with a made-up or scam company.
You can use Google Dorking to make that search process easier. Google Dorking lets you take advantage of the full possibilities of the search engine to get quicker and more precise results.
Go back in time with The Wayback Machine
The Wayback Machine is a digital archive of the World Wide Web founded by the Internet Archive, a nonprofit based in San Francisco, California. Created in 1996 and launched to the public in 2001, it allows the user to go “back in time” and see how websites looked in the past.
This gives us the opportunity to learn more about, or even reveal, the identity of a website’s owner by finding past artifacts pertaining to them, such as an email address with a full name. Other artifacts may point to other sources on the internet that could lead you to a name.
Let’s use YouTube as an example:
Let’s look back to April 28th, 2005 and see what YouTube looked like then.
Looks like Youtube used to be some sort of dating site!
Of course, the Wayback Machine can only show you what was happening on a domain in the past, without discriminating between owners. So it’s entirely possible that the information you find does not pertain to the current owner you’re investigating.
Last or first, but not least: try viewdns.info
Depending on your investigation, you may want to go directly for this tool, or save it for last. Viewdns.info is an all-in-one service that provides information and reports on DNS settings, as well as many resources for research on IP addresses and domain names that can be useful in different types of investigation.
To find the owner of a particular domain, you can either do a Reverse IP Lookup or an IP History search.
- The Reverse IP Lookup will let you know how many sites are associated with a single server. Enter the domain of your website and find what other sites are on the same server. If the website is privately hosted, you may find other sites listed here that could give you more info on your owner.
- The IP History will list all previous IP addresses associated with a domain, along with the name of the registrant. Used in conjunction with the Wayback Machine, it’s a powerful tool that can help you decide how far back you need to investigate — and save you a lot of time!
Retrieve someone’s email address:
Retrieving someone’s email address may be useful when conducting any kind of OSINT investigation, or during a pentest (or for, you know, black-hat purposes). Perhaps you need to connect someone to an address that is linked to criminal activity, or you need to assess how easy it would be for an attacker to spearphish key people within an organization. Either way, there are many techniques that can be used, and your success will mostly depend on how much time you have at your disposal.
Tools and techniques:
- Google search and social media search tools
- Domain registry: Icann
- Social media intelligence
- Webpage search
- Google advanced search: Google Dorking
- Human intelligence (HUMINT) & social engineering (SE)
Google your target
Start from the beginning. There is no need to invest time and effort in more complex techniques if the information is readily available.
Do a thorough Google search on your target, and pay particular attention to the following:
- Do they have a blog or website attached to their name? Their email address may be in their intro, or on the contact page (see “Discover who owns a website”). If not, looking up the registrant name for their domain on Icann is always worth a try. Similar to the whois tool, Icann is a registry for website owners that displays their name and contact information. Although they can choose to have their private information removed for a fee, not every owner opts to do this.
- Are they on social media? The email address may be part of their bio or intro (on LinkedIn in particular), or they may have sent it to someone in reply to a comment. Browse through their activity and use the social network’s own search engine.
Here is an example with Twitter. Let’s say you’ve found the Twitter account of your target and would like to see if they have mentioned their email in a tweet at some point.
Using the built-in Advanced search tool, you can look for content associated with a particular user. To access the advanced search tool, just search for anything in the search bar. On the result page, go to the three dots on the right of the search bar and click on “Advanced Search”.
In the Words category, you can put “email” or even “gmail.com” or another email provider; there are different possibilities to do this (exact phrase, any of these words, etc.).
Scrolling down, you’ll get to the Account category; here, copy the Twitter handle of your target.
Depending on what you know about your target, you can even select other accounts if you think they may have provided that information to a particular person.
Run Twitter’s search engine, and voilà! You see all their tweets, replies and comments that include your search terms. In this case, the person did give their full email in reply to a comment:
Do they appear on other websites (work, events, schools, etc.)?
Their work email address may simply be listed on the company’s website, but that is less and less the case. Oftentimes, however, people take part in events or conferences, and those event companies may unintentionally expose the email addresses of participants via a list of attendees in PDF format. The same goes for schools listing graduates. If not properly secured, these files will show up in a Google search. You may have to search inside the file itself, as such files tend to be voluminous.
If none of this yields any result, you’ll have to look a bit deeper.
Look inside their webpage:
If your target has a website or a blog, you can try using the View Page Source tool in your browser. If you use Firefox or Chrome, you can find it in your browser’s menu, under “More tools”. This will allow you to inspect the HTML code of a webpage and look for clues. To make things quicker, you can search for “@” in the HTML code, and see if the person left an email address in there.
What a webpage source looks like. See the original here.
Search for leaked databases and Excel files with Google Dorking:
You can use Google Dork operators to see if you can dig up a publicly available Excel file that contains your target’s address. This can also include databases from platforms that were hacked and published on the Deep Web, which sometimes even find their way onto the regular Internet. However, keep in mind that there are many files like this to search through, and it could take you quite some time to manually go through all of them. For a primer on Google Dorking, head here.
Note: Conversely, if you have the email address but not the person’s name, you can enter it on HaveIBeenPwned and see if it has been leaked somewhere; then, search for that specific leaked database and see if you can find the person’s name in there.
Get up close and personal (HUMINT and social engineering):
If all else fails, the best and quickest way of retrieving someone’s email is simply to ask them.
Depending on the type of investigation you’re conducting, it’s also the riskiest, as it requires direct contact between you and the target, or at least someone close to them. This is why we’ve kept social engineering for the end, but in some contexts (pentesting comes to mind), you may want to try it first to assess how (un)ready a company is for this kind of attack.
For this to work, you will need to understand who your target is and how to approach them. The more difficult and unreachable your target, the more research you will need to do ahead.
Look at their social media and company website, but don’t stop there. Really explore their online presence to find out what they do, where they come from, and how they present themselves to the world. You’ll want to make sure that you have a good grasp of their character and can anticipate their reactions. For a simple request such as an email address, this should not take up too much of your time, but it’s a necessary step.
Photo by Jean-Pierre Bluteau on Flickr
Once you’ve gathered enough intelligence, you need to create what social engineers call a “pretext”, which is basically the false identity you will assume to trick your target into revealing their information to you. Taking into account what you know about that person, adopt a salesman perspective, and try to figure out how you can best get them to seal the deal, aka give you the information you need. Is their company going through interviews at the moment? Have they moved to a new location? Are they taking part in a mentoring program? Have they signed up for an event? By cross-checking all the information you have, you can create a convincing pretext that will make sense and appeal to them both logically and emotionally.
When you are ready, make your move and establish rapport. This can mean connecting on social networks, or calling their office/home. Pay attention to details that could give you away (for example, don’t use British spelling if you’re pretending to be American) and make sure your pretext is believable. Once trust between you and your target is established, you can move on to the exploitation phase and request that email. If you get it, congratulations! But don’t hang up or close that chat window right away. You need to make a smooth and stealthy exit, so as not to raise alarms in your target’s mind… Ideally, they should even feel good about this!
Geolocation challenge (GEOINT) 🌎 :
You may want to find out the exact location of where an image or a video was taken. This process of looking for a specific place on Earth (a geolocation) is called geolocating, and the branch of OSINT dedicated to this is called GEOINT.
You’ve learned how to retrieve EXIF data, and know how to do a reverse image search. Now I am going to leave you with a little challenge:
Can you pinpoint the exact location of the image below?
And for additional geolocation fun/practice, check out geoguessr.
In this article, I shed some light on the essence of OSINT, its basic techniques and tools, and how they can be used in many contexts by different parties to gain intelligence. The idea was to gently introduce you to the wonderful world of OSINT, and hopefully, help you gain some valuable investigative skills along the way. In the next articles, we will delve more deeply into specific cases and provide additional tools.
Meanwhile, keep practicing: have a go at the OhSINT room on TryHackMe and follow @quiztime on Twitter for daily OSINT challenges!