Introduction to OSINT

Open-Source Intelligence (OSINT) is the practice of collecting, analyzing, and leveraging publicly available information to gather intelligence. OSINT can be used for a variety of purposes, such as:

• Threat Intelligence: Gathering information about potential threats, actors, and their activities.
• Investigative Research: Conducting in-depth investigations on individuals, organizations, or events.
• Competitive Intelligence: Gathering information about competitors to gain a strategic advantage.
• Cybersecurity: Collecting data to enhance security measures and identify potential vulnerabilities.

OSINT Frameworks

OSINT frameworks are comprehensive sets of tools, techniques, and best practices for conducting OSINT investigations. Some popular OSINT frameworks include:

• OSINT Framework: A collection of various online tools and resources organized by category.
• Maltego: A graphical tool for open-source intelligence and forensics.
• Bellingcat’s OSINT Toolkit: A Google Sheets-based toolkit with various OSINT tools and resources.

These frameworks provide a structured approach to OSINT investigations and help researchers stay organized and efficient.

🚦 Stages

OFM is meant to be followed in a top-down approach, starting with the widest types and methods of searching for data and gradually implementing increasingly specialized tools and techniques. In the end, all the collected data is funneled into the Data Process & Analysis phase.

🔍 STAGE 1: Search Engines

• The main goal of this stage is to collect more PII (Personal Identifiable Information, e.g., email addresses and/or usernames) about the target. The discovery of new PII is useful both for recursively searching the web for more data on the target, as well as feeding this PII to specialized OSINT tools during Stages 2-5.
• This stage may sometimes collect the most amount of data, although this data may be quite scattered and raw in the absence of any kind of automation or filtering algorithm.
• For each search engine, manual or automated (API-based) advanced search and scrape methods can be applied to filter the results via built-in operators or patterns, and also to organize the data in structured formats e.g., JSON.
• Furthermore, recursive searching and scraping should be applied for each piece of PII collected during previous searches. This can be done best by using an automated tool.
• The tools used in this stage are the most well-known search engines, either queried manually or programmatically:
  • Google Advanced Search
  • Bing Advanced Search
  • Yandex Advanced Search
  • Yahoo Advanced Search
  • DuckDuckGo Advanced Search
  • Qwant Advanced Search
  • Startpage Advanced Search
  • Baidu Advanced Search
  • Naver Advanced Search
  • Internet Archive Advanced Search

Effective use of search engines is a fundamental part of OSINT. In addition to popular search engines like Google, Bing, and DuckDuckGo, researchers can utilize specialized search engines and techniques:

• Shodan: A search engine for internet-connected devices and services.
• Censys: A search engine for internet-connected devices and hosts.
• Yippy: A meta-search engine that combines results from multiple search engines.
• Google Dorks: Advanced search queries that can uncover hidden or sensitive information.

🛠️ STAGE 2: Specialized Tools

• After the first wave of (more or less) relevant data has been collected and filtered from search engines, the next step is to use specialized OSINT tools on the most relevant bits of data that have been collected during Stage 1 (usernames, email addresses, phone numbers, profile URLs, etc.).

• These tools are meant as additional filters for the OSINT investigation; however, they can also provide new insights and leads on the target’s online presence. Combining these tools with the advanced searches from the previous stage may already build a significant portion of the target’s digital footprint.

• Some of the tools used in this stage are:

  • Username search:

    • Sherlock
    • Maigret
    • Whatsmyname
    • NameChk
    • UserSearchORG
    • UserSearchAI
    • BlackBird
    • ThatsThem
    • Spiderfoot
    • Marple
    • Mailcat
    • Spokeo
    • OSINT Industries
    • OnChain Industries
    • IntelTechniques Username Tools
    • Bellingcat People Toolkit

  • Email search:

    • Holehe
    • Epieos
    • Ghunt
    • UserSearchORG
    • UserSearchAI
    • BlackBird
    • Spiderfoot
    • theHarvester
    • Whoxy
    • Spokeo
    • sn0int
    • Pentester
    • OSINT Industries
    • OnChain Industries
    • PredictaSearch
    • IntelTechniques Email Tools
    • Bellingcat People Toolkit
    • Bonus email finders:
      • Snov
      • Experte
      • Infoga
      • Hunter
      • Minelead
      • Findemail

  • Phone Number search:

    • Spiderfoot
    • PhoneInfoga
    • ThatsThem
    • UserSearchORG
    • UserSearchAI
    • PhoneValidator
    • Epieos
    • sn0int
    • Spokeo
    • OSINT Industries
    • PredictaSearch
    • IntelTechniques Phone Tools
    • Bellingcat People Toolkit

🌐 STAGE 3: Social Avenues

• The information collected in the previous two steps may point to one or more social media profiles that the target is using. These profiles may include, but not be limited to, well-known social media services such as Facebook, Instagram, TikTok, X, or Reddit, secondary or emerging social networks such as Bluesky or Truth Social, blogs, forums, or chat rooms such as Telegram, Discord, Slack, etc.
• Any of these avenues can lead to discovering more information about the target, either personal (age, birthday, photos, workplace, locations, friends) or ideological such as political, cultural, religious, or sexual preferences, among others. Any such lead can further unravel a suite of pathways to explore, and can also help paint a better picture of the target. This stage is partly manual, however the tools below may provide additional or faster insights.

🍀 NOTE: There are hundreds of social media OSINT (SOCMINT) tools than have been developed over the years. Few of them still work (fully or partially) to this day, however most of them have not been maintained for years mostly because social media platforms have become more restrictive when it comes to their search functionality, API access and privacy measures. Therefore, any attempt to list all of these tools would be futile. Recently, more and more specialized (paid) tools emerged in the OSINT community and, even though some of them may not be affordable for most users, professional OSINT investigators will rely more and more on these solutions.

🍀 NOTE: In the age of information and speed, real OSINT investigators would rather have a handful of (paid) specialized tools to rely on anytime, in combination with other tools and APIs mentioned throughout this methodology, than spend hours or days scouring through GitHub, Reddit or other places in search of a functional tool to do their job. The purpose of the OFM is to provide a pragmatic and useful path for conducting OSINT investigations, not to blindly list every available tool out there.

• Below you can find some general SOCMINT search tools that are free or partially free, as well as a list of paid tools which is going to be updated periodically.

  • General search tools (Free):
    • IntelTechniques Facebook Search
    • IntelTechniques Twitter Search
    • IntelTechniques Instagram Search
    • IntelTechniques LinkedIn Search
    • IntelTechniques Communities (Reddit, TikTok, etc.)
    • Bellingcat Facebook Tools
    • Bellingcat Twitter Tools
    • Bellingcat Instagram Tools
    • Bellingcat LinkedIn Tools
    • Bellingcat Discord Tools
    • Bellingcat Telegram Tools
    • Bellingcat Reddit Tools
    • Bellingcat TikTok Tools
    • Bellingcat VKontakte Tools
    • Bellingcat YouTube Tools
    • Bellingcat Other Networks
      • SOCMINT - Others
      • SOCMINT - Others
      • SOCMINT - Others
  • Specialized SOCMINT tools (Paid):
    • Maltego
    • SocialLinks
    • SkopeNow
    • Neotas
    • ShadowDragon
    • BlackDot
    • BabelStreet
    • Spokeo
    • OSINT Industries
    • IntelligenceX

Social media platforms are a rich source of OSINT data. Researchers can gather information from various social media sites, such as:

• Facebook: Profiles, groups, pages, and public posts.
• Twitter: Tweets, user profiles, and hashtags.
• LinkedIn: Professional profiles and connections.
• Instagram: Photos, videos, and user locations.

Tools like Spiderfoot and Maltego can help automate and streamline the collection of data from social media.

🔐 STAGE 4: Data Breaches

• Websites and APIs providing information and search capabilities on data breaches and pastes can sometimes prove to be extremely rewarding, especially if the previous steps have not provided a great deal of data about the target. Finding breaches that the target’s username or email address has been a part of can provide crucial clues on some of the platforms where the target has (or at least had) accounts or profiles. Furthermore, this type of search can easily be automated via Python scripts and libraries, at very low API costs. Of course, this can again lead to manual research once one or more pieces of data have been found.

• Typical tools in this step are:

  • HaveIBeenPwned
  • IntelligenceX
  • Dehashed
  • Snusbase
  • LeakCheck
  • CheckLeaked
  • Pastebin
  • H8Mail
  • IntelTechniques Breaches
  • IntelTechniques Pastes

Many government agencies, organizations, and institutions make a wealth of information publicly available. OSINT researchers can explore these resources to gather relevant data, such as:

• Property records: Real estate ownership, property values, and tax assessments.
• Court records: Legal documents, case files, and criminal records.
• Business registrations: Company information, filings, and ownership details.
• Professional licenses: Licenses, certifications, and disciplinary actions.

🕵️ STAGE 5: Dark Web

• Finally, in some cases there may be a need to touch the dark web, especially if the target potentially uses this environment for unethical or illegal activities. Most of the time, tapping into the rabbit holes of the dark web is unnecessary since 99% of the data resides on the clear web. This type of research is mostly manual, it’s done through the Tor network and can expose the investigator to various risks if proper security measures are not implemented.

• Most common Dark Web OSINT tools include:

  • Tor Browser
  • Onion Search
  • Midnight Sea
  • Darkus
  • TorBot
  • GoTor

The dark web, a part of the internet that is not indexed by traditional search engines, can also be a source of OSINT data. However, accessing the dark web requires specialized tools and a thorough understanding of the risks involved.

Data Analysis and Visualization

OSINT investigations often involve analyzing large amounts of data from various sources. Tools like Maltego and Gephi can help researchers visualize and analyze data, uncovering connections and patterns.

OSINT Tools

There is a wide range of OSINT tools available, each with its own specialties and capabilities. Some popular OSINT tools include:

• Recon-ng: A web reconnaissance framework written in Python.
• OSINT Framework: A collection of various online tools and resources organized by category.
• Spiderfoot: An open-source OSINT automation tool that can gather information from various sources.
• Maltego: A graphical tool for open-source intelligence and forensics.

OSINT Resources and Learning

There are many resources available for individuals interested in learning more about OSINT and improving their skills:

• OSINT Techniques: A website with tutorials, guides, and resources for OSINT practitioners.
• Bellingcat: A website dedicated to open-source investigations and OSINT research.
• The OSINT Podcast: A podcast that covers various OSINT topics and interviews experts in the field.
• r/OSINT: A subreddit dedicated to open-source intelligence discussion and sharing.
• OSINT Courses and Certifications: Online courses and certifications for OSINT training and skill development.