This article focuses on how to discover a person’s digital footprint and gather personal data using open-source intelligence (OSINT). In its simplest form, OSINT is the process of collecting information from publicly available sources. Those sources are not limited to web searches: newspapers, television, blogs, tweets, social media posts, images, podcasts, and videos all qualify, as long as the material is public, free, and legal to access.
The scope of OSINT is not limited to cybersecurity. Corporate intelligence, military intelligence, sales, marketing, and product management teams all use OSINT techniques to work more effectively.
The Steps to perform OSINT
You may be wondering how to turn publicly accessible data into something useful. Performing OSINT is not rocket science; there are just a few essential points to keep in mind before starting a search:
- Start with what you already know, e.g. an email address or a username.
- Define your requirements: what exactly do you want to find?
- Gather data using OSINT tools (discussed later).
- Analyse the collected data.
- Pivot as needed on the newly gathered data.
- Validate your assumptions.
- Finally, write the report.
Based on these steps, let’s discuss what information can be collected from the known starting points (username, email address, phone number, domain) and which resources on the internet serve the purpose.
Username Search – OSINT
Suppose I have a target’s username and have to collect as much information as possible about it from publicly available sources. The flowchart below shows how, starting from a single username, you can reach data related to it.
From a username you can often reach an email address, because usernames are frequently derived from email addresses (or the other way round). If that is not the case, you can guess a likely address and search it on Have I Been Pwned, a site that lets you check whether an email address appears in known data breaches. A hit confirms both that the address exists and that it was exposed in at least one breach; a miss proves nothing, since a real address may simply never have been breached.
Simply typing the username into a search engine can also surface a great deal of information and lead you to the target’s social media accounts.
There are also dedicated username search tools that locate accounts with that handle across platforms. Social media profiles can reveal personal information such as real name, home address, age, gender, hobbies, and check-ins. Reaching the social media account is therefore the final flag: it exposes a lot of personal information.
You can also try manual lookups on social media platforms to obtain the email address behind the username and other personally identifiable information. Apart from online services, you can use the GitHub project WhatsMyName, a repository that holds the unified data needed to perform username enumeration across many websites. Keep in mind that when searching across multiple sites you will get false positives: someone else may use the same username, so each hit must be tied back to the target independently.
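To make the enumeration and false-positive problem concrete, here is an added example (not code from the article or from the WhatsMyName project) that checks a username against a set of site definitions modelled on the detection fields WhatsMyName’s data file uses: a URL template plus an "exists" status code and marker string, and a "missing" status code and marker string. Every host and response below is constructed so the script runs offline; swap `fake_fetch` for a real HTTP client to run it against live sites. The third site is a deliberate "soft 404" case, where unknown users still get HTTP 200, which is exactly what makes status-only checks report phantom accounts.

```python
"""Username enumeration in the style of WhatsMyName (added example)."""
from typing import Callable, Dict, List, Tuple

Fetcher = Callable[[str], Tuple[int, str]]  # url -> (status_code, body)

# Constructed site definitions; hosts are hypothetical (*.example).
SITES = [
    {"name": "exampleforum",
     "uri_check": "https://forum.example/u/{account}",
     "e_code": 200, "e_string": 'class="profile-card"',
     "m_code": 404, "m_string": "User not found"},
    {"name": "examplecode",
     "uri_check": "https://code.example/{account}",
     "e_code": 200, "e_string": '"login":"{account}"',
     "m_code": 404, "m_string": '"message":"Not Found"'},
    # Soft-404 site: unknown users still get HTTP 200, so a status-only
    # check would report every username as found.
    {"name": "examplesoft",
     "uri_check": "https://soft.example/profile/{account}",
     "e_code": 200, "e_string": "Member since",
     "m_code": 200, "m_string": "Search results for"},
]

# Constructed responses keyed by URL, standing in for live HTTP.
FAKE_RESPONSES = {
    "https://forum.example/u/jdoe": (200, '<div class="profile-card">jdoe</div>'),
    "https://code.example/jdoe": (200, '{"login":"jdoe","id":42}'),
    "https://soft.example/profile/jdoe": (200, "<h1>Search results for jdoe</h1>"),
    "https://forum.example/u/nobody_9x": (404, "<p>User not found</p>"),
    "https://code.example/nobody_9x": (404, '{"message":"Not Found"}'),
    "https://soft.example/profile/nobody_9x": (200, "<h1>Search results for nobody_9x</h1>"),
}


def fake_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for an HTTP GET; unknown URLs look like a failed request."""
    return FAKE_RESPONSES.get(url, (0, ""))


def classify(site: dict, username: str, fetch: Fetcher) -> str:
    """Return 'found', 'missing', 'ambiguous' or 'unknown' for one site.

    Both the status code and the marker string must agree; relying on the
    status code alone is the main source of false positives.
    """
    url = site["uri_check"].replace("{account}", username)
    code, body = fetch(url)
    e_string = site["e_string"].replace("{account}", username)
    m_string = site["m_string"].replace("{account}", username)
    exists = code == site["e_code"] and e_string in body
    missing = code == site["m_code"] and m_string in body
    if exists and missing:
        return "ambiguous"  # both rules matched; review by hand
    if exists:
        return "found"
    if missing:
        return "missing"
    return "unknown"        # layout change, rate limit, block page, ...


def enumerate_username(username: str, fetch: Fetcher = fake_fetch) -> Dict[str, str]:
    """Map site name -> classification for one username."""
    return {site["name"]: classify(site, username, fetch) for site in SITES}


def found_profiles(username: str, fetch: Fetcher = fake_fetch) -> List[str]:
    """Profile URLs that matched the 'exists' rule. These are still only
    candidates: another person may use the same handle on a given site."""
    return [site["uri_check"].replace("{account}", username)
            for site in SITES if classify(site, username, fetch) == "found"]


if __name__ == "__main__":
    for user in ("jdoe", "nobody_9x"):
        print(user, enumerate_username(user))
```

Run against live sites, the "unknown" bucket is where blocks, CAPTCHAs and redesigned pages land; treat it as "re-check later", not as "absent".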
How to Perform OSINT on Email Address
Suppose I have my target’s email address; the flowchart below shows how this single piece of information can be used to reveal the personal data linked to it.
The first thing to do is verify the email address you have. Several online tools serve this purpose:
- Domain search
Lets you find email addresses in seconds. Type a domain name to launch the search, and the result lists the people working at that company with the names and email addresses found for them on the web.
- Proofy
Proofy is a bulk email validation tool that claims over 96% accuracy. It verifies addresses in volume, with deduplication, a syntax checker, an MX record verifier, and other checks.
- Email permutator
Given a person’s name and domain, this tool generates the common address patterns (first.last, flast, first_last, and so on) as candidates for you to verify; it does not confirm that any of them exist.
- OSINT browser extensions
Browser extensions bundle many useful links, including ones for email search and verification, and are available for Firefox and Chrome.
Once the address is verified, strip the domain to obtain a probable username and use it to reach social media accounts. You can also search the email address directly on a social media platform such as Facebook, which may reveal the employer, a real name, or other related information.
Searching the address on search engines may lead you to blogs or websites where the target’s username or social media accounts appear.
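The permutation, validation and username pivot described above, as an added example that is not code from the article or from any of the tools it names. It generates the candidate addresses a permutator would, filters them with a syntax check and a pluggable MX lookup, and then strips the domain to produce the handle variants to feed into a username search. The MX table is constructed so the script runs offline; in practice you would plug in a real resolver such as dnspython’s `dns.resolver.resolve(domain, "MX")`. An MX record only proves the domain accepts mail; it says nothing about whether a particular mailbox exists.

```python
"""Email permutation, syntax/MX validation, and username pivot (added example)."""
import re
from typing import Callable, Dict, List

# Simplified syntax check: one local part, one '@', dotted domain with a TLD.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}$")

# Constructed MX data standing in for DNS answers (assumption, not real records).
FAKE_MX: Dict[str, List[str]] = {
    "example.com": ["mail.example.com"],
    "example.org": [],  # domain exists but publishes no MX: cannot receive mail
}

MxLookup = Callable[[str], List[str]]


def fake_mx_lookup(domain: str) -> List[str]:
    """Offline stand-in for an MX query; replace with a real DNS resolver."""
    return FAKE_MX.get(domain, [])


def permutations(first: str, last: str, domain: str) -> List[str]:
    """Common corporate address patterns for a name, deduplicated, stable order."""
    f, l = first.lower().strip(), last.lower().strip()
    fi, li = f[:1], l[:1]
    local_parts = [
        f"{f}.{l}", f"{f}{l}", f"{f}_{l}", f"{f}-{l}",
        f"{fi}{l}", f"{fi}.{l}", f"{f}{li}", f"{f}.{li}",
        f"{l}.{f}", f"{l}{f}", f"{l}{fi}", f"{fi}{li}", f,
    ]
    return list(dict.fromkeys(f"{lp}@{domain}" for lp in local_parts))


def is_syntactically_valid(addr: str) -> bool:
    return len(addr) <= 254 and bool(EMAIL_RE.match(addr))


def mailable(addrs: List[str], mx_lookup: MxLookup = fake_mx_lookup) -> List[str]:
    """Keep addresses that parse and whose domain publishes at least one MX.

    This confirms the domain can receive mail, not that the mailbox exists;
    mailbox-level verification needs an SMTP probe or a paid service.
    """
    return [a for a in addrs
            if is_syntactically_valid(a) and mx_lookup(a.rsplit("@", 1)[1])]


def usernames_from_email(addr: str) -> List[str]:
    """Strip the domain and emit handle variants for a username search.

    A '+tag' suffix is dropped because many providers ignore it, and dots are
    re-spelled since handles rarely allow them.
    """
    local = addr.split("@", 1)[0].lower()
    bare = local.split("+", 1)[0]
    variants = [bare, bare.replace(".", ""), bare.replace(".", "_"), bare.replace(".", "-")]
    return list(dict.fromkeys(v for v in variants if v))


if __name__ == "__main__":
    candidates = permutations("Jane", "Doe", "example.com")
    print(mailable(candidates))
    print(usernames_from_email("Jane.Doe+news@example.com"))
```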
The most striking path in this flowchart is account takeover: guess a person’s personal email address from their username, verify the address, and then, if you can get into that mailbox (for example because its password leaked in a breach), trigger the social media site’s password reset, which lands in the same mailbox. This may sound far-fetched, but hijacking accounts through a weak or compromised recovery email is a common technique.
OSINT Investigation using Phone Numbers
A common mistake social media users make is linking a phone number to their profile, for example on Facebook. If the privacy settings are permissive, the profile can then be found simply by searching for the number.
Beyond that, crowd-sourced caller-ID databases such as truecaller.com or whocalledme.com, which accumulate millions of entries from their users’ uploaded contacts and reports, can be queried for a number.
PhoneInfoga is a well-known tool for scanning phone numbers using only public resources. It first gathers basic information such as country, area, carrier, and line type for any international number, then tries to identify the VoIP provider or searches for footprints on search engines to identify the owner. It can check several numbers at once and performs reconnaissance via external APIs, Google hacking (search-engine dorks), phone books, and search engines.
The PhoneInfoga tutorial is given here.
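The footprinting step described above depends on searching for the same number in every way people write it. The following added example (not PhoneInfoga’s code or the article’s) normalises a number to E.164, splits a +1 (NANP) number into area code, exchange and line, and emits the formatting variants and the quoted OR-joined search query a footprinting step would hand to a search engine. The country-code table is deliberately tiny and only +1 numbers are decomposed; both are assumptions made so the script runs offline. The sample numbers (555-01xx, 020 7946 0xxx) are reserved fictional ranges.

```python
"""Phone-number normalisation and search-footprint generation (added example)."""
import re
from typing import Dict, List, Optional, Tuple

# Assumption: a minimal country-code table, not a full numbering plan.
COUNTRY_CODES: Dict[str, str] = {"1": "US/CA (NANP)", "44": "GB", "33": "FR", "49": "DE"}


def to_e164(raw: str, default_cc: str = "1") -> Optional[str]:
    """Normalise to +<digits>. Accepts +CC..., 00CC..., or a national number
    assumed to belong to default_cc. Returns None for implausible lengths."""
    s = raw.strip()
    digits = re.sub(r"\D", "", s)
    if s.startswith("+"):
        pass                               # already international
    elif digits.startswith("00"):
        digits = digits[2:]                # 00 international dialling prefix
    else:
        # National format: drop the trunk prefix, then prepend the country code.
        if default_cc == "1" and len(digits) == 11 and digits.startswith("1"):
            digits = digits[1:]
        elif default_cc != "1" and digits.startswith("0"):
            digits = digits[1:]
        digits = default_cc + digits
    if not 8 <= len(digits) <= 15:         # E.164 allows at most 15 digits
        return None
    return "+" + digits


def split_country(e164: str) -> Tuple[Optional[str], str]:
    """(country_code, national_number) by longest-prefix match on the table."""
    body = e164.lstrip("+")
    for n in (3, 2, 1):
        if body[:n] in COUNTRY_CODES:
            return body[:n], body[n:]
    return None, body


def formats(e164: str) -> List[str]:
    """Written forms of the number worth searching for."""
    cc, nsn = split_country(e164)
    out = [e164, f"+{cc} {nsn}" if cc else e164]
    if cc == "1" and len(nsn) == 10:       # NANP: NPA-NXX-XXXX
        area, exch, line = nsn[:3], nsn[3:6], nsn[6:]
        out += [f"({area}) {exch}-{line}", f"{area}-{exch}-{line}",
                f"{area}.{exch}.{line}", f"{area} {exch} {line}",
                f"1-{area}-{exch}-{line}"]
    return list(dict.fromkeys(out))


def search_query(e164: str) -> str:
    """Quoted, OR-joined variants: the footprint query for a search engine."""
    return " OR ".join(f'"{v}"' for v in formats(e164))


def scan(raw: str, default_cc: str = "1") -> Optional[dict]:
    """Offline part of a scan: normalisation, country split, formats, query."""
    e164 = to_e164(raw, default_cc)
    if e164 is None:
        return None
    cc, nsn = split_country(e164)
    return {"e164": e164, "country_code": cc,
            "country": COUNTRY_CODES.get(cc, "unknown"),
            "national_number": nsn, "formats": formats(e164),
            "query": search_query(e164)}


if __name__ == "__main__":
    print(scan("(415) 555-0134"))
```

Carrier and line-type lookups need a numbering-plan database or an external API, so they are out of scope here; the point is that the search footprint is only as good as the set of formats you generate.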
Domain name OSINT
If you know a website the person you are investigating owns, it can quickly reveal important information such as the operating system and software versions in use, personal contact details, and more. Several utilities perform this job:
- Whois
Whois gives information about the registered users or assignees of an Internet resource, i.e. a domain name, an IP address range, or an autonomous system. It is a widely used Internet record listing that identifies who owns a domain and how to get in contact with them. Note that many registrars now redact registrant details, so fields may simply read "REDACTED FOR PRIVACY"; historical records often still carry the original data.
- Reverse Whois
Reverse Whois lets you search for domains by the name, address, phone number, or email address of the registrant listed in current or historical Whois records. Enter any piece of the registrant’s information, and every domain whose Whois record contains it is returned.
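Reverse Whois is just an inverted index over parsed Whois records. The added example below (not code from the article or from any Whois service) parses the key/value text WHOIS servers return, normalises the registrant fields, skips the redaction placeholders, and builds the email-or-name-to-domains index that a reverse lookup queries. The three records are constructed (reserved example domains, invented registrant data) so the script runs offline; a live version would read the text from TCP port 43 of the registrar’s server. The redaction filter is a keyword heuristic and will need tuning per registrar.

```python
"""WHOIS record parsing and a reverse-Whois index (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Constructed WHOIS responses: reserved example domains, invented registrants.
RECORDS: Dict[str, str] = {
    "example.com": """Domain Name: EXAMPLE.COM
Registrar: Example Registrar, Inc.
Creation Date: 2019-03-04T10:22:31Z
Registrant Name: Jane Doe
Registrant Organization: Doe Consulting
Registrant Email: ops@doe-consulting.example
Name Server: NS1.EXAMPLE.COM
Name Server: NS2.EXAMPLE.COM
>>> Last update of WHOIS database: 2024-01-01T00:00:00Z <<<
""",
    "example.org": """Domain Name: example.org
Registrant Name: J. Doe
Registrant Email: OPS@doe-consulting.example
Name Server: ns1.example.org
""",
    "example.net": """Domain Name: example.net
Registrant Name: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar of Record
Name Server: ns1.example.net
""",
}

# "Field Name: value"; the lazy key match stops at the first colon so values
# containing colons (timestamps) survive intact.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /_.-]*?):\s*(.+?)\s*$")
# Heuristic for privacy-redacted placeholders (assumption; tune per registrar).
REDACTED = re.compile(r"redacted|privacy|query the rdds|not disclosed|data protected", re.I)


def parse_whois(text: str) -> Dict[str, List[str]]:
    """Return {lower-cased field: [values]}; repeated fields keep every value."""
    fields: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        if line.startswith((">>>", "%", "#")):
            continue  # server banners and legal footers, not record data
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1).strip().lower()].append(m.group(2))
    return dict(fields)


def registrant_keys(fields: Dict[str, List[str]]) -> List[str]:
    """Normalised pivot values from the registrant fields, minus redactions."""
    keys = []
    for name in ("registrant email", "registrant name", "registrant organization"):
        for value in fields.get(name, []):
            if REDACTED.search(value):
                continue
            keys.append(value.strip().lower())
    return keys


def build_reverse_index(records: Dict[str, str]) -> Dict[str, List[str]]:
    """registrant email/name/org -> sorted list of domains sharing it."""
    index: Dict[str, set] = defaultdict(set)
    for domain, text in records.items():
        for key in registrant_keys(parse_whois(text)):
            index[key].add(domain.lower())
    return {k: sorted(v) for k, v in index.items()}


def reverse_whois(value: str, index: Dict[str, List[str]]) -> List[str]:
    """Case-insensitive lookup of one registrant value."""
    return index.get(value.strip().lower(), [])


if __name__ == "__main__":
    idx = build_reverse_index(RECORDS)
    print(reverse_whois("ops@doe-consulting.example", idx))
```

Because example.net is fully redacted it contributes nothing to the index, which is the real-world limitation of reverse Whois on current records; services that sell it rely on historical snapshots taken before redaction.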
The Top 3 OSINT Tools
Many automated tools are dedicated to this purpose and ease the task of answering more complex questions. If you only need information related to a single data point, the options above suffice. Manual searches become time-consuming, however, when you are running a full digital investigation or gathering information for a penetration test. For complex OSINT investigations, the following tools deliver results on demand.
Maltego is open-source-intelligence (OSINT) and forensics software developed by Paterva. It answers complex questions by taking a single piece of information, discovering links to further pieces of data related to it, and presenting the big picture as a graph.
Its features are packaged as Transforms, which pull related information via API calls; correlating the data gathered across Transforms is what produces meaningful links.
This simple, handy tool fetches the right information about a target. It scans domains and gathers emails, subdomains, hosts, employee names, open ports, and banners from public sources such as search engines, PGP key servers, and the Shodan database, and also draws on platforms like Yahoo, LinkedIn, and Facebook.
Recon-ng is a command-line reconnaissance tool with an interface similar to Metasploit. Launching it drops you into a shell-like environment where you configure options, run recon modules, and export results in different report formats. It provides a large set of modules that use online search engines, plugins, and APIs to gather information about the target.
This article has focused on how a person can collect information using open-source intelligence. Even someone with no cybersecurity background can, with a few clicks, use online sources to collect large amounts of data that is publicly posted on the surface web. It also shows how easy it is to obtain anyone’s personal information floating around the digital world. The same techniques can be used for malicious purposes and cause real damage, so use them carefully.