My OSINT Blueprint – Methodology and Tools Part One

Ha, I can still log in!

Borat Great Success | Comedy movie quotes, Movie quotes, Social media  conference

It’s been a long time since I wrote a blog for this site. The last couple of years have been so busy with getting my company, Perspective Intelligence up and running properly that I just haven’t had time or capacity to really blog about stuff that wasn’t business-driven. A shame I’m sure we can all agree… No? Well, let’s move on then.

While work has dominated my time for the last couple of years, I do still very much enjoy good beer and heavy metal. So please do recommend any good beers or bands you’ve been listening to recently! But enough of that, let’s talk about OSINT!!

So one of the things I do a lot, on individuals, groups and increasingly businesses is open-source intelligence. If you’ve seen any previous blog posts, you’ll know that OSINT is the lead in my pencil, the cheese to my pickle, the marmite to my sandwich… I may be hungry. When I first started out with Perspective Intelligence, I worked with investigators and clients on people-focused investigations, and while I still do a fair amount of this, I’m trying to get my business more focused in the cyber threat space and looking at the external attack surface. If you’re connected with me on LinkedIn or X/Twitter, you’ve likely seen me post about Attack Surface Intelligence at length (while you’re here, if your company wants a free assessment of its external attack surface, check out this link!). But one thing I’ve done as well is deliver my artisan-crafted OSINT Practitioner course.

The training course is largely focused on “People OSINT” although we do cover a lot of other things – Businesses, dark web, websites etc. but I thought a blog around my methodology and approach to these people investigations may be of interest, including the tools I rely on to help me with speed and collection of data. Heads up, some of them are out of the price range for a lot of hobbyists, but I’m using them on a commercial scale to help drive results and data collection at speed – Everything I mention you could likely collect yourself, it would just take longer.

My OSINT Blueprint

So, most investigations for me start with the same questions:

  • Who is the subject?
  • What do we already know?
  • What are the aims of the investigation?

This is usually a reasonable starting point for almost any investigation. Ultimately, the last bullet point is CRUCIAL. Understanding the aim of the investigation will help guide and steer you as you go about doing the artisan googling. It also helps you verify that what you’re being asked is both reasonable and achievable (although don’t be scared when you can’t answer a question. Sometimes, we can’t get to the answer if it doesn’t exist in the public domain!).

When it comes to what is already known, it’s always a great starting point if we can get details like email addresses and phone numbers – Most clients I work with usually want a full online footprint and getting a head start on these details is always appreciated. Likewise you may want to consider any images of the subject, known locations or associates/family members. Basically, anything we can find to help identify the individual online.

You’ll also likely want to know things like business connections or political affiliations etc. Whatever helps with the aims of the investigation. A lot of cases I work are civil in nature and usually business disputes or similar, so this kind of thing is very useful. But beyond this, how do we approach an investigation?

October 2019 – Threat Intel 101 | RISE – Roanoke InfoSec Exchange

Phase One – Getting Our Ducks in a Row

CAVEAT: Everything discussed in this series is around passive OSINT research. It does not involve interacting with a subject or doing anything that could be considered unethical or illegal, such as hacking into an account or social engineering on the subject to identify more information. I’m based in the UK and all OSINT research is conducted within the confines of the Computer Misuse Act (for better or worse) and within the code of ethics of membership bodies such as the Association of Crime & Intelligence Analysts and Security Institute.

First things first, we need to understand where to find out relevant information, I highly recommend using my OSINT Resource document for this, because it’s bloody massive and also I add to it when I see things that are useful. It also covers a lot of ground including web-based resources, downloadable tools and other collated searches together. I’m really happy with it and hopefully it aids you in your investigations too!

Assuming we have a starting set of information on a subject beyond their name, I usually start here. Quick wins and positivity to get things moving. So usually, I look at these angles first:

  • Email Addresses
  • Phone Numbers
  • Known Social Media

Sounds obvious, right?! My aim at this point is to essentially branch out and find other useful bits of information – Usernames, profile images, other associated accounts, contact lists, breach and credential theft records. Anything that gives me further avenues for investigation.

So how do we get to that point? Well let’s take a look at this approach…

Email Addresses

OSINT against email addresses is a beautiful thing, there are a lot of ways and means by which to identify further information. But as a starting point, let’s think about what we can get from them:

  • Usernames (from the prefix before @)
  • Associated accounts
  • Breach/credential information
  • Indexed posts online where it’s shared
  • Company/personal website domain
  • Previously-linked website ownership

For a person-focused OSINT investigation, this is a really strong starting point I’m sure you’ll agree. And it’s exactly that, a starting point. You could delve even deeper into this if you consider the email attack surface document created by Sinwindie:

Sinwindie's Email OSINT attack surface

This is something you can largely check for at zero cost, too, although admittedly not at scale. But given the breadth of information we can find and use just from an email address – It’s got to be worth thinking about how we can speed this up, right? Back in the glory days when all this was hills, etc., many account associations could be easily done using the good old “Forgotten Password” method just to check if an email address was indeed linked to an account. Sometimes, you’d even get the account details, good times!

But today, that’s harder to do, and there are a lot more online services than there were back when the Internet was in black-and-white standard definition. In today’s 4K HDR online landscape, we can leverage some free and paid tools to do things at pace!

Free Tools:

  • Holehe – This is a Python command-line tool that will look for account associations to an email address. It’s quick, covers a lot of ground and can give you a good head start on where to look for your subject. The developer is one of the people behind OSINT Industries, which effectively is Holehe on steroids but has a cost if you’re not working for law enforcement/military/non-profit/journalism purposes. However, Holehe also has a Maltego transform, which is predominantly how I use the tool nowadays.
  • HaveIBeenPwned – For a free lookup on breach data for an email address, this is a go-to for almost any investigator. It’s not the most comprehensive dataset for breach data, but it is free to query and will give you some investigative steer for where your subject may be active online.
  • GHunt – Another command-line tool focused on identifying Google account information, including YouTube account and Google Maps reviews. The latter can be helpful for finding a location for the subject, albeit historical.

Paid Tools:

  • OSINT Industries – As mentioned above, OSINT Industries lets you query email addresses and phone numbers against more than 300 websites at the time of writing this blog. The user interface is easy to understand, and you can download results in a range of formats that suit your needs. Where possible, it will also give you a direct link to the accounts it identifies for the subject. So you can quickly gather more intelligence and continue your investigation.
  • ShadowDragon SocialNet – SocialNet by ShadowDragon is an API-driven tool, either through their Horizon web portal or through tools like Maltego or i2. It works in a similar vein to OSINT Industries and lets you query hundreds of sites against an email address. I use SocialNet within Maltego, and it’s a daily tool for me. It’s not cheap to get access to (especially considering you may also need a Maltego licence), but I think combining it with other integrations and tools has become an essential part of my OSINT toolkit.
  • Pipl – Pipl is a people search engine with a Maltego integration (if you haven’t already figured this out, I REALLY love Maltego). The difference with Pipl in this use-case is the ability to take an identifier like an email address and associate it with a real-world person. Through their collection, you may also find other social media accounts, further identifiers, phone numbers, email addresses, and other metadata associated with the subject. It can be a significantly useful resource for digging deeper and uncovering more information.

There are a multitude of tools and resources out there, and I’m highlighting a few; I haven’t touched on commercial data breach services here because it’s such a murky landscape, and each individual’s appetite for it will vary. I use a number of different services for this because I’m yet to find one that stands head and shoulders above the rest, but there’s plenty of choice in the market (including collecting your own datasets from forums and Telegram, but goodness me, that is a minefield, too). I would urge caution if you do decide to venture into the space, and feel free to DM me on socials if you want to know which services I’m using.

Note: At no point yet have I considered visiting a profile or doing research on platform – When I do get to this I will always use a sockpuppet account. I blogged my approach to setting up a sockpuppet account here. My approach hasn’t changed since writing that blog, and it’s still working today, so I’m very confident in the approach there.

Moving away from tools and back to manual research – I always use search engines for the email address too, both using specific search terms (e.g. “[email protected]”) and searching just for the prefix of the email, providing it’s relatively unique and not in firstname.surname format (unless that in itself is very unique). You may not find much nowadays from this approach, but you never know where you may get lucky, and particularly, the username angle is definitely worth considering. We’ll touch on Usernames in Part Two of this series, I think, as it’s a broad section in its own right.

With the email address(es) covered off using our combination of automated and manual research, then let’s take a peek at phone numbers.

Phone Numbers

So if we’re lucky enough to already have phone numbers for the subject, then great! We can leverage some tools and sources to get straight to work. And in most cases, it’s going to be difficult to find a phone number for the subject from Google dorks, but this is where we can think about fusing different pieces of information together. For example, if we get hits on data breaches for an email address, maybe the dataset will include a phone number or other useful information we can search on. In this example, you either need to pay for or develop your own plan of collecting that breach information in the first place. However, I think it illustrates how and why we need to cover all our bases.

So phone number lookups are “fun” if you don’t have the ability to leverage tools like SocialNet. But if you’ve followed my advice on setting up a sockpuppet account, then you should have a smartphone available for you to leverage. So assuming we have a number to search on, the most obvious way of checking it against services is adding it as a contact then going through apps one by one that allow you to check for your contacts on the service. From the top of my head you can do this across:

  • WhatsApp
  • Telegram
  • Signal
  • Kik
  • Snapchat
  • TikTok
  • Viber

There’s probably a lot more too. But this will be a useful way of practicing I’m sure. From using this method you may be able to find new images, information and content shared by the subject. Of course, you NEED a sockpuppet to do this safely and securely, but for most OSINT Practitioners, that’s standard practice.

But what else can we look at for phone numbers? Well luckily Sinwindie hooked us up there too!

phone attack surface

So again we have quite a broad surface area for looking at this, while social media etc. will require sockpuppet accounts, we can still glean a large amount of information by looking at different angles and information around the number. Here’s a couple of tools that can help us with enriching the information:

Free Tools:

  • Ignorant – Python-based CLI tool that will query a phone number against a couple of different online services including Instagram and Snapchat.
  • IntelTechniques – Along with a broad range of lookup tools, is the phone number section on the IntelTechniques website. Effectively you can search a broad range of services for a number at once and see each result in its own tab. This can also be done using the phone number tool in the virtual machine you can build using the OSINT Techniques books by Michael Bazzell.
  • NumVerify – An online service for verifying and getting information about a phone number. If you use Spiderfoot, this is a module contained within that. Free for up to 100 API searches a month

Paid Tools:

  • OSINT Industries – Already mentioned for emails, but OSINT Industries will also let you search against phone numbers and identify accounts.
  • ShadowDragon SocialNet – Similar to OSINT Industries, already mentioned for emails but also allows phone number searching.

The great angle for me with phone numbers is that you can usually tie them to a real-world persona more easily than you can with something like an email address, which can be more ephemeral in nature. It requires a combination of manual and automated research, but together they usually form a powerful combination. But to cover off the final part of our “what do we already know?” let’s think about social media.

Social Media

OSINT Techniques on X: "OSINT humor by @Sector035 https://t.co/JDLGe70Dzx"  / X

Similar to both email addresses and phone numbers, if we have some already-known social media, then we have a great launch pad to find other accounts or more information. And oftentimes, we’ll leverage the email or phone number to identify the social media accounts, and the cycle continues. Of course, for anything social media you need some level of obfuscation, so you’ll need a sockpuppet for manual research, or you’ll need one of the API-led tools like ShadowDragon (Note: While I love SocialNet, I do still find myself doing manual OSINT on social media profiles as I find it more intuitive personally).

So, with social media accounts, there’s a significant raft of information we can identify and then build from. Unsurprisingly, this can differ from platform to platform, and thus, it can be quite confusing. But our guy Sinwindie has our backs here, too. Here’s the full list of attack surface diagrams they’ve developed over the years. But let’s consider some of the biggest things we can identify on most platforms:

  • Name
  • Username
  • User ID
  • Bio Details (location, work, hobbies, interests etc.)
  • Posts made
  • Posts tagged in
  • Likes/Comments
  • Groups
  • Friends/Family

These are all things that can help us answer the intelligence requirement and find other avenues to explore (friends and family can often be very useful resources for further information). Now, you’ll likely find some profiles are private, and at the time of writing this, there’s no way around that beyond connecting the individual (which we DON’T DO as passive OSINT investigators). However, understanding the account exists and is there means we can do periodical checks to see if it opens up or if anything changes. Some commercial platforms may also be able to find posts that the private account is tagged in, but results may be hit and miss.

For a lot of engagements, I get that these known social profiles are usually things like LinkedIn, which is a useful starting point but often not ideal for the “whole picture” OSINT-type stuff. That’s where we can consider things like facial recognition to identify further accounts online, in addition to using email addresses and phone numbers to help identify online accounts. Unfortunately, there aren’t a huge amount of facial recognition tools we can use, and none that are free to use at the time of writing.

For accounts we don’t know about, we’ll need to do some old-fashioned investigating. So don your Sherlock hat, and off we go! Most platforms will give you reasonable search functionality, and a lot of time I find is spent doing this, looking for accounts, and using various combinations of information to ensure that there isn’t anything missing. This is one of the most laborious parts of a person’s OSINT investigation, as it’s a lot of trial and error and often looking at accounts unrelated to the subject. But it’s also key to ensuring a thorough job is done. Some commercial tools will help identify accounts, but you still need human verification and research to be fully confident before you write a report. I’ve seen instances where people have solely relied on an automated search and report from a well-known OSINT vendor without having done any level of assurance on the data. It makes both them and the vendor look bad, but the tool can only go so far, and an intelligence analyst is needed to do the analysis!

There’s also the issue of staying up to date with all the changes on each platform over time, not to mention the rise and fall of different services, which makes Social Media Intelligence (SOCMINT) kind of its own niche in many respects. While still OSINT, the pace of change and adaptability needed to be on platforms, understanding how they work and how we can exploit data to enrich our intelligence needs is a constant struggle. Thankfully, I think the OSINT community is actually one of the most well-rounded and helpful online communities I’ve come across. So, as long you tune in to the community, you can usually keep on top of things. Some great resources include Sector035’s Week in OSINT, which always gives a great roundup of OSINT-related news from the last week or so.  And Jake Creps OSINT Newsletter. Jake’s newsletter includes some OSINT news, tooltips, and advice on developing capabilities (for paying subscribers).

How to Build an OSINT Super Machine for People Surveillance and Sourcing

So now we’ve lined our ducks in a row, and have branched out across the information we already have and used that to lead our investigation further. Where do we go from here? Well I think there’s plenty of avenues left to explore:

  • Usernames
  • Facial Recognition
  • Websites
  • Public Records
  • Search Engine results
  • The Very Scary Dark Web

These are just starters. Depending on what we find during the course of research, there’s a million and one ways an investigation could go. I’ll write a second (maybe a third) part of this touching on the other areas soon.

Overall, while I tend to follow a loose checklist for each investigation, one of things that made me fall in love with OSINT in the first place was the sheer variety of investigations and how each case is different from the last. So while this methodology and approach works for me most of the time, I also have to adapt and be willing to change. Fortunately, being in control of my own investigations means I can have that adaptability and flexibility.

This has been a relatively long post so I’ll close it off here. But what is your approach? Similar to mine for the start of an investigation or radically different? Likewise do you use any tools or services for email addresses and phone numbers that I haven’t mentioned that you think are worthwhile? Let me know!

Until the next one.

AaronCTI

Cyber Threats & Open-Source Intelligence. Also known to enjoy craft beer, heavy metal and video games. Founder of Perspective Intelligence.

You may also like...