How to learn OSINT: Tools, courses and training
Open Source Intelligence (OSINT) is an important discipline to learn in the Internet age, where vast amounts of information are freely available to anyone. It involves collecting and analyzing information from open, publicly accessible sources. In this article, we'll guide you through OSINT techniques, tools and training methods. Then we'll talk about how to deepen your knowledge and become an OSINT expert.
Categories of open data sources
Before getting started, it's crucial to recognize the various sources of information used in OSINT. These can be grouped into several categories, each providing its own type of data. The main categories include:
Social networks: These platforms are a rich source of information, thanks to the public posts, comments and online interactions of their users, which can reveal countless details of their private lives.
Public and government databases: Data published by governments and public bodies is a goldmine of generally reliable information.
Traditional media: Press articles, reports and official publications remain essential sources for confirming or refuting your hypotheses.
OSINT information gathering techniques
In this chapter, we'll explore methods for searching and gathering information in OSINT. These techniques will enable you to refine your searches and obtain the most accurate and relevant results.
Find someone by their username
An excellent starting point for an investigation is a person's username. Being public and easy to obtain, the same username is often reused by a person on every site they register on, which makes it an effective way of tracking down all of their public accounts and the traces they leave online.
People are accustomed to sharing their lives on Twitter or posting photos of the places they visit on Instagram. They may have entered their email address, personal or professional, on their profile. They interact with people they know personally, who in turn can lead you to further information. Or a profile may simply link to another one containing their personal details, on a network such as LinkedIn or Facebook. That's why it's important to understand how to exploit usernames: they are usually the starting point for all further research.
Searching with OSINT tools
The quickest and easiest way to track down a person's accounts is to use one of the many specialized tools available. Often free of charge, they check for a profile with the given username on hundreds of sites at once. In just a few minutes, these OSINT tools return the matches, offering an effective method of identifying the accounts associated with a given person.
Here are just a few of these tools:
Username Checker: This free online OSINT tool scans over 800 sites to find someone's profiles simply by entering their username.
Maigret: This free tool, downloadable from GitHub, lets you explore over 3,000 sites. Although it may generate a few false positives and can be a little slow, it gives a broad view.
Search engines and Google dorks
One of the disadvantages of OSINT tools is that they only check the sites their developers have added; anything else is invisible to them. There is a more complete method, albeit slower and sometimes requiring a bit of creativity: search engine results, combined with dorks and operators.
The principle is simple: run targeted searches on engines such as Bing, Google and Yandex, including dorks and operators in your queries. This approach enables highly precise web searches, turning up accounts, pages and documents buried deep in the web thanks to the engines' indexing.
Some operators and Google dorks useful for OSINT:
- site: : By using this prefix followed by a domain name, results will be restricted to that specific site. For example, if you type "site:facebook.com John Doe", the results will only come from facebook.com.
- " " : If you enclose a phrase in quotation marks, the search will be exact. For example, if you type "John Doe New York", the search engine will only return results containing this precise phrase.
- - : When you use the hyphen followed by a term, the search engine excludes results containing that term. For example, if you type John Doe -University, the results will exclude pages containing the word "University".
- cache: : By using "cache:" followed by the URL of a web page, you can access the cached, and sometimes older, version of the page as it was before it was modified. For example, "cache:https://facebook.com/JohnDoe/" would take you to the cached version of the specified page. Google has since retired this operator; archived copies from the Wayback Machine (web.archive.org) serve the same purpose.
You can further specify the search by combining several operators and dorks.
For example, if you combine the "site:" operator to restrict the search to a domain name with quotation marks around a pseudonym to force an exact match, the results will only include pages on that site that contain exactly the pseudonym you're looking for.
It's important to note that there are many other operators and dorks that can prove useful. It's therefore strongly recommended that you do your research to make the most of this method.
In addition, don't hesitate to submit your queries to different search engines. Each has its own algorithm and its own methods of recommending and referencing sites. Some information may be obtained on Yandex and not appear on Google or Bing.
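The query-building rules above are easy to get subtly wrong by hand (unquoted phrases, forgetting that an excluded multi-word term must also be quoted, pasting the same query into three engines). The following Python helper, added here as an example and not code from the original article or from any tool it mentions, composes the site:, exact-phrase and exclusion operators into one query and turns it into a ready-to-open URL for each engine. The engine endpoints and the use of OR to combine several site: restrictions are standard search-engine behaviour, not something the article states; the sample names and domains are constructed.

```python
from urllib.parse import quote_plus

# Search endpoints for the three engines mentioned above (the query goes in the URL).
ENGINES = {
    "google": "https://www.google.com/search?q=",
    "bing": "https://www.bing.com/search?q=",
    "yandex": "https://yandex.com/search/?text=",
}


def exact(term: str) -> str:
    """Wrap a term in double quotes so the engine matches it literally, not stemmed or reordered."""
    return '"' + term.strip().strip('"') + '"'


def build_dork(phrases, sites=(), exclude=()) -> str:
    """Combine the operators described above into one query string.

    phrases: terms that must appear exactly (each is quoted)
    sites:   domains to restrict results to (site:); several are joined with OR
    exclude: terms to drop from results (-term); multi-word terms are quoted
    """
    parts = [exact(p) for p in phrases if p.strip()]
    sites = [s.strip() for s in sites if s.strip()]
    if len(sites) == 1:
        parts.append(f"site:{sites[0]}")
    elif sites:
        parts.append("(" + " OR ".join(f"site:{s}" for s in sites) + ")")
    for term in exclude:
        term = term.strip()
        if term:
            parts.append("-" + (exact(term) if " " in term else term))
    return " ".join(parts)


def search_urls(query: str) -> dict:
    """Return the same query as a URL for every engine, since each index differs."""
    return {name: base + quote_plus(query) for name, base in ENGINES.items()}


if __name__ == "__main__":
    # Constructed example: an exact name, two sites, one excluded term.
    q = build_dork(["John Doe"], sites=["facebook.com", "linkedin.com"], exclude=["University"])
    print(q)
    for name, url in search_urls(q).items():
        print(f"{name:7s} {url}")
```

Open the three URLs side by side: as the paragraph above notes, a page that Google does not return may well be indexed by Yandex or Bing.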
Find an email address with a username
Another way to advance an OSINT investigation is through the target's email address. Unlike usernames, an email address is rarely public and can be more difficult to obtain. However, there are several methods that make it easier to acquire. Here are a few techniques for finding someone's email address:
Social network biographies
This method is simple, but it works especially well with professionals or people with professional ambitions. Simply go through all of the person's social networks and read their biography. Some will mention their professional, or even personal, email address as a means of contact.
Password reset form
One of the most direct methods of obtaining an email address, although the least discreet, is the ordinary password reset form. Many sites confirm a reset request by displaying a partially masked version of the address on file, and those few visible letters are often enough to reconstruct it. Be aware that some sites send the reset email before showing the masked address, which may alert the target.
Here's how the method works:
On Instagram, for example, the password reset form asks for a username. Once it is entered, Instagram offers to send a login link.
We send it, even though it might alert the target. After the email has been sent, Instagram reveals the address partially.
In our example the masked address is on gmail.com and shows only the first and last character of the local part: 8 characters in total, 2 displayed and 6 hidden. Since the target's username is "johndoe", the address plausibly starts with "john" and ends with "doe".
However, "johndoe" contains only 7 characters, so there must be one extra character. Gmail usernames may contain only letters, digits and dots, and a dot is by far the most common addition, so "john.doe" is the likely candidate.
To check, try to sign in to Gmail with that address. When an existing address is entered, Gmail asks for the password, confirming that the account exists and is probably the target's.
If the address does not exist, an error message is displayed instead. One caveat specific to Gmail: it ignores dots in the local part, so john.doe@gmail.com and johndoe@gmail.com are the same mailbox. The sign-in check therefore confirms the mailbox, while the masked form tells you which spelling the target actually registered on Instagram.
You can also use the account creation form. If an error message indicates that the username is already taken, the address exists.
Now that we know the address exists, we need to check whether it belongs to the right person. To be sure, you can use tools such as Google Hunt, which reveals certain public information about a Google account. Few people know how easy it is to access details such as photos, places visited, first and last name, or username.
In our example, the account has a photo of the target and the same username as on Instagram. By searching Instagram for a photo of him and comparing, we can be certain who owns the email address.
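The reasoning above (known username, a masked address of a known length, Gmail's character rules) can be turned into a small candidate generator, so that the same deduction works when the length gap is larger than one character or the mask reveals more letters. The code below is an added example, not code from the original article or from any tool it names; the masked address "j******e@gmail.com" is a constructed input matching the 2-visible, 6-hidden case described, and the Gmail rules it encodes (dots allowed anywhere except the ends, never consecutive, and ignored for mail delivery) are Gmail's documented behaviour rather than something the article states.

```python
import itertools


def parse_mask(masked: str):
    """Split a masked address such as 'j******e@gmail.com' into (local_mask, domain)."""
    local, _, domain = masked.partition("@")
    return local, domain.lower()


def matches_mask(candidate: str, mask: str) -> bool:
    """True if candidate has the mask's length and agrees with every visible character."""
    if len(candidate) != len(mask):
        return False
    return all(m == "*" or m == c for m, c in zip(mask, candidate))


def dot_variants(base: str, target_len: int):
    """Yield every way of inserting dots into base so the result has target_len characters.

    Gmail rules: a dot may not be first or last, and two dots may not be adjacent,
    so dots go into distinct gaps between characters (positions 1..len-1).
    """
    extra = target_len - len(base)
    if extra < 0:
        return
    if extra == 0:
        yield base
        return
    gaps = range(1, len(base))
    for combo in itertools.combinations(gaps, extra):
        out = []
        for i, ch in enumerate(base):
            if i in combo:
                out.append(".")
            out.append(ch)
        yield "".join(out)


def candidates(masked: str, known_username: str):
    """Addresses built from the known username that are consistent with the masked display."""
    local_mask, domain = parse_mask(masked)
    base = known_username.lower()
    found = {c for c in dot_variants(base, len(local_mask)) if matches_mask(c, local_mask)}
    return sorted(c + "@" + domain for c in found)


def gmail_canonical(address: str) -> str:
    """Mailbox identity as Gmail sees it: dots ignored, +tag dropped, googlemail.com == gmail.com.

    All dotted candidates collapse to the same mailbox, which is why a sign-in probe
    cannot tell them apart; only the masked display tells you the registered spelling.
    """
    local, _, domain = address.lower().partition("@")
    if domain in ("gmail.com", "googlemail.com"):
        local = local.split("+", 1)[0].replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"


if __name__ == "__main__":
    # Constructed example: Instagram showed 'j******e@gmail.com', target's username is 'johndoe'.
    for addr in candidates("j******e@gmail.com", "johndoe"):
        print(addr, "->", gmail_canonical(addr))
```

For the constructed input this yields six candidates (one dot in each possible gap), all of which map to a single Gmail mailbox; a mask that reveals more characters narrows the list further, and a larger length gap simply produces multi-dot variants.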
Check if an email address exists
We've just looked at one method of determining whether or not an email address exists. However, it's worth knowing other ways of verifying that an email address exists, in case that technique doesn't work for some reason.
Haveibeenpwned.com: This site lets you determine whether an email address appears in known leaked databases. If it does, the address exists (or at least existed) and has been used to register somewhere.
OSINT email tools: Some tools, such as Email Tracker, can discover the sites on which an email address is registered.
Search engines: Another technique is simply to search the web for the email address. Using the operators mentioned earlier in the article, pages and documents containing the address may appear in the results, confirming that it is in use and therefore exists.
Email checkers: A number of automated tools check whether an email address exists. Although they are not totally reliable, they can be used to carry out large-scale checks quickly.
Search by image (IMINT)
Knowing how to use images and videos as sources of information is extremely valuable. People often underestimate how much information they contain, and share them on social networks where anyone can see them.
Reverse image search
Reverse image search can help you uncover information, verify the authenticity of a photo, identify a location, find the original source or avoid misinformation.
Google Images / Google Lens: Google Images is designed to find similar, but not necessarily identical, images, especially since the addition of Google Lens, whose purpose is to provide information about and context for what is in the picture. It can be very useful for identifying a location or learning more about the elements present in an image, such as an object or a building.
Bing Visual Search: Along the same lines as Google, Bing does not necessarily find identical images either, but it's just as useful. It can provide information complementary to Google's, and vice versa.
Tineye.com: Tineye is an image search and recognition tool that finds an image wherever it has been posted on the internet. You can use it to find accounts associated with a person, check the origin of a photo or find a higher-quality copy.
Yandex Visual Search: Compared with other search engines, Yandex adds facial recognition to its reverse image search, among other features. Where Google will usually not find the person in a photo you submit, Yandex often can. Although it indexes Western sites less thoroughly, it is still very powerful and can be extremely useful in OSINT investigations.
AI facial recognition
Recent months have seen remarkable advances in artificial intelligence. Beyond the companies and software that treat these technologies as a fad with no real utility behind them, there are nonetheless concrete uses of AI in the OSINT field.
One example is Pimeyes.com, a pay-per-use online service available to the general public. It uses AI to perform facial recognition and find all the photos of a person. Although the subscription is not affordable for everyone, the results are simply impressive.
Exif photo metadata
Some social networks, such as Flickr and Tumblr, keep the Exif metadata of images when they are published. This can include the camera settings, date and time of capture, copyright, GPS position and so on. With an Exif viewer you can extract and read this information. Most large platforms (Facebook, Instagram, Twitter among them) strip Exif on upload, so the original file, not a re-shared copy, is what you want.
If you'd like to know whether a social network keeps the Exif metadata of posted images, consult its privacy policy. It is often clearly stated which metadata is stored.
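To show what an Exif viewer actually reads, and why stripping Exif on upload removes the GPS position entirely, here is a minimal parser for the Exif APP1 segment of a JPEG that extracts the GPS IFD and converts degrees/minutes/seconds to decimal coordinates. This is an added example, not code from the article or from any Exif tool it mentions. It needs only the standard library; the sample JPEG is constructed inline (an Exif segment and nothing else, with made-up coordinates near Paris), and `strip_exif` models what a platform that discards metadata does to the file.

```python
import struct

TYPE_SIZE = {2: 1, 4: 4, 5: 8}          # ASCII, LONG, RATIONAL
GPS_IFD_POINTER = 0x8825                 # IFD0 tag holding the offset of the GPS IFD


def build_ifd(entries, ifd_offset, e):
    """Serialise a TIFF IFD placed at ifd_offset. entries: (tag, type, count, payload bytes).
    Payloads of 4 bytes or fewer are stored inline; larger ones go after the IFD."""
    data_offset = ifd_offset + 2 + 12 * len(entries) + 4
    out, extra = struct.pack(e + "H", len(entries)), b""
    for tag, typ, count, payload in entries:
        if len(payload) <= 4:
            out += struct.pack(e + "HHI", tag, typ, count) + payload.ljust(4, b"\0")
        else:
            out += struct.pack(e + "HHII", tag, typ, count, data_offset + len(extra))
            extra += payload
    return out + struct.pack(e + "I", 0) + extra   # 0 = no next IFD


def make_sample_jpeg() -> bytes:
    """Constructed test input: a JPEG whose only content is an Exif APP1 with GPS tags."""
    e = "<"                                         # little-endian TIFF ("II")
    rat = lambda *pairs: b"".join(struct.pack(e + "II", n, d) for n, d in pairs)
    gps = [(1, 2, 2, b"N\0"), (2, 5, 3, rat((48, 1), (51, 1), (2972, 100))),   # 48 51' 29.72" N
           (3, 2, 2, b"E\0"), (4, 5, 3, rat((2, 1), (17, 1), (4029, 100)))]    # 2 17' 40.29" E
    ifd0_off = 8
    gps_off = ifd0_off + 2 + 12 + 4                # IFD0 has one inline entry
    ifd0 = build_ifd([(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_off))], ifd0_off, e)
    tiff = b"II" + struct.pack(e + "HI", 42, ifd0_off) + ifd0 + build_ifd(gps, gps_off, e)
    app1 = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


def _read_ifd(tiff, offset, e):
    """Return {tag: raw value bytes} for one IFD, following offsets for out-of-line data."""
    (n,) = struct.unpack_from(e + "H", tiff, offset)
    entries = {}
    for i in range(n):
        at = offset + 2 + 12 * i
        tag, typ, count = struct.unpack_from(e + "HHI", tiff, at)
        raw4 = tiff[at + 8:at + 12]
        if typ not in TYPE_SIZE:
            continue
        size = TYPE_SIZE[typ] * count
        if size <= 4:
            entries[tag] = raw4[:size]
        else:
            (off,) = struct.unpack(e + "I", raw4)
            entries[tag] = tiff[off:off + size]
    return entries


def _dms_to_dd(raw, ref, e):
    """Three RATIONALs (deg, min, sec) plus an N/S/E/W ref byte -> signed decimal degrees."""
    v = struct.unpack(e + "IIIIII", raw)
    d, m, s = (v[0] / v[1], v[2] / v[3], v[4] / v[5])
    dd = d + m / 60 + s / 3600
    return -dd if ref[:1] in (b"S", b"W") else dd


def extract_gps(jpeg: bytes):
    """Walk the JPEG segments, find the Exif APP1, and return (lat, lon) or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:                        # start of scan: no more metadata
            break
        if marker == 0xFFE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            tiff = jpeg[pos + 10:pos + 2 + length]
            e = "<" if tiff[:2] == b"II" else ">"
            magic, ifd0_off = struct.unpack_from(e + "HI", tiff, 2)
            if magic != 42:
                return None
            ifd0 = _read_ifd(tiff, ifd0_off, e)
            if GPS_IFD_POINTER not in ifd0:
                return None
            (gps_off,) = struct.unpack(e + "I", ifd0[GPS_IFD_POINTER])
            gps = _read_ifd(tiff, gps_off, e)
            if not all(t in gps for t in (1, 2, 3, 4)):
                return None
            return _dms_to_dd(gps[2], gps[1], e), _dms_to_dd(gps[4], gps[3], e)
        pos += 2 + length
    return None


def strip_exif(jpeg: bytes) -> bytes:
    """Drop every APP1 segment, as platforms that discard metadata do on upload."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg):
        marker, length = struct.unpack(">HH", jpeg[pos:pos + 4])
        if marker == 0xFFDA:
            return bytes(out + jpeg[pos:])
        if marker != 0xFFE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out + jpeg[pos:])


if __name__ == "__main__":
    sample = make_sample_jpeg()
    print("original:", extract_gps(sample))
    print("after strip:", extract_gps(strip_exif(sample)))
```

Run against a real photo (`extract_gps(open("photo.jpg", "rb").read())`) the same walk applies; a `None` result usually means the file was re-encoded by a platform that removed the segment, which is exactly the check the privacy-policy advice above is about.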
Details in photo
As the saying goes, "the devil is in the detail". Simply paying attention can provide a wealth of information. A glimpse of a local store, a type of road or a license plate in a photo can be enough to find a location, and the tools above help you identify such elements.
Search by location (GEOINT)
It may seem surprising, but with the right methods it is indeed possible to trace a person's movements, discover their place of residence and understand their habits from location information they have unwittingly left behind, sometimes believing it was private.
Locating posts on social networks
On Twitter and Instagram, the location of a post can be displayed if the author has enabled the feature. Often used during vacations or special events by people seeking social recognition, this option lets them share where they are with their followers, and in doing so reveals a wealth of information, including places close to home.
If you're looking for photos taken by people in a certain area, for example to identify a location, there's a simple method for launching a search from GPS coordinates.
For Twitter, copy the GPS coordinates obtained from Google Maps into the Twitter search bar (remove the spaces), preceded by "geocode:", then add, separated by a comma, the search radius around the coordinates with its unit, for example geocode:48.8583,2.2944,1km. This returns the geotagged tweets published within that radius.
Many people are unaware that their Google reviews are public, and not only to someone who visits the business and reads the reviews posted there. Using the email address associated with the account and the Google API, a tool like Google Hunt lets you read, or deduce, a person's habits, place of residence and other aspects of their life from their reviews and what they mention in them.
Some application concepts are based on GPS tracking, as is the case with Strava, a social platform focused on tracking and sharing sporting activities. Users can record their journeys, evaluate their performance and share this data with the community.
This GPS information, publicly accessible on an individual's profile, can be used to determine the region or city in which he or she lives. It is even possible to find the home address of someone who starts or ends their activities at home.
Free OSINT training, CTF and games
The best way to master a skill is to practice it as often as possible. If you don't have a specific goal in mind, or simply want to practice and deepen your knowledge, here are a few exercises and games to get you practicing.
Some OSINT blogs worth reading:
Some OSINT podcasts to listen to:
Free OSINT tools
OSINT tools are not magic. Their purpose is simply to make repetitive tasks easier and faster. Depending on the situation, the data obtained and the type of target, you may find that none of the tools help and that you need to rely on your own methods.
Bootcamps are an effective option for acquiring OSINT skills, depending on your learning preferences. Some offer a choice between in-person and online formats. If you prefer to be guided by a structured program, bootcamps are an excellent option and are accessible to all skill levels.
Some of these programs involve experienced, well-known professionals who provide quality instruction. Bootcamps are obviously not free, but they offer a solid and comprehensive learning opportunity in Open Source Intelligence.
Become an OSINT expert
You now have everything you need to learn and progress in OSINT. Bear in mind that the methods and tools discussed in this article don't cover every possibility, since they vary from one situation to another. It's therefore crucial to do your own research and not limit yourself to what is presented here. Google is your friend.