Drull's blog

"The sky above the port was the color of television, tuned to a dead channel."

How to do OSINT - A brief introduction.

This is a collection of everything I have learned about OSINT from various resources over the internet. Be aware that some of the tools presented here may change or stop working with time, which is normal. The most important thing you should get out of this is to learn the methods used and be able to replicate them.

The goal of this guide is to show the path one should follow when doing research on a target. The guide is divided in different sections covering a wide range of topics. Each one of them has their own tools that I recommend and use.

This page will be updated with time as I find new resources and new tools. Happy hacking.

What is OSINT?

Open-source intelligence is the collection and analysis of data gathered from open sources (overt and publicly available sources) to produce actionable intelligence. OSINT is primarily used in national security, law enforcement, and business intelligence functions and is of value to analysts who use non-sensitive intelligence in answering classified unclassified, or proprietary intelligence requirements across the previous intelligence disciplines. Read more.

OSINT is the first phase of hacking.

Keeping your data safe

Before starting, it is important to make sure that your data is secure and that you won’t reveal your true identity. Ideally, we are not going to interact directly with our target, but it is always essential to stay secure.

Password managers

You want to keep the information you are collecting as private as possible. In order to do that, it is essential to use a password manager like Bitwarden.

Other tips:

️Secure email

Another significant step is to use a secure email provider that offers encryption, such as Protonmail.

Other tips:


Before backing up your data in the cloud, it is encouraged to encrypt it. For that, you can use Cryptomator.

Sock Puppets

A sock puppet is a fake identity you assume on the internet so that you don’t give out your real data. This should never link back to your true identity. Sock puppets should look real and be active online to look more legitimate.

You must generate a fake profile and add fake data to it. This data should be the same across all the sock puppets’ accounts. Remember: women are better at social engineering. Don’t use other people’s photos, because that could be easily reverse searched. You can use something like this person does not exist.


Now it’s time to talk about search engines and how to better utilize them. When we are searching for something on Google, for example, it is very common to find a bunch of irrelevant and messy results. When we are doing an OSINT investigation, it is important to filter the good results from the bad ones. That’s why we use something called search operators.

Search operators

There are a number of commands you can use to refine your search results.

Bonus: - Google alerts can alert you of new search results for what you are looking for. - Google Hacking Database can provide you a list of interesting combinations using search operators. - Dorksearch for faster google dorking.

For people

If you are looking for a specific person, a good way to start is to look for the person’s name on a search engine. If you want something more specific, you can go over to whitepages or truepeoplesearch, although these websites are more focused on the USA.

Other options: - ufind - officialUSA - fastpeoplesearch - fastbackgroundcheck - webmii - thatsthem - xlek aka cubib - blackbookonline - pipl - paid/personal information required - findagrave - ancestry

Family trees - FamilySearch - FamilyTree - Geni

For criminal records

For businesses

If you are doing OSINT on a business, the first place to look at is their website and social media, specially LinkedIn.

For websites

Some data you can extract from websites are: technologies used, IP addresses, who is hosting it, subdomains, etc…

Other options:

For phone numbers

For searching phone numbers, you can first look for them on Google and see what comes out. If you don’t get interesting results, try searching with hifens, area codes or even spell the numbers. Play with the syntax. Even a phone emoji 📱 can be useful.

Other options:

For birthdates

If you want to look for someone’s birthday, try looking for that on Google and use search operators. Twitter is a great place to look at.

For resumes

Google and other search engines can easily help you find resumes. Try looking for images and PDFs. You can also look for the person’s name on LinkedIn.

Other options:

For IoT and connected devices

You can find vulnerable IoT devices on shodan.io and find IP addresses, location, open vulnerable ports (such as 3389) and more.

For aircraft

Most aircraft can be tracked down due to the unencrypted data transmitted. Every aircraft has a unique serial number and there are websites capable of tracking them, such as radarbox

Other options:

For license plates

Social media

Social media can be a goldmine for OSINT researchers. It is incredible the amount of data someone can get from a specific person just by looking at their profile. When analyzing someone’s profile, try to look for everything you can. Photos, relatives, workplace, check-ins, friends, interests, etc…


Tweets from a person can be very revealing, and usually people put everything about their lives online.

For Twitter OSINT, there are tools that can help you with your investigation, but you should start playing with the search bar. Twitter has search operators that can be used to narrow down the results.

Besides the standard search operators, Twitter has some specific ones, such as:




You can even look for geocodes with a km range. All you need is the latitude and longitude.

A full list can be found here

Other options:


On Facebook, you can use the search bar and narrow down some results.

Some search operators are:

photos of Mark Zuckerberg

Other options:


Most of the Instagram OSINT is covered in the photos section, but there are some tools that can be used.

Other options:


When investigating YouTube videos, it is useful to do some reverse image search on the content we are watching. In order to do that, we can use some tools like the citizen evidence amnesty usa website to pull extra data from the video and get thumbnails to search.


Reddit is a popular place on the internet where a lot of people post a wide range of different topics.


Snapchat has a map. You can look for snaps in a certain area.


LinkedIn is an awesome place to look for connections and work information of someone.


If everything you have from your target is a picture, extract everything you can from it. Is it a car picture? Does it have a plate? What’s the side of the steering wheel? What are the surroundings?

You can look for the image source by using a search engine that has a reverse image search feature, such as Google image search and Yandex.

Other options:

EXIF data

EXIF data is metadata that can be viewed from an image. It can reveal location, device used to take the picture, time and more.

You can use tools such as metagoofil to harvest data from different files.

Other options:


Deepfakes are gaining popularity quick, and they can be used in a bunch of different ways. As they get more real, spotting them becomes harder, so there are tools out there to help us detect deep fakes, such as deepware.

Physical locations

A lot of what was learned in the images section can be applied for physical location osint. You can view the area online and look for strategical spots that might be interesting to you.

Satellite images

You should check satellite photos of the location and absorb all you can about the place. Entrances, parking lots, employees and their dress code, badge readers, security, cameras… everything is important.

Credentials discovery

Data breaches are a great resource to use in order to find data breaches. It’s impossible to link them here for obvious reasons, you can look for magnet links on btdigg, btmet and for pastebins on psbdmp and similar websites.


whatsmyname and Namechk are good tools to see where a username is being used, and its accounts tied to it.

Other options:


Have I been pwned is a good place to look for emails that have been found in data breaches.

Other options:


When we are talking about passwords in OSINT, we are talking about finding breached credentials.

Real state

When investigating real state, there are some tools that can help us get access to public records, information on who is selling it, etc…

Some websites are: redfin, zillow and biggerpockets. Note that not every house is going to be available on those websites for you to check, but it can be useful in a few cases.

Deep web

Take caution when accessing websites in the deep web. Never reveal your true identity or use the same email to create accounts.

The deep web has a lot of websites that can help you find data breaches and other information that is not indexed in the surface web.


OSINT frameworks are basically a collection of tools in one place. Some of them are:

Report writing

You should write an easy-to-read report containing the information that you found about the target and the steps necessary to get to them. Good reports use a non-technical language should be accessible to anyone.