Open-Source Intelligence (OSINT) in 5 Hours - Full Course - Learn OSINT!

The Cyber Mentor · 2026-05-22

A methodology-first introduction to OSINT covering the full collection phase of the intelligence life cycle — from sock puppets and search engine operators through breach data, username tracking, people search, and social media investigation. Core message: tools break and websites disappear, but the investigative methodology endures.

Key Concepts

| Concept | Definition |
| --- | --- |
| OSINT (Open Source Intelligence) | gathering publicly available information on people, organizations, or topics using systematic methods |
| Intelligence Life Cycle | Planning → Collection → Processing → Analysis/Production → Dissemination; iterative, not strictly linear |
| Sock Puppet | a fake online persona used to conduct research without revealing the investigator's identity |
| Exif Data | metadata embedded in image files that can include GPS coordinates, device type, and timestamp |
| Credential Stuffing | using breached username/password pairs to attempt logins on other services |
| Password Spraying | testing one common password against many accounts |
| Graph Searching | (largely deprecated) Facebook's former ability to search relationships between users and content |
| Geofencing/Geocode search | filtering social media posts by GPS coordinates and radius |
| OPSEC (Operational Security) | practices that prevent an investigator from being identified or alerting the subject |

Notes

Ethical and Legal Disclaimer

  • All techniques should only be used with explicit permission or on yourself
  • OSINT can be weaponized; treat it as a dual-use capability
  • Methodology matters more than any specific tool — sites go down, methods persist

Intelligence Life Cycle

  • **Planning & Direction**: define who/what/when/where/why
  • **Collection**: bulk of this course; systematic data gathering
  • **Processing**: interpreting raw data
  • **Analysis & Production**: connecting data points, building a narrative
  • **Dissemination**: presenting findings to the client or authority
  • The cycle is non-linear — expect to loop back repeatedly

Note-Taking Tools

  • **KeepNote**: older but functional; hierarchical tree structure; Windows/Linux/Mac
  • **CherryTree**: effectively the updated KeepNote
  • **Notion**: cloud-based, shareable, good template support
  • **Obsidian / Joplin**: well-regarded alternatives
  • **OneNote**: solid if already in the Microsoft ecosystem
  • **Greenshot** (Windows) / **Flameshot** (Linux/Mac): screenshot tools with annotation and obfuscation features
  • Recommended workflow: screenshot + annotate → paste directly into notebook

Sock Puppets

  • Purpose: conduct investigations without attribution back to the real investigator
  • Two types: fully-built believable persona vs. a known-fake-but-respected pseudonymous account
  • Key creation steps:
      • Generate a fake identity at **fakepersonname.com** or similar
      • Generate a synthetic AI face at **thispersondoesnotexist.com** (not reversible by image search)
      • Use **Privacy.com** virtual credit cards to avoid financial attribution
      • Acquire a burner phone + Mint Mobile SIM for phone verification; immediately migrate verification to Google Voice, then discard SIM
      • Use a dedicated device never logged into personal accounts
      • Use a VPN matched to the persona's claimed location, or a mobile hotspot
  • Critical failure mode: logging into a sock Facebook account from a personal phone — it immediately syncs contacts and exposes connections
  • Build account history before using it for investigation

Search Engine OSINT

  • **Preferred engine**: Google; Bing and DuckDuckGo produce noisier results for people searches; Yandex preferred for image searching
  • **Core operators** (work across most engines):
      • `"exact phrase"` — forces exact match
      • `site:domain.com` — restrict to a specific domain
      • `-word` — exclude a term
      • `filetype:pdf` / `filetype:xlsx` — filter by file format
      • `intitle:word` — word must appear in page title
      • `inurl:word` — word must appear in URL
      • `intext:word` — word must appear in body text
      • `*` — wildcard for unknown terms
      • `AND` / `OR` — boolean logic
  • **Useful compound queries**:
      • `password filetype:xlsx site:target.com` — hunt for exposed credentials
      • `site:target.com -www` — enumerate subdomains
      • `"target name" -unwanted_term` — exclude noise
  • **Google Advanced Search** (google.com/advanced_search): GUI version of all operators; also includes language, region, time range, and file-format filters
  • **Time filter**: Tools → time range; useful for finding recent activity
  • **Cached results**: accessible via Google; can reveal deleted content

Image OSINT

  • Use multiple engines — each indexes differently:
      • **Google Images** (images.google.com): best for finding exact matches
      • **Yandex Images**: best for finding *similar* images and alternate photos of the same person; useful for missing persons
      • **TinEye** (tineye.com): can surface pages that don't appear in Google
  • Drag-and-drop or upload the image directly
  • Practical use: verify if a profile photo is stolen (catfishing, fake sock accounts)
  • Tool: **Jeffrey's Image Metadata Viewer** (exif.regex.info)
  • Key fields to extract: GPS latitude/longitude, device make/model, date/time taken
  • GPS coordinates → paste into Google Maps → exact location
  • Modern platforms (Twitter, Facebook, Instagram) strip Exif on upload; photos sent directly (e.g., in fraud cases) often retain it
  • Still operationally relevant as of course recording
  • **Google Maps satellite view**: assess building layout, parking, access points, guard positions, employee behavior
  • **Street View**: identify badge readers, door locations, dress codes, smoking areas (common social engineering entry points)
  • Drone reconnaissance complements satellite imagery for current state
  • For investigations: identify road access, remoteness, and discretion of approach routes
  • Look for: license plate format, steering wheel side, road markings, architecture, language on signs, vegetation, weather clues
  • Resource: long-form GeoGuessr strategy blog (linked in course) covering road markings by country, sign styles, driving-side conventions
  • Tool: **GeoGuessr** (one free play/day; free 2D map version available) — practice identifying locations from visual cues
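
Added example (not from the course): a standard-library Python check for the Exif point above, useful for auditing your own photos before you send or publish them. It reads the GPS tags from a JPEG's Exif segment, converts degrees/minutes/seconds to the decimal form a map accepts, and removes the Exif segment; the function names and the pixel-less sample image are constructed for illustration.

```python
import struct

def segments(jpeg):
    """Yield (start, end, is_exif) for each header segment before SOS/EOI."""
    pos = 2                                           # skip SOI (FF D8)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xDA, 0xD9):
        end = pos + 2 + struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        yield pos, end, jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\x00\x00"
        pos = end

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from Exif GPS tags, or None."""
    tiff = next((jpeg[s + 10:e] for s, e, exif in segments(jpeg) if exif), None)
    if tiff is None:
        return None
    bo = "<" if tiff[:2] == b"II" else ">"            # TIFF byte-order mark
    u32 = lambda b: struct.unpack(bo + "I", b)[0]
    def ifd(off):                                     # tag -> 4-byte value/offset field
        n = struct.unpack(bo + "H", tiff[off:off + 2])[0]
        return {struct.unpack(bo + "H", tiff[p:p + 2])[0]: tiff[p + 8:p + 12]
                for p in range(off + 2, off + 2 + 12 * n, 12)}
    ifd0 = ifd(u32(tiff[4:8]))
    gps = ifd(u32(ifd0[0x8825])) if 0x8825 in ifd0 else {}   # 0x8825 = GPSInfo IFD pointer
    if not gps.keys() >= {1, 2, 3, 4}:                # lat ref, lat, lon ref, lon
        return None
    def degrees(tag, ref_tag, negative):              # value = 3 rationals: deg, min, sec
        v = struct.unpack(bo + "6I", tiff[u32(gps[tag]):][:24])
        d = v[0] / v[1] + v[2] / v[3] / 60 + v[4] / v[5] / 3600
        return round(-d if gps[ref_tag][:1] == negative else d, 6)
    return degrees(2, 1, b"S"), degrees(4, 3, b"W")

def strip_exif(jpeg):
    """Return the JPEG with every Exif APP1 segment removed, the rest untouched."""
    segs = list(segments(jpeg))
    body = b"".join(jpeg[s:e] for s, e, exif in segs if not exif)
    return jpeg[:2] + body + jpeg[(segs[-1][1] if segs else 2):]

def sample_jpeg():
    """Constructed sample: SOI + Exif APP1 tagged 34.05 N, 118.24 W + EOI, no pixels."""
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI4s", tag, typ, cnt, val)
    ptr = lambda off: struct.pack("<I", off)
    rat = lambda d, m, s: struct.pack("<6I", d, 1, m, 1, s, 1)
    tiff = (b"II*\x00" + ptr(8)                                           # header, IFD0 at 8
            + struct.pack("<H", 1) + ent(0x8825, 4, 1, ptr(26)) + bytes(4)  # IFD0
            + struct.pack("<H", 4) + ent(1, 2, 2, b"N") + ent(2, 5, 3, ptr(80))
            + ent(3, 2, 2, b"W") + ent(4, 5, 3, ptr(104)) + bytes(4)      # GPS IFD at 26
            + rat(34, 3, 0) + rat(118, 14, 24))                           # values at 80, 104
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

For a real file, pass `open(path, "rb").read()` to `exif_gps`; truncated or malformed Exif can raise `struct.error` instead of returning `None`.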

Email OSINT

  • **Hunter.io**: identifies email format for a domain (e.g., `f.lastname@company.com`); lists known addresses; ~100 free searches/month
  • **Phonebook.cz**: bulk email lookup by domain; good for harvesting large lists
  • **Clearbit Connect** (Chrome extension): searches by company + role; reveals format and LinkedIn; ~100 free searches/month
  • **Voila Norbert**: similar to Hunter
  • Workflow: Google the target person/role → confirm name → use Hunter/Phonebook to identify format → guess address → verify
  • **Email Hippo** (tools.verifyemailaddress.io): returns good/bad/unknown
  • **Email Checker** (emailchecker.net): similar validation
  • Caveat: false positives exist; use as corroborating signal, not definitive proof
  • Entering an email on a login page and clicking "Forgot Password" can reveal:
      • Whether the account exists (page advances vs. rejects)
      • A partially masked recovery email or phone number
  • **Risk**: triggers a notification to the account owner — use only on test/sock accounts, never on a live investigation subject
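
Added example (not from the course; all names and sample data are constructed): the forgot-password behaviour above seen from the service side. `reset_leaky` reproduces the two signals the notes list, `reset_uniform` returns one response for every identifier, and `is_oracle` is a check you can run against your own handler.

```python
import secrets

USERS = {"alice@example.com": "a.backup@example.net"}   # constructed: login -> recovery address
OUTBOX = []                                             # stands in for the outbound mail queue
GENERIC = {"status": 200, "message": "If the account exists, a reset link was sent."}

def mask(addr):
    """Partially masked address, as a leaky recovery page displays it."""
    name, domain = addr.split("@")
    return name[0] + "***@" + domain

def reset_leaky(identifier):
    """Behaviour described in the notes: the response depends on account state."""
    recovery = USERS.get(identifier.strip().lower())
    if recovery is None:
        return {"status": 404, "message": "No account found."}
    return {"status": 200, "message": "Code sent to " + mask(recovery)}

def reset_uniform(identifier):
    """Identical response for every identifier; the link goes out of band only."""
    recovery = USERS.get(identifier.strip().lower())
    token = secrets.token_urlsafe(32)       # created on both paths so the work is similar
    if recovery is not None:
        OUTBOX.append((recovery, token))
    return dict(GENERIC)

def is_oracle(handler, known, unknown):
    """True if the handler's responses let a caller tell the two identifiers apart."""
    return handler(known) != handler(unknown)
```

Response bodies are only one signal; a production handler also needs comparable response times on both paths and rate limiting per client.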

Password / Breach Credential OSINT

  • Goal: find breached credentials tied to a target; identify password patterns; link accounts across services
  • Think of it as "red yarn" — each data point connects to others
  • Patterns to look for: repeated passwords, slight variations (e.g., `Summer2020!` → `Summer2021!`), shared hashes linking two accounts
  • **HaveIBeenPwned** (haveibeenpwned.com): free; shows which breaches an email appeared in; no passwords revealed; supports domain monitoring alerts
  • **Dehashed** (dehashed.com): paid (~$5/week, ~$150/year); most comprehensive; search by email, username, IP, name, address, phone, hash; returns plaintext or hashed passwords
  • **Scylla.sh**: free, partial database; searchable by email, domain, password; good for quick checks
  • **WeLeakInfo / LeakCheck / Snusbase**: paid alternatives to Dehashed
  • **Hashes.org**: attempt to reverse (crack) a hash to plaintext

Username OSINT

  • **Namecheckr.com**, **Knowem.com**, **Namecheckup.com**: scan dozens of platforms simultaneously; show where a username is taken vs. available
  • Treat "taken" as "account exists there" — verify manually
  • Export results to CSV/PDF for documentation
  • Many apps reveal user existence (or full name) on login attempt or slow-type search (e.g., Snapchat's autocomplete)
  • **Kik** (`kik.me/username`): often shows display name and profile picture — can be reverse-image-searched
  • **Snapchat**: login attempt reveals "cannot find user" vs. valid account
  • Don't overlook adult platforms if the investigation warrants it
  • Comment and post history can inadvertently disclose location, employer, education, habits
  • Even anonymous accounts leak identity through accumulated detail
  • Search Reddit via Google: `"target term" site:reddit.com`
  • Sort by new/hot/top to find time-relevant posts

People Search OSINT (US-Focused)

  • **Whitepages.com** / **TruePeopleSearch.com**: best free people-search engines; provide name, address, age, relatives, phone
  • **FastPeopleSearch**, **FastBackgroundChecks**, **Spokeo**, **411.com**, **PeopleFinder**, **That'sThem**: similar; results vary
  • **WebMii**: aggregates web mentions, images, social profiles for a person
  • Caveats: some data is outdated or wrong; verify any finding before relying on it
  • All support reverse phone and reverse address lookup
  • **VoterRecords.com**: searches public voter data for states that publish it
  • Returns: registered address, party, race, gender, county, registration date, active/inactive status
  • Highly reliable for current or recent address of a registered voter

Phone Number OSINT

  • Start with Google: search the number with and without hyphens; try quoted strings; try spelled-out digits (used to evade bots on Craigslist-style posts)
  • **Whitepages.com** reverse phone: often more accurate than Google alone
  • **TrueCaller** (truecaller.com): crowd-sourced caller ID; reveals name if stored in another user's contacts; log in with a throwaway account — it uploads *your* contacts
  • **CallerID Test**: quick name lookup; 5 free searches/day; clear cache/use incognito to extend
  • **Infobel.com**: international phone lookup by country
  • Forgot-password technique: enter phone on account recovery to get partial email confirmation (bidirectional linking)

Birth Date OSINT

  • People-search engines often include age/birth year
  • Google search: `"target name" birthday` or `intext:birthday site:twitter.com`
  • Look for birthday congratulation tweets/posts addressed to the target
  • Facebook and LinkedIn sometimes display birthdays publicly by default — check and remove your own if unwanted

Resume / Professional Profile OSINT

  • Search: `"target name" resume filetype:pdf` or `filetype:doc`
  • Check `site:docs.google.com`, `site:drive.google.com`, `site:scribd.com`
  • LinkedIn via Google: `"target name" site:linkedin.com`
  • Resumes can disclose: current employer, address, phone, email, certifications, timeline of employment

Social Media OSINT

  • **Search operators**:
      • `from:username` — all tweets by a user
      • `to:username` — tweets sent to a user
      • `@username` — mentions of a user
      • `"exact phrase"` — phrase search
      • `since:YYYY-MM-DD until:YYYY-MM-DD` — date range
      • `geocode:lat,lng,radius` — tweets from a geographic area (e.g., `geocode:34.05,-118.24,10km`)
  • **Advanced Search**: twitter.com/search-advanced — GUI for all operators
  • **TweetDeck**: real-time multi-column monitoring; combine search operators in columns; track users, hashtags, geolocations simultaneously
  • **Analytics tools**:
      • **SocialBearing.com**: sentiment, hashtag history, tweet sources (reveals OS/apps used), top interactions
      • **TwimExplore / Twitonomy**: similar analytics, interaction maps
      • **MentionMapp**: visual graph of interactions and hashtags
      • **TweetBeaver**: convert username↔ID (ID persists through username changes); download tweet history; find conversations between two users
      • **Spoonbill.io**: tracks all profile changes over time (bio, name, pinned tweet, website)
      • **Sleeping Time**: infers sleep schedule from tweet timing
      • **TinfoLeak**: leak/analytics report; shows apps used, hashtags, mentions
  • Graph search largely deprecated; cat-and-mouse game with Facebook's privacy updates
  • Profile URL: `facebook.com/username` — right-click page source, Ctrl+F `user_id` to find numeric ID (persists through username changes)
  • Search: People → filter by education, workplace, city to narrow results
  • Search `photos of [person]` to find tagged photos not on their own profile — reveals associates and historical locations
  • **IntelX.io** and **Sowdust search tools**: Facebook-specific search interfaces using entity ID
  • Look at: About, Photos, Check-ins, Friends, Likes, Recommendations given/received
  • `instagram.com/username` for public profiles
  • Right-click profile picture → open in new tab → full-size for reverse image search
  • **InstaDp.com** (`instadp.com/profile/username`): download full-size profile picture
  • **ImgInn.com** (`imginn.com/username`): browse and download posts
  • Find numeric user ID for tracking through username changes
  • Use `site:instagram.com "target name"` in Google to find cached or cross-referenced content
  • Username enumeration via login attempt
  • **Snap Map** (`map.snapchat.com`): publicly posted Snaps plotted on a live map; filter by location to find content from a specific area
  • Post and comment history is the primary intelligence source
  • Search within a user's profile for location, employer, hobby, and personal detail slips
  • Best accessed via Google with `site:reddit.com`
  • Contact Info section may expose phone, email, birth date
  • Activity tab shows recent posts even on otherwise restricted profiles
  • Company page reveals team members, headcount, office location
  • Connections list (if visible) maps professional relationships
  • Recommendations show direct working relationships (named and described)
  • LinkedIn Lion (LION) open networkers: connect to expand your network reach; don't mass-request unknowns or risk account restriction
  • Public videos and profile accessible at `tiktok.com/@username`
  • Profile picture: right-click → open in new tab → reverse image search
  • Historical data from the Musical.ly era (predecessor app) may still surface via Google cache
  • Likes and following lists may be visible; use as relationship mapping

Actionable Takeaways

  1. **Adopt a note-taking system before starting any OSINT work** — choose one tool (CherryTree, Notion, etc.) and use it consistently with screenshots and source citations
  2. **Search yourself first** — use every technique in this course on your own name, email, phone, and usernames to understand your exposure before investigating others
  3. **Create a sock puppet** — even a basic one, following the persona-generation