OSINT Investigations

December 8, 2016 | Views: 10892

Begin Learning Cyber Security for FREE Now!

FREE REGISTRATIONAlready a Member Login Here

I am sure many people that use OSINT are aware of these tools and links; however, information, and acquiring that information from all sources, is relevant and should never be overlooked. Hopefully, this will come in handy for OSINT investigations.

I have listed some resources that are known within the hacker community in acquiring information on many entities, this includes all aspects of people and companies from email searches, username searches, phrases, phone numbers and even pictures.

Many of the resources are free however some do charge an access fee for a more thorough search. I am unable to suggest which of these services are worth the money as I have never paid for a resource as the information is out there somewhere and just needs to be found

  1. Understanding who owns a domain is very easy online, however sometimes a domain is protected by cloud flare, this can stop and investigation in its tracks very quickly. Without waiting time for policy and emails from a web hoster one is able to sometimes be able to get around Cloudflare and get the correct IP address with some handy online tools. These are: https://dnsdumpster.com/ and http://www.crimeflare.com/cfs.html
  2. One of the BEST Free DNS lookup tools on the internet: The NSA uses this. https://www.robtex.com/
    another noteworthy DNS tool to use is http://serversniff.net.w3snoop.com/ besides this the only one that comes to mind that will probably already be in your arsenal is http://whois.domaintools.com/
  3. Social networks can be used to find family relations however moose roots can be found to do the same thing without letting on that someone has looked at your profile. They are also good to find password reset questions. http://birth-records.mooseroots.com/ and http://marriage-divorce-records.mooseroots.com/ This one is good to be able to find sub-sites. http://www.mooseroots.com
    Another good site to mention is https://www.advancedbackgroundchecks.com/ this is great for background checks and a good resource to find a person’s location if one has a vague idea of where someone lives. https://www.advancedbackgroundchecks.com/
  4. While this site links off to other sites (some requiring money) it does give some good information. This is has gone downhill of late and is not as good as it once was, still worth mentioning though http://www.peekyou.com.
  5. Search for emails, names, usernames here: http://com.lullar.com/ Not as many of results returned as other sites. Though, in saying that, there are not as many links to commercial sites either.
  6. One of my personal favorites! http://checkusernames.com/ Not meant for profiling but works well for the task. Able to find a specific username on many sites. From there you are able to look at the profile that has taken the username. Saves time in checking out accounts on each site.
  7. This one is similar to the above website but claims to check over 500 sites instead. Probably a good paid site http://knowem.com/ this is beyond my financial capacity I have never used it but I understand from others that it is very useful.
  8. This was once a Spock “Single Point of Contact by Keyword). This has changed over the years and isn’t as good anymore. It changed when it was bought out by a company named Intelius. You are able to search; name, phone, email and screen name. Unfortunately only for US data and is now commercial. http://www.zabasearch.com/
  9. Able to search name, email, username and phone. Results can be noisy not to mention the links to paid sites. Can be a nice starting point to lead to other areas. https://pipl.com/
  10. This one is very similar to the above website good for footprinting: http://www.123people.com/ links that are given are for some paid and some not. I am unable to evaluate any of the commercial sites as I find it more of a challenge to find the information without paying.
  11. This one can be a bit of a tart or information tease. It gives some good results but most are for commercial sites. It is a good starting point to lead to other quires. http://www.spokeo.com/
  12. Search people by name or keyword. You’re able to use this as a username search as well I have found. http://webmii.com/
  13. Good to find where someone works. Much of the information is from LinkedIn or Indeed.com http://www.zoominfo.com/
  14. A picture finding website, this is good in finding duplicate pictures of a profile account to see it’s been stolen from another account or to be able to link the picture to other websites. http://tineye.com/
  15. Sometimes people upload documents or pictures but remove them. This site might help to find deleted info. http://www.archive.org/web/web.php
  16. This is the hacker search engine without going onto the deep web this is available for the surface users: https://www.shodan.io/
  17. Great site for a multitude of reasons. Online networking tools including a port forward tester phone number geolocator reverse email look-up and more. http://www.yougetsignal.com/
  18. Add-ons for Firefox can be very valuable. One, in particular, that I would name is Passive Recon: https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
  19. Another favorite of mine is http://www.yougetsignal.com/ go check it out! Many tools are available.
  20. Number one in my books Maltego: https://www.paterva.com/web7/index.php
  21. A paid version of the above is https://www.palantir.com/
  22. This one is pretty good too, should be in any OSINT investigators tool list: http://dradisframework.org/
  23. Linux tools: Metagoofil is great OSINT information gathering tools. Able to extract metadata from a target. Able to extract MAC address. This gives an attacker an idea of the hardware used in the network. Can be used to guess the type of OS running and the network names. It is also good at extracting network path information which can be used to map the network. Brute force is an available function with this tool. http://www.edge-security.com/metagoofil.php
  24. Google hacking database. OSINT is not complete without some google hacking. This helps in understanding Dorks and search quires while helping find information on google. https://www.exploit-db.com/google-hacking-database/
  25. FOCA is also a good network infrastructure mapping tool and can be used for OSINT. http://null-byte.wonderhowto.com/how-to/hack-like-pro-extract-metadata-from-websites-using-foca-for-windows-0155076/
  26. Social Engineer Toolkit. Tool for as you can see…social engineering. Includes spear phishing and web attack vectors. Can work with Metasploit: http://www.social-engineer.org/framework/se-tools/computer-based/social-engineer-toolkit-set/
  27. This tool allows us to gather the geolocation that is related to information about users from social networking platforms. http://www.geocreepy.com/
  28. This automates recon from, Linkedin, Jigsaw, Shodan and others. Good Linux tool https://bitbucket.org/LaNMaSteR53/recon-ng

*Others would argue that GREP, the Linux command, is better than all of these combined! I; however, wouldn’t go that far. It is very useful, though.

All the tools mentioned should get you off to a good start. Bookmark the sites! Trust me they will come in handy in some way or another. Please be good with this information. With great knowledge comes great responsibility! (Insert other cheesy movie quotes about responsibility) :p

A good hacker and researcher understand the following: Don’t be lame and use them for malicious activities. Or I WILL find you and make an example out of you!
Ok maybe over the top a little, but be responsible and don’t use it to DOX!

Share with Friends
Use Cybytes and
Tip the Author!
Share with Friends
Ready to share your knowledge and expertise?
  1. Odd inquiry but know of anything regarding license plate validation, etc? Other than that, great article and thank you for sharing the information.

    • Hi SAWYERG 🙂 Validation as in if the car is registered? Yes. I am unable to provide details of “who” the car would be registered to. However there are some good programs that may be available in your country or state. These give the registration dates,the expiry and when it was registered, VIN, type and model of the car. For instance in Australia there are apps created for the specific states from the government body transport department. These are called “QLD Rego Check”, “NSW Rego Check”. Have a search within the app store for “Rego Check” If you havnt got an android phone. “Bluestacks” can be used as an emulator for PC and works great. Let me know if you need any more help. Thanks for reading mate!

  2. Very Great First Time I read this type of Information.

  3. Thank you for the list. Do you have any recommendation on a tool to store all this information? Perhaps inside Maltego or use Alienvault or EclectiqIQ?

    • EclecticIQ, typo

    • Hi Adam thanks for reading. With threat intelligence data it all depends on how secure you need to be and what other, if any, other services that are required. Here’s a link that may help in deciding a SIEM http://searchsecurity.techtarget.com/feature/Comparing-the-best-SIEM-systems-on-the-market
      Both of the ones you have mentioned are very good, they are both able to more accurately and efficiently make useful analysis of cyber threats. In saying that… out of the two you’ve mentioned I would more lean towards Alien Vault. Another to consider is LogRhythm.

      If I have misunderstood your question please let me know.

      • Thanks for your reply. I am still searching for a way to store a lot of information regarding targets (using Stix and Taxii). SIEM solutions are a bit different than Threat Intelligence platforms (in a SIEM data comes from ‘within’ (eg log data) while I am interested in data from the ‘outside (eg info on crime groups from Kaspersky) but I am still searching for a proper piece of software to store it all, be able to correlate data, hook into theat intel sources, etc to get one large coherent view of the investigated threat.

        • Not an easy one that hehe. The only thing that I’ve came across myself is CybOX and then I’m not entirely sure if that’s what you’re after. I’ll contact some friends on IRC and some FB groups and see what they come up with. If not, then it seems there is a good niche for a nice piece of software for devs to code 🙂 I’ll get back to you.

        • Ok excuse my ignorance, I’ll be honest with you, this is beyond my understanding. Though you’ve made me curios on what you’re actually asking. From your first comment Maltego as I see your question would probably be your best bet, that is if I actually understand what your saying lmao A friend has given me this link https://www.splunk.com/ Not sure if that would help. Another place that I found while researching your queiry is https://github.com/hslatman/awesome-threat-intelligence. Perhaps I will get some more info later. If I do I’ll make sure to let you know.

  4. Thanks for the good article. There where a few links on them who are new to me.

  5. Nice article and good compilation of these tools.
    well job done!

Page 1 of 212»
Comment on This

You must be logged in to post a comment.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Support Cybrary

Donate Here to Get This Month's Donor Badge


We recommend always using caution when following any link

Are you sure you want to continue?