OSINT Investigation Methodology
Every investigation should follow a repeatable process. This methodology is based on industry best practices used by professional investigators.
📋 Phase 1 — Planning
- Define the investigation objective clearly
- Identify the target: person, company, domain, IP, username
- Establish legal authorization and scope
- Document starting information (seed data)
- Set up a clean, isolated investigation environment
- Create a case management structure
🔍 Phase 2 — Passive Recon
- Google/Bing advanced search (dorks)
- Social media profile enumeration
- WHOIS & DNS record lookups
- Certificate transparency logs (crt.sh)
- Wayback Machine / archive.ph
- Paste site searches (Pastebin, IntelX)
- Data breach checks (HIBP, Dehashed)
📡 Phase 3 — Active Recon
Active steps send traffic to the target's own infrastructure (or to resolvers for its names) and must stay inside the scope authorized in Phase 1. Shodan/Censys searches are listed here for convenience, but the search itself is passive: it reads someone else's scan data and never touches the target.
- SpiderFoot automated scanning (restrict it to passive modules if active testing is not authorized)
- Shodan / Censys device searches
- Subdomain enumeration (Amass, Subfinder)
- DNS brute-forcing
- Email harvesting (theHarvester)
🔗 Phase 4 — Analysis
- Build a link diagram (Maltego, CaseFile)
- Cross-correlate usernames, emails, handles
- Timeline analysis of posts & activity
- Geolocation of photos/videos
- Network mapping (ASN, IP ranges)
- Identify aliases & alternate accounts
✅ Phase 5 — Verification
- Cross-check every finding against 2+ sources
- Reverse image search profile photos
- Confirm geo-matches with satellite imagery
- Validate emails with verification tools
- Check for date manipulation in images
📝 Phase 6 — Documentation
- Take timestamped screenshots (Hunchly)
- Archive URLs with archive.ph
- Maintain a chain of custody log
- Write findings in clear, factual language
- Generate structured HTML/PDF report
Google Dorking — Complete Guide
Google Dorks are powerful search operators. Never use them to access systems or data without authorization. This guide is for investigative and defensive security purposes only.
| Operator | Description | Example |
|---|---|---|
| site: | Restrict results to a domain | site:example.com filetype:pdf |
| intitle: | Search in page title | intitle:"index of" passwords |
| inurl: | Search in page URL | inurl:admin site:example.com |
| intext: | Search in page body text | intext:"api_key" site:example.com |
| filetype: | Filter by file extension | filetype:sql site:example.com |
| ext: | Alias for filetype: | ext:env "DB_PASSWORD" |
| cache: | View Google's cached copy (retired by Google in 2024; use the Wayback Machine instead) | cache:example.com |
| link: | Find pages linking to a URL (deprecated by Google in 2017; results are incomplete) | link:example.com |
| related: | Find similar sites | related:example.com |
| info: | Google summary of a URL (deprecated; now returns an ordinary result) | info:example.com |
| numrange: | Number range search (also written with two dots) | numrange:1000-2000 or 1000..2000 |
| before: / after: | Filter by date (YYYY-MM-DD) | site:example.com after:2023-01-01 |
| - | Exclude a term or operator | example.com -site:example.com |
| "quotes" | Exact phrase match | "John Smith" "New York" |
| OR / \| | Either term | site:gov OR site:mil filetype:pdf |
| * | Wildcard for one or more words inside a phrase | "password is *" |
🧰 Useful Dork Combinations
# Find exposed config files
site:example.com ext:env OR ext:cfg OR ext:conf
# Search company employees on LinkedIn
site:linkedin.com/in intitle:"Example Corp"
# Find exposed Elasticsearch / Kibana
intitle:"kibana" inurl:":5601"
# Public Trello boards with sensitive data
site:trello.com intext:"password"
# Find email lists
site:example.com filetype:xls intext:"email"
# VPN/RDP portals
intitle:"Citrix Gateway" site:example.com
Image Analysis & Geolocation (GEOINT)
🔍 Reverse Image Search Workflow
- Start with Google Images for broad coverage
- Use Yandex Images for best face recognition
- Run through TinEye for exact duplicates
- Try PimEyes for face-only searches
- Check Bing Images for different index
- Always try the image URL and upload separately
- Crop faces/objects and search them individually
📷 EXIF Metadata Extraction
- Run ExifTool on any downloaded image
- Look for GPS coordinates (lat/long/altitude)
- Check device make/model for profiling
- Note date/time: DateTimeOriginal is the camera's local clock; OffsetTimeOriginal (when the device wrote it) gives the UTC offset, otherwise the zone has to be inferred
- Software tag reveals editing history
- Note: most social platforms strip EXIF on upload, so metadata is only recoverable from originals (email attachments, direct downloads, leaked archives)
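The EXIF steps above leave two chores to the analyst: converting ExifTool's degrees/minutes/seconds strings into decimal coordinates, and turning the camera's local timestamp into UTC. The following Python is an added example for this page (not part of ExifTool) that does both on the default human-readable JSON that `exiftool -j image.jpg` emits. The ExifTool record is a constructed sample, and `summarize`, `dms_to_decimal` and `exif_time_to_utc` are names chosen here.

```python
"""Pull the investigator-relevant fields out of `exiftool -j` output.

Added example for this page, not part of ExifTool. It works on ExifTool's
default JSON (human-readable values), so GPS fields arrive as DMS strings
such as 48 deg 51' 29.60" N and must be converted before they can be mapped.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `exiftool -j IMG_2041.jpg` (ExifTool emits one object per file).
SAMPLE_EXIFTOOL_JSON = r'''[{
  "SourceFile": "IMG_2041.jpg",
  "Make": "Apple",
  "Model": "iPhone 13",
  "Software": "Adobe Photoshop 25.0 (Windows)",
  "DateTimeOriginal": "2024:03:15 14:32:07",
  "OffsetTimeOriginal": "+02:00",
  "GPSLatitude": "48 deg 51' 29.60\" N",
  "GPSLongitude": "2 deg 17' 40.20\" E",
  "GPSAltitude": "35 m Above Sea Level"
}]'''

DMS_RE = re.compile(r"^\s*(\d+) deg (\d+)' ([\d.]+)\" ([NSEW])\s*$")


def dms_to_decimal(value):
    """'48 deg 51' 29.60" N' -> 48.858222; S and W references become negative."""
    m = DMS_RE.match(value)
    if not m:
        raise ValueError(f"not an ExifTool DMS string: {value!r}")
    deg, minutes, seconds, ref = m.groups()
    decimal = int(deg) + int(minutes) / 60 + float(seconds) / 3600
    return -decimal if ref in "SW" else decimal


def exif_time_to_utc(date_time_original, offset=None):
    """DateTimeOriginal is the camera's local clock; only OffsetTimeOriginal
    says which zone. Returns an aware UTC datetime, or None if the offset is unknown."""
    local = datetime.strptime(date_time_original, "%Y:%m:%d %H:%M:%S")
    if not offset:
        return None
    sign = -1 if offset.startswith("-") else 1
    hours, minutes = offset[1:].split(":")
    tz = timezone(sign * timedelta(hours=int(hours), minutes=int(minutes)))
    return local.replace(tzinfo=tz).astimezone(timezone.utc)


def summarize(tags):
    """Condense one ExifTool record into the fields an analyst acts on."""
    lat = dms_to_decimal(tags["GPSLatitude"]) if "GPSLatitude" in tags else None
    lon = dms_to_decimal(tags["GPSLongitude"]) if "GPSLongitude" in tags else None
    utc = None
    if "DateTimeOriginal" in tags:
        utc = exif_time_to_utc(tags["DateTimeOriginal"], tags.get("OffsetTimeOriginal"))
    return {
        "file": tags.get("SourceFile"),
        "lat": round(lat, 6) if lat is not None else None,
        "lon": round(lon, 6) if lon is not None else None,
        "taken_local": tags.get("DateTimeOriginal"),
        "taken_utc": utc.isoformat() if utc else None,
        "device": " ".join(t for t in (tags.get("Make"), tags.get("Model")) if t) or None,
        "edited_with": tags.get("Software"),
    }


def summarize_report(raw_json):
    """Summaries for every file in an `exiftool -j` JSON array."""
    return [summarize(record) for record in json.loads(raw_json)]


if __name__ == "__main__":
    for s in summarize_report(SAMPLE_EXIFTOOL_JSON):
        print(json.dumps(s, indent=2))
        if s["lat"] is not None:
            print(f"map: https://www.openstreetmap.org/?mlat={s['lat']}&mlon={s['lon']}"
                  f"#map=17/{s['lat']}/{s['lon']}")
```

A record without OffsetTimeOriginal yields `taken_utc: None` rather than a guessed zone; the local time is kept so the analyst can reconcile it against the shadow/sun checks in the next section. Run it on real output with `exiftool -j *.jpg > tags.json` and feed the file to `summarize_report`.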
🗺️ Geolocation from Images
- Identify landmarks, signs, vegetation, terrain
- Read text in images (language/script narrows region)
- Vehicle license plates suggest country/state
- Electrical utility poles differ by region
- Shadow angle can determine hemisphere + approximate time
- Match to Street View with Google/Bing
- Use Sun position tools for timing validation
🎬 Video Verification
- Extract one frame per second with FFmpeg, then reverse-search and geolocate the frames like stills:
ffmpeg -i video.mp4 -vf fps=1 frame%04d.jpg
- Check upload date vs event date
- Use the InVID-WeVerify browser plugin for keyframe extraction, metadata and reverse search on YouTube and other platforms
- Cross-reference audio/weather/daylight
- Check Amnesty's YouTube DataViewer for the exact upload time and the thumbnails Google indexed
- Wikimapia & Google Earth for location confirmation
Dark Web OSINT — Safe Research Guide
Warning: Dark web research involves significant legal and safety risks. Always operate within legal boundaries, use proper OPSEC, and never download files from unknown sources.
🛡️ OPSEC Setup
- Use a dedicated physical or virtual machine
- Download Tor Browser from official source only
- Use Tails OS for maximum anonymity
- Never log into personal accounts over Tor
- VPN + Tor (VPN first, then Tor) hides Tor use from your ISP but moves that trust to the VPN provider; Tails routes everything through Tor and does not support a VPN underneath
- Set Tor Browser's Security Level to Safest, which disables JavaScript on all sites
- Never download or execute files
🔍 Dark Web Search Engines
- Ahmia.fi — .onion search engine reachable from the clearnet (opening the results still requires Tor)
- DarkSearch.io — .onion search engine
- Intelligence X — pastes & dark web content
- Torch (onion) — oldest Tor search engine
- Haystak (onion) — 1.5B indexed pages
📊 What to Look For
- Mentions of target domain/email on paste sites
- Leaked credentials in dark web markets
- Company data in breach forums
- Infrastructure overlap (clearnet ↔ darknet)
- Communication channels (forums, chat servers)
Corporate & Business OSINT Guide
🔍 Company Research Workflow
- Identify registered company name & number
- Check OpenCorporates for global registrations
- Search SEC EDGAR / Companies House filings
- Map subsidiaries, parent companies, shell companies
- LinkedIn employee count & key personnel
- Check ICIJ Offshore Leaks database
- Financial records: Crunchbase, DnB, ZoomInfo
🌐 Attack Surface Mapping
- Run theHarvester/SpiderFoot against domain
- Enumerate subdomains (Amass, Subfinder, crt.sh)
- Map IP ranges (RIPE, ARIN, APNIC WHOIS)
- Identify cloud assets (S3 buckets, Azure blobs)
- Check GitHub/GitLab for leaked credentials
- Shodan/Censys for exposed services
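Both the Phase 2 checklist and the attack-surface list above point at crt.sh, which returns a JSON array when queried as https://crt.sh/?q=%25.example.com&output=json. The raw response needs cleanup before it is a host list: name_value carries every SAN of the certificate separated by newlines, case is mixed, wildcard certificates prove nothing about individual hosts, and expired certificates name hosts that may no longer resolve. The Python below is an added example for this page (not part of crt.sh, Amass or Subfinder) that does that cleanup; the response is a constructed sample and `parse_crtsh` / `live_hosts` are names chosen here.

```python
"""Turn a crt.sh JSON response into a de-duplicated list of in-scope hostnames.

Added example for this page; not part of crt.sh, Amass or Subfinder.
Assumed query shape: https://crt.sh/?q=%25.example.com&output=json
"""
import json
import re

# Constructed sample of the JSON array crt.sh returns (one object per logged
# certificate). Real responses carry more fields; only these are used here.
SAMPLE_CRTSH_JSON = """[
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "www.example.com",
   "name_value": "www.example.com\\nexample.com",
   "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
  {"issuer_name": "C=US, O=DigiCert Inc", "common_name": "*.example.com",
   "name_value": "*.example.com\\nexample.com",
   "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "VPN.Example.com",
   "name_value": "VPN.Example.com\\ndev-api.example.com\\nnotexample.com",
   "not_before": "2024-02-01T00:00:00", "not_after": "2024-05-01T23:59:59"},
  {"issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "mail.example.com",
   "name_value": "mail.example.com",
   "not_before": "2022-01-01T00:00:00", "not_after": "2022-04-01T23:59:59"}
]"""

# Optional wildcard label, then at least two dot-separated labels.
HOSTNAME_RE = re.compile(r"^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)+$")


def parse_crtsh(raw_json, domain):
    """Return (hosts, wildcards).

    hosts maps each concrete hostname inside `domain` to the newest not_after
    seen for it; wildcards is the set of wildcard names, kept apart because
    they say nothing about specific hosts. Names are lower-cased and anything
    outside the target domain (crt.sh can return near-matches) is dropped.
    """
    domain = domain.lower()
    hosts, wildcards = {}, set()
    for cert in json.loads(raw_json):
        names = set(cert.get("name_value", "").split("\n"))
        names.add(cert.get("common_name", ""))
        for name in names:
            name = name.strip().lower()
            if not HOSTNAME_RE.match(name):
                continue
            if name.startswith("*."):
                base = name[2:]
                if base == domain or base.endswith("." + domain):
                    wildcards.add(name)
                continue
            if name != domain and not name.endswith("." + domain):
                continue
            # ISO-8601 timestamps compare correctly as strings.
            if name not in hosts or cert["not_after"] > hosts[name]:
                hosts[name] = cert["not_after"]
    return hosts, wildcards


def live_hosts(hosts, today):
    """Hostnames whose newest certificate had not expired on `today` (YYYY-MM-DD).
    Expired-only names are still worth a DNS lookup, but they are weaker leads."""
    return sorted(h for h, expiry in hosts.items() if expiry[:10] >= today)


if __name__ == "__main__":
    hosts, wildcards = parse_crtsh(SAMPLE_CRTSH_JSON, "example.com")
    for h in sorted(hosts):
        print(f"{h:<24} newest cert expires {hosts[h][:10]}")
    print("wildcards:", sorted(wildcards))
    print("live on 2024-03-01:", live_hosts(hosts, "2024-03-01"))
```

Feed the `live_hosts` output to the DNS resolution and Shodan/Censys steps; hand the expired-only names to DNS as well, since a lapsed certificate often marks a host that was decommissioned carelessly rather than removed.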
👥 Employee OSINT
- LinkedIn employee enumeration
- Cross-reference with breach databases
- Hunter.io email format discovery
- GitHub profile search by company email
- Conference talks, papers, publications
- Social media persona analysis
📧 Email Pattern Discovery
# Common email formats to try
firstname@company.com
f.lastname@company.com
firstname.lastname@company.com
f_lastname@company.com
firstnamelastname@company.com
# Verify with the Hunter.io Email Verifier API (keep the key in an environment variable so it does not land in shell history or logs)
curl "https://api.hunter.io/v2/email-verifier?email=test@company.com&api_key=$HUNTER_API_KEY"
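Guessing every format for every employee wastes verifier credits and trips rate limits; the usual approach is to infer the company's convention from a few addresses you already have (signatures, press releases, breach data) and generate only that form for the rest. The Python below is an added example for this page, not part of Hunter.io or any tool named above; the pattern names, `infer_pattern` and `candidates` are this example's own, and the sample names are constructed.

```python
"""Infer a company's address format from known samples, then generate candidates.

Added example for this page, not part of Hunter.io or any named tool. Inferred
candidates still need verification (Hunter.io verifier, MX/SMTP checks)
before they are treated as real addresses.
"""
import re
import unicodedata

# Local-part templates; f / l stand for the first and last initial.
PATTERNS = {
    "first": "{first}",
    "first.last": "{first}.{last}",
    "f.last": "{f}.{last}",
    "f_last": "{f}_{last}",
    "first_last": "{first}_{last}",
    "firstlast": "{first}{last}",
    "flast": "{f}{last}",
    "last.first": "{last}.{first}",
    "lastf": "{last}{f}",
}


def normalize(name_part):
    """Fold accents and punctuation the way mail admins usually do:
    'García' -> 'garcia', "O'Brien" -> 'obrien'."""
    ascii_form = unicodedata.normalize("NFKD", name_part).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_form.lower())


def build(pattern, first, last, domain):
    first, last = normalize(first), normalize(last)
    local = PATTERNS[pattern].format(first=first, last=last, f=first[:1], l=last[:1])
    return f"{local}@{domain.lower()}"


def infer_pattern(known):
    """known: [((first, last), email), ...] for people whose address is confirmed.
    Returns (pattern, hit_count) for the pattern explaining the most samples,
    or (None, 0) if none fits; a count of 1 from a single sample is a weak signal."""
    scores = {}
    for (first, last), email in known:
        email = email.strip().lower()
        domain = email.partition("@")[2]
        for name in PATTERNS:
            if build(name, first, last, domain) == email:
                scores[name] = scores.get(name, 0) + 1
    if not scores:
        return None, 0
    best = max(scores, key=scores.get)
    return best, scores[best]


def candidates(first, last, domain, pattern=None):
    """One address if the format is known, otherwise every pattern, de-duplicated
    (several templates coincide when a name part is a single character)."""
    if pattern:
        return [build(pattern, first, last, domain)]
    return sorted({build(p, first, last, domain) for p in PATTERNS})


if __name__ == "__main__":
    # Constructed sample: two confirmed addresses, one unknown colleague.
    known = [(("Ana", "García"), "a.garcia@example.com"),
             (("Tom", "O'Brien"), "t.obrien@example.com")]
    pattern, hits = infer_pattern(known)
    print(f"inferred format: {pattern} ({hits}/{len(known)} samples)")
    print("candidate:", candidates("María", "López", "example.com", pattern))
```

When `infer_pattern` returns a count below the number of samples, the company probably uses more than one convention (acquisitions, legacy accounts); generate both forms for the hold-outs rather than forcing one.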
Operational Security (OPSEC) for Investigators
🖥️ Isolated Investigation Environment
- Use a dedicated virtual machine (VirtualBox / VMware)
- Use a VPN with no-logs policy for all research
- Consider Tails OS for the most sensitive cases
- Create throwaway accounts for research
- Never mix personal and professional accounts
- Use a separate browser profile or Tor Browser
🔒 Account & Identity Hygiene
- Create research personas (sock puppets) for research accounts; check platform terms and your legal authorization first
- Use temporary/disposable email services
- Use virtual phone numbers (Twilio, TextNow); some platforms reject VoIP numbers at signup, so expect a few to fail
- Store credentials in a password manager
- Enable 2FA on all research accounts
🌐 Browser OPSEC
- Use a dedicated browser for research only
- Disable WebRTC (leaks real IP)
- Use browser fingerprint protection (Brave/Firefox)
- Clear cookies after each session
- Block trackers with uBlock Origin
- Private/incognito mode only clears local state between sessions; it hides neither your IP address nor your fingerprint, so combine it with the VPN and fingerprint protection above
📝 Documentation Best Practices
- Screenshot everything with timestamps
- Archive pages with archive.ph before they disappear
- Use Hunchly for automatic page capture
- Note your methodology for reproducibility
- Store all evidence in encrypted storage (VeraCrypt)
- Maintain a detailed investigation log
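Hunchly and archive.ph capture pages, but the chain-of-custody log called for in Phase 6 and again here is usually a spreadsheet that anyone can edit after the fact. The Python below is an added example for this page (not Hunchly's or any other tool's code) that keeps that log as JSON Lines where each entry carries the artifact's SHA-256 plus the hash of the previous entry, so a modified screenshot, an edited note or a deleted entry is detected on verification. The artifact files and URLs are constructed; `append_entry`, `verify_log` and `demo` are names chosen here.

```python
"""Tamper-evident chain-of-custody log for collected OSINT artifacts.

Added example for this page, not part of Hunchly or any named tool. Each
JSON-Lines entry records the artifact's SHA-256, a UTC timestamp, source URL
and collector, plus the hash of the previous entry, so editing, reordering or
removing an entry breaks the chain.
"""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def _entry_hash(entry):
    # Hash the canonical JSON of every field except the hash itself.
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def read_log(log_path):
    if not os.path.exists(log_path):
        return []
    with open(log_path, encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def append_entry(log_path, artifact_path, source_url, note, collector):
    entries = read_log(log_path)
    entry = {
        "seq": len(entries) + 1,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "artifact": os.path.basename(artifact_path),
        "size": os.path.getsize(artifact_path),
        "sha256": sha256_file(artifact_path),
        "source_url": source_url,
        "note": note,
        "collector": collector,
        "prev_entry_sha256": entries[-1]["entry_sha256"] if entries else None,
    }
    entry["entry_sha256"] = _entry_hash(entry)
    with open(log_path, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_log(log_path, evidence_dir):
    """Return a list of problems; an empty list means log and artifacts are intact."""
    problems, prev_hash = [], None
    for i, entry in enumerate(read_log(log_path), start=1):
        if entry.get("seq") != i:
            problems.append(f"entry {i}: sequence gap (seq={entry.get('seq')})")
        if entry.get("prev_entry_sha256") != prev_hash:
            problems.append(f"entry {i}: chain break (prev hash mismatch)")
        if _entry_hash(entry) != entry.get("entry_sha256"):
            problems.append(f"entry {i}: entry hash mismatch (record edited)")
        path = os.path.join(evidence_dir, entry["artifact"])
        if not os.path.exists(path):
            problems.append(f"entry {i}: artifact {entry['artifact']} missing")
        elif sha256_file(path) != entry["sha256"]:
            problems.append(f"entry {i}: artifact {entry['artifact']} sha256 mismatch")
        prev_hash = entry.get("entry_sha256")
    return problems


def demo():
    """Exercise the log on constructed files and return the verifier output at each stage."""
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "custody.jsonl")
        shot, page = os.path.join(d, "profile_page.png"), os.path.join(d, "profile_page.html")
        with open(shot, "wb") as f:
            f.write(b"\x89PNG constructed placeholder")
        with open(page, "wb") as f:
            f.write(b"<html>constructed placeholder</html>")
        append_entry(log, shot, "https://social.example/u/target", "profile screenshot", "analyst1")
        append_entry(log, page, "https://social.example/u/target", "saved page source", "analyst1")
        results = {"intact": verify_log(log, d)}
        with open(shot, "ab") as f:            # artifact altered after collection
            f.write(b"!")
        results["after_file_tamper"] = verify_log(log, d)
        entries = read_log(log)                # second entry's note edited in place
        entries[1]["note"] = "edited"
        with open(log, "w", encoding="utf-8") as f:
            f.writelines(json.dumps(e, sort_keys=True) + "\n" for e in entries)
        results["after_log_edit"] = verify_log(log, d)
    return results


if __name__ == "__main__":
    for stage, problems in demo().items():
        print(f"{stage}: {problems or 'OK'}")
```

Keep the log inside the same encrypted container as the artifacts and, at the end of each session, record the hash of the last entry somewhere you cannot edit silently (a signed email to yourself, a ticket comment); that anchors the chain against wholesale regeneration.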
OSINT Quick Reference Cheatsheet
🔎 Given an Email Address
- → HIBP + DeHashed (breaches)
- → Hunter.io + Snov.io (company & format)
- → Epieos (linked Google account)
- → EmailRep (reputation & activity)
- → Holehe (social media registration)
- → Google: "email@example.com"
👤 Given a Full Name
- → Google + Bing advanced search
- → LinkedIn + social media search
- → Spokeo + Pipl + WhitePages
- → Zabasearch + BeenVerified
- → Court records (PACER, CourtListener)
- → Wayback Machine (archived profiles)
📱 Given a Phone Number
- → Truecaller (caller ID lookup)
- → Spy Dialer (owner & carrier)
- → NumLookup + WhitePages Reverse
- → Google: "555-123-4567"
- → Thatsthem.com reverse lookup
🌐 Given a Domain
- → WHOIS (who.is, DomainTools)
- → DNSDumpster (subdomain map)
- → crt.sh (certificate transparency)
- → ViewDNS (reverse IP, DNS history)
- → theHarvester (email, subdomain harvest)
- → Shodan/Censys (open ports & services)
- → VirusTotal + URLScan (malware/behavior)
🏷️ Given a Username
- → Sherlock (300+ site check)
- → Maigret (3000+ site check)
- → WhatsMyName.app
- → Namechk + KnowEm
- → UserSearch.org
- → Google: "username" -site:known.com (exclude the site where you already found the handle)
🖼️ Given an Image
- → Yandex Images (best for faces)
- → Google Images reverse search
- → TinEye (exact match search)
- → ExifTool (GPS & metadata)
- → FotoForensics (manipulation check)
- → PimEyes (face recognition)
Social Media OSINT Guide
🐦 Twitter / X Investigation
# Posts from an account after a date
from:username since:2024-01-01
# Posts geotagged near a place
near:"city" within:5km
📸 Instagram Investigation
💼 LinkedIn Investigation
# Find a profile through Google instead of LinkedIn's logged-in search
site:linkedin.com/in "name"
🤖 Reddit Investigation
# Reddit search by author and subreddit
author:username subreddit:sub
✈️ Telegram Investigation
# Search the handle in Telegram's global search, or open t.me/username directly
@username
🐙 GitHub OSINT
# Committed .env files under a user (the new code search syntax is user:username path:*.env)
user:username extension:env
# Author emails from a cloned repository
git log --format="%ae" | sort -u