Open in app

Member-only story

How to Find Information About Anyone

Joshua Moses · Follow
14 min read · 23 hours ago

Listen Share More

Are you looking for an old friend that you have lost touch with?

Has a relative met someone off the internet and something doesn’t feel right?

Are you that nosy person who must know everything about everyone?

Great news! You have come to the right place. I can teach you the skills that private
investigators have utilized for years.
We live in a world where everything is connected to the internet. That convenience
has its issues in that you give up a great deal of privacy when you have any sort of
digital footprint. When we investigate the details of a digital footprint, we are using
OSINT (Open-Source Intelligence) skills.

OSINT — Open-source intelligence refers to a collection of data/information by

exploiting publicly available resources.

Everyone leaves digital traces of their information; you just need to know how to
find them. The three main methods of collecting OSINT sources of information are
passive, semi-passive, and active. The usage of either one depends on the scenario
and how deep the data needs to be collected. Passive is the most used type as it
targets only publicly available resources. Another name used by us security
professionals for passive information gathering is reconnaissance. Semi-passive
gathers information by sending limited traffic to target servers, investigating lightly
without launching any alarm on the target’s side. Active gathers information by
interacting directly with the system.

The five steps of the OSINT cycle consist of Planning, Gathering, Analysis,
Dissemination, and Feedback. Due to the overwhelming sea of information,
reconnaissance is broken down into 5 sub-phases referred to the OSINT process:

Source Information — the initial phase where the individual identifies potential
sources from which information may be gathered. Sources are documented and
detailed notes are written down for later use.

Data Harvesting — information is collected and harvested from the selected sources
and other sources that are discovered throughout this phase.

Data Processing and Integration — harvested information is processed for

actionable intelligence by searching for information that may assist in the
investigation.

Data Analysis — the individual performs data analysis of the processed information
using OSINT analysis tools.

Results Delivery — the final stage in which OSINT analysis is completed, and the
findings are presented/reported.
There is a plethora of OSINT tools available, both free and commercial. The focus
will be on the most popular tools used in the OSINT process. The key thing to know
is that the OSINT process is about using bits and pieces of information and running
that information through a particular tool to discover more information about a
person or entity.

Utilizing multiple tools highlights the need for data integrity. Always remember, just
because it is on the internet… does not mean it’s true. Multiple sources of
information support a higher level of data integrity.

Google Searching and Dorking

Google Searching or simply Google, as you know is a web search engine and its main
purpose is to search for text in publicly accessible documents offered by web
servers. The first investigation tool is the search operators and other advanced
operators are located here: Search Operators

Google Dorking is known as Google hacking which are advanced search strings used
within a web browser. Checkout the Google hacking database here: Google Hacking
Database

Common operators are:

Intitle: return documents that mention words in the page title.

Inurl: restrict the results to documents containing that word in the URL.

Filetype: used to find filetypes.

Ext: used to identify files with specific extensions such as .log

Intext: search for specific text on the page

 Google Dorking

WHOIS

Wikipedia defines WHOIS as a query response protocol that is widely used for
querying databases that store the registered users or assignees of an internet
resource such as DNS, IP address block, or an autonomous system. Check it out
here: WHOIS Lookup & Domain Lookup

Spokeo

Spokeo is a search engine that searches by name, phone, address, or email to

confidentially look for information about people revealing all types of publicly
available information such as public records, criminal records, school records, etc.
For example, searching for John Brown shows many results, so the more specific
you are the lesser and better the output.
 Spokeo

There are many other similar websites like Spokeo such as Intelius, OSINT
Framework, Family Tree Now, Pipl, ThatsThem, US Search, Zabasearch, Radaris,
and many others. IntelTechniques.com provide online training, podcast, and books.
They are useful to see if any of your private information that is potentially damaging
information is not posted for everyone to see. Frankly, it is somewhat of a rather
difficult task to keep your own private information off the Web.

DataSploit

DataSploit is found within Kali or BlackArch Linux and is used to collect targeted
data on a particular domain, email, username, or phone number and then organize
the results coherently in HTML and JSON reports or text files. The information
DataSploit attempts to find our credentials, API keys, tokens, subdomains, domain
history, legacy portals, etc. Recon-ng and theHarvester are also other excellent and
useful tool that is also built in Kali Linux. The advantage of theHarvester over
Recon-ng is that it is faster and simpler to use.

Shodan

The popular OSINT tool is Shodan which is specifically designed for Internet-
connected devices including ICS, IoT, video game systems, and more. Shodan GUI
has more functionality and is used to view live camera feeds and can visually depict
geographically where vulnerabilities are located throughout the world. It gives a
huge footprint of devices connected online and is a gold mine for researchers to see
the exposed assets. An example of a use case is testing for default passwords.

Shodan.io

Maltego

The Community Edition (CE) of Maltego is free and is developed by Paterva and is an
inbuilt tool in Kali Linux. Maltego helps to perform a significant reconnaissance
against targets using several built-in transforms as well as the capability to write
custom ones. A user must register on the Paterva site before Maltego can be used. It
can footprint Internet infrastructure used on social networking sites and collect
information about the people who use it. Maltego will query DNS records, whois
records, search engines, social networks, and various APIs and extract metadata that
is used to find correlational relationships between names, email addresses, aliases,
groups, companies/organizations, websites, domains, DNS names, netblocks, IP
addresses, affiliations, documents, and files.

As I mentioned, there are literally hundreds of tools that you can use to complete
your investigation. If you remember to use data integrity as the foundation of your
investigation, you will more than likely find what you are looking for.

Government Records

Every day, more and more court systems are connecting their databases to the
internet. It allows the judiciary to access court records, and attorneys to review
cases, and it allows the defendants and public to pay bills, and fines and access
records when necessary. These court systems give us a level of access that is very
useful in open-source investigations. I generally start with the courts when I begin
an investigation. I’ve found that each state, county, and city have its own system and
not all are connected to the internet. Google has been very useful in finding these
court systems, but ultimately building your own list of court systems that have
public access is an investigation. Let’s take Alaska for example. I searched for Alaska
public court records, and after verifying a few of the results I found this link: Alaska
Appellate Courts. Note: You can search by Party Name.

OSINT Investigations has a page dedicated solely to court systems. Last year there
were over 150 million cases filed in federal, state, and local courts. When you filter
out traffic tickets and other petty crimes you are still looking at a huge amount of
data. But why should you care about Court documents?

1. Open source

2. Factual Data

3. Different picture

4. Millions of Data points

Court records paint a different picture of a person, they describe events. When a
person bought a house, marriage, military service, and criminal history. If you are
searching for criminal history, I recommend Judy Records.

The search feature is not the best and further investigation is required of the
returned results. For example, if you searched for felony theft, the returned results
would include theft but not felony.

Social Media Investigations

There’s an overwhelming amount of available OSINT tools for social media

investigations, but not to worry; this list can help streamline the decision-making
process. Keep reading about these seven OSINT tools crucial for social media
investigations.

Hashatit

Hashatit is like a Google search; the only difference is that it’s for social media
investigations. This free OSINT platform lets users search and sift through active
hashtags across many social media platforms, with any potentially related posts on
display in one place.

HASHATIT

The main benefit of Hashatit is that users can quickly filter search results or add
custom parameters with the help of the platform toolkit. However, remember that
Hashatit has limits: It is a platform focused on pulling data from major social media
platforms — and not from smaller chat forums, obscure network websites, or less
well-known message boards — so it could miss useful information.

Snap Map

In 2019, the popular social media platform Snapchat publicly released Snap Map,
which allows users to see geotagged posts shared by other users from across the
globe. Snap Map appears as a color-coded heat map, which helps to display the
activity level in a specific area.
 Snap Map

Snap Map is a highly reliable OSINT tool, primarily because it prevents users from
sharing false location coordinates on shared content. The tool even allows
researchers to pick individual snaps to see related images, videos, and comments. In
social media investigations, Snap Map can effectively find information on recent
events, such as natural disasters, breaking news, and much more.

IntelTechniques

Inteltechniques was founded by Michael Bazzell, a former FBI Cyber Crime Agent.
The username and names search tools allow you to search through many social
media sites for a specific person. Users have a habit of utilizing the same username
across multiple platforms. His tools will allow you to search those same usernames
throughout other platforms.
 IntelTechniques.com

Dating Sites

Many people use dating sites to find love or to find lust. As Kevin Murnane
illustrated in 2016, more people continue to use dating sites like eHarmony,
OkCupid, Tinder, Grindr, Plenty of Fish, Farmers Only, Ashley Madison, and
OurTime. With websites like this, a person can pay a fee and cut to the chase. What
are the intentions of the person signing up? Casual dating, hooking up, or serious
relationship/marriage?

Dating sites lend themselves to OSINT collection. Users are not verified to be using
valid pictures or data. While there are undoubtedly fake accounts as we learned with
the Ashley Madison data breach, users of these sites would probably rather give a
benefit of the doubt. The other side of the same coin points out that many users
pour their hearts out and share many intimate details that could be used against
them. Starting with the obvious, users typically put their zip code or other
references to their physical location.

This is not the fault of the sites, for the most part. The sites may ask questions that
are too invasive or possibly enable that level of oversharing. Going back a little bit
more, the users may use a username on that platform that they also use on a
different website, whether it be a different dating site or a regular social media
website. This is a potential vector for a stalker or an aggressor to move from the
internet to real life. Even if the user uses a fake first name or does not reveal their
last name, reusing the username negates any security protocol with this account if
their real name is used on an account with the same username. The profiler module
of Recon-ng or Micah Hoffman’s What’s My Name (the source of the Recon-ng
plugin), can take a username and enumerate where else that username is used.

Monster Crawler, DogPile, and WebCrawler are all alternative search engines that
allow you to reverse username search.

You’ve likely noticed that there are two different types of tools in the OSINT toolbox.
Tools that relate specifically to computer network devices and tools that are more
informational. Many of the tools overlap in their usefulness for either type, so I
encourage you to utilize both types of tools in your investigation. You truly never
know what you might find. The process of OSINT was born out of s process called
footprinting. Footprinting is what hackers do when they are performing
reconnaissance on a target. It is the gathering of information to use in the effort to
compromise the target. As information evolved along with the internet, hackers
realized that the same concepts and processes behind footprinting could be applied
to gathering intelligence on humans or organizations.

There are also tools that you can utilize to gather intelligence when you have
physical contact with the data source.

Check Browser History

If you have access to a person’s electronic device, you can check their browser
history. All visits to online dating sites and social networks will be there. It is very
easy to launch a browser on their device, open a new tab, and press CTRL+H.
Another way to do this is to go to the browser settings and select “history”.

Andriller

Andriller is a software utility for Windows Operating System with a collection of

forensic tools for smartphones. It performs read-only, forensically sound, non-
destructive acquisition from Android devices. It has other features, such as powerful
Lockscreen cracking for Pattern, PIN code, or Password; custom decoders for apps
data from Android (and some Apple iOS) databases for decoding communications.
 Andriller

WhatsApp Xtract

WhatsApp Xtract allows WhatsApp conversations to be viewed on the computer in a

simple and user-friendly way.

Skype Xtractor

Skype Xtractor for Linux and Windows is a Python tool developed for the Forensics
distro DEFT Linux 8. Extracts data from Skype’s main.db, including contacts, chats,
calls, file transfers, and deleted/modified messages from chatsync databases.

MOBILedit

MOBILedit is a platform that works with a variety of phones and smartphones (a

complete list of supported handsets is available on the manufacturer’s website) and
explores the contents of the phone through an MS Outlook-like folder structure. This
allows backup of the information stored on the phone, storing it on a PC or copying
data to another phone via the Phone Copier feature.

MOBILedit connects to cell phone devices via an Infrared (IR) port, a Bluetooth link,
Wi-Fi, or a cable interface. After connectivity has been established, the phone
model is identified by its manufacturer, model number, and serial number (IMEI)
and with a corresponding picture of the phone.

Data acquired from cell phone devices is stored in the .med file format. After a
successful logical acquisition, the following fields are populated with data:
subscriber information, device specifics, Phonebook, SIM Phonebook, Missed Calls,
Last Numbers Dialed, Received Calls, Inbox, Sent Items, Drafts, and Files folder.
Items present in the Files folder, ranging from Graphics files to Camera Photos and
Tones, depend on the phone’s capabilities. Additional features include the
myPhoneSafe.com service, which provides access to the IMEI database to register
and check for stolen phones.
 MOBILedit

Geolocation tools

Creepy is a free tool for locating people using social media and image-sharing sites.

Many sites help match an IP address with a location as IPlocation.net does. But if
you know the Wi-Fi points to which the target was connected, you can use Wigle.net.
This service will help you map and conduct a more detailed study.

Some other useful websites are:

EarthCam is a world leader in webcam content, technology, and services.

Inescam is the world’s largest catalog of CCTV cameras online.

Images

Google Images, Bing Images, FaceCheck and Pimeyes allow you to perform a reverse
image search to see where else they were used or when they were first published. I
also recommend using the Tineye service as it has slightly different algorithms than
Google, which means the results may differ. Researchers can identify people by
their avatars because people rarely update their social media profile photos. It can
also be useful to debunk fake news. A journalist can perform an image search in
combination with filtering.

You can use special tools to find images depending on purpose and format. For
example, Findclone and Findmevk.com can be used for Vkontakte, while
Karmadecay is better for Reddit. You can also install browser extensions such as
RevEye for Chrome and Image Search Options for Firefox. Or download the mobile
app CamFind for iOS.

The image itself contains much EXIF ​data, such as camera information, geo-
coordinates, and other details. If it’s not removed, some interesting things can be
found. For example, if you know the geo-coordinates, you can determine where the
picture was taken. For this purpose, you can use image editing tools or online
resources such as Exifdata or View EXIF Data. To remove EXIF ​data from your
image, you can use EXIF Purge or VIEW AND REMOVE EXIF ONLINE.

If you need to find out if the image has been somehow altered or faked, you can use
the application to conduct a forensic examination. If you don’t want to upload the
image online, analyze it locally with Phoenix or Ghiro.

Businesses

By now you have probably already realized that for each type of investigation, there
is a specific set of tools that are useful based on the target. Businesses have their
own tools but are also an investigative target where many of the tools that you utilize
for computer networks, as well as the informational tools can all be very useful. Like
any other investigation, I always start with my passive sources. Each state has its
own database of businesses that are licensed in that state. The Secretary of State
Division of Corporations is publicly accessible. For example: Missouri and New
York.

You can look up business filings and find out who owns the business, members of
the board of directors, and many other useful facts. You can then take the data that
you have pulled from the business filings and search other places, such as the SEC
(US Securities and Exchange Commission) or OpenCorporates. Of course, you
always want to reference the Better Business Bureau.