EMAIL AND PHONE NUMBERS

OSINT

Introduction
Open-source intelligence (OSINT) investigations for email addresses and phone numbers
involve gathering publicly available information to learn more about the owner of these details.
Below is a general guide for conducting such investigations ethically and legally

Email Address OSINT investigation

1) Search Engines

A) Use Google, Bing, or DuckDuckGo to search the email address in quotes (e.g.,
"[email protected]").

 Check if it appears on websites, forums, social media profiles, or news articles.

 Find public mentions on website, forums, or social media.

2) Social Media

Test the email on popular social media platforms (Facebook, Twitter, LinkedIn, Instagram).

 Many platforms allow reverse searches using email addresses.

 Try the email on platforms like Facebook, LinkedIn, Instagram, or Twitter.
 LinkedIn Reverse Search
 Facebook Graph Search (manually try variations)
 Login page analysis
 Use Sherlock to scan multiple social media platforms for usernames matching the
email.

Install: git clone https://github.com/sherlock-project/sherlock.git

Run: python3 sherlock.py email username

3) Data Breach Checkers

Use tools like Have I Been Pwned to check if the email address has appeared in data
breaches.

Tools

 https://intelx.io/
 https://dehashed.com/
 https://weleakinfo.io/

Steps: Enter the email to uncover past breaches, passwords, or connected accounts.

Goal: Look for other connected data points like associated usernames, domains, or linked
accounts.

4) Email Validation Tools

Services like Hunter.io, VerifyEmail, or EmailRep can provide information about the domain,
reputation, and creation details of an email.

5) Reverse Image Search

 If you find an associated profile picture, use reverse image search tools like Google
Images or TinEy
 If an email account has a public profile picture, perform a reverse image search on
Google Images or TinEye to find similar profiles.e to find other accounts linked to the
image.

6) OSINT Platforms

 Tools like Maltego, Recon-ng, and Spadefoot can automate email investigations and
uncover connected entities.
 in-depth mapping of the email's connections to domains, IP addresses, and social
media.

7) Metadata Extraction from Emails

If you have access to an email

Steps -:

 Analyze headers using an email client or tools like MXToolbox.

 Data to look for:
 Sender’s IP address.
 Originating domain.
 Hosting provider.
8) Domain Analysis

Steps:-

 For custom domain emails (e.g., [email protected]):

 Use WHOIS Lookup to identify domain owners and hosting information.
 Check SPF/DKIM records for legitimacy at MXToolbox

9) Code Repository Discovery

Check platforms like GitHub, GitLab, or Bitbucket for code contributions linked to the email.

Search directly or use tools like Email2Git.

10) Email-Specific Dorks

A) Exact Email Searches

1. Find exact email mentions:

"[email protected]”

2. Search for email on a specific site:

"[email protected]" site:example.com

3. Wildcard search for domain-based emails:

*@example.com

4. Find obfuscated versions of an email:

"example(at)example.com" OR "example [at] example.com"

B) Social Media and Forums

1. Search on Twitter:

"[email protected]" site:twitter.com
2. Search on Facebook:

"[email protected]" site:facebook.com

3. Search on Reddit:

"[email protected]" site:reddit.com

4. Search on LinkedIn:

"[email protected]" site:linkedin.com

5. Look for profiles mentioning the email:

"[email protected]" intitle:"profile"

C) Data Breaches and Paste Sites

1. Search on Pastebin for leaks:

"[email protected]" site:pastebin.com

2. Search on Ghostbin or similar paste sites:

"[email protected]" site:ghostbin.com

3. Look for email-related data in text files:

"[email protected]" filetype:txt

4. Find leaked email credentials:

"[email protected]" AND "password"

D) Domain and Company Email Discovery

1. Search all emails under a domain:

intext:"@example.com"

2. Look for domain-based emails in PDFs:

"@example.com" filetype:pdf

3. Search for emails in spreadsheets:

"@example.com" filetype:xls

4. Look for emails in Word documents:

"@example.com" filetype:doc
E) Admin and Registration Information

1. Search for admin accounts:

"[email protected]" inurl:admin

2. Find registration details linked to email:

"[email protected]" inurl:register

3. Look for account creation information:

"[email protected]" "create account"

F)Email in Public Discussions

1. Search for email in blog posts:

"[email protected]" site:blogspot.com

2. Find email mentions in forums:

"[email protected]" site:disqus.com

3. Search for discussions about the email:

"[email protected]" AND "discussion"

G) Associated Data

1. Search for phone numbers linked to the email:

"[email protected]" "phone"

2. Find addresses linked to the email:

"[email protected]" "address"

3. Discover usernames linked to the email:

"[email protected]" "username"

H) Advanced Operators

1. Exclude specific results:

"[email protected]" -site:linkedin.com

2. Combine multiple operators:

"[email protected]" AND "login" OR "signup"

3. Search for cached results:

cache:example.com [email protected]
  Tips for Using Dorks E ectively

 Experiment with Variations: If the exact email doesn’t return results, try variations (e.g.,
"name at example dot com").

 Combine Keywords: Use combinations like "[email protected]" AND

"password" to narrow your search to breaches.

 Exclude Irrelevant Results: Use the - operator to remove unwanted results.

 Example:

"[email protected]" -site:linkedin.com