This will be a living document and will get content added and/or updated as often as possible.

Open Source Intelligence [OSINT] describes a wide range of tools, applications, methodologies, and data sources used by security professionals, penetration testers, and threat intelligence analysts.
Some of the open source resources used during these investigations are social media platforms, public forums, and public records.
These are the general phases used in structured OSINT investigations and security assessments.
PLANNING
Always ensure the Rules of Engagement [RoE] have clearly defined boundaries, targets, and limitations outlining exactly what systems, networks, applications, and/or physical locations are authorized for testing, as well as what will be excluded from the engagement.
– Define your objective — what are you trying to find and why?
– Identify your target — person, organization, domain, IP, username etc.
– Define scope — what’s in bounds and what’s out of bounds?
– Establish legal boundaries — are you authorized? What laws apply? (CFAA, GDPR, FCRA etc.)
– Define ethical limits — what will you and won’t you do regardless of legality?
– Identify what a successful outcome looks like.
– Determine who the findings are for and in what format they’ll need them.
– Document and have the RoE signed by all relevant parties before any work begins.
OPERATIONAL SECURITY
Investigators use public OSINT tools to assist with research and data correlation. Before beginning any reconnaissance, certain prerequisites should be part of your field kit to minimize your own exposure. Maintain Operational Security [OPSEC] throughout to reduce attribution risk and personal exposure during investigations.
– Set up a dedicated VM or isolated environment
– Use a VPN or the Tor Browser, depending on the required anonymity level
– Create sock puppet accounts with believable, non-attributable personas
– Disable WebRTC to prevent IP leaks and harden the browser against fingerprinting
– Keep investigation infrastructure completely separate from personal/work infrastructure
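A concrete way to verify two of the items above before any recon starts is to check, from inside the dedicated VM, that both the default route and DNS resolution actually go through the VPN tunnel rather than the host's physical uplink (a leaking default route or an ISP-router resolver is the usual way attribution slips). The script below is an added example, not part of the original page: the interface name `tun0`, the VPN resolver `10.8.0.1`, and the `ip route` / resolv.conf samples are all assumed or constructed. WebRTC is a browser-level leak and is outside what this script can check.

```python
"""OPSEC preflight for a Linux investigation VM: confirm that default traffic
and DNS both go through the VPN tunnel. Added example, not from the original
page; interface name, resolver and sample outputs are assumed/constructed."""
from typing import Dict, List, Optional

VPN_IFACE = "tun0"              # assumed tunnel interface name
VPN_RESOLVERS = {"10.8.0.1"}    # assumed resolver pushed by the VPN

# Constructed `ip route show` output: the default route still leaves via the
# physical NIC and only the VPN subnet uses tun0, so traffic leaks.
ROUTES_LEAKING = """\
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.57
"""

# Constructed output with a full-tunnel VPN: the two /1 routes via tun0 are
# more specific than "default" and therefore carry all traffic.
ROUTES_OK = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev eth0 proto dhcp metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.5
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.57
"""

RESOLV_OK = "search lan\nnameserver 10.8.0.1\n"           # constructed
RESOLV_LEAKING = "search lan\nnameserver 192.168.1.1\n"   # constructed: LAN router


def effective_default_iface(ip_route_output: str) -> Optional[str]:
    """Return the interface that really carries default traffic.
    A matching pair of 0.0.0.0/1 + 128.0.0.0/1 routes overrides 'default'."""
    halves, default_dev = {}, None
    for line in ip_route_output.splitlines():
        parts = line.split()
        if not parts:
            continue
        dev = parts[parts.index("dev") + 1] if "dev" in parts else None
        if parts[0] in ("0.0.0.0/1", "128.0.0.0/1"):
            halves[parts[0]] = dev
        elif parts[0] == "default":
            default_dev = dev
    if len(halves) == 2 and len(set(halves.values())) == 1:
        return halves["0.0.0.0/1"]
    return default_dev


def resolvers(resolv_conf: str) -> List[str]:
    """Nameserver addresses listed in resolv.conf (comments/search ignored)."""
    return [ln.split()[1] for ln in resolv_conf.splitlines()
            if ln.strip().startswith("nameserver") and len(ln.split()) > 1]


def preflight(ip_route_output: str, resolv_conf: str) -> Dict[str, bool]:
    """Individual checks plus an overall verdict; recon should not start on False."""
    dev = effective_default_iface(ip_route_output)
    ns = resolvers(resolv_conf)
    result = {
        "default_via_vpn": dev == VPN_IFACE,
        "dns_via_vpn": bool(ns) and all(n in VPN_RESOLVERS for n in ns),
    }
    result["ok"] = all(result.values())
    return result


if __name__ == "__main__":
    for label, routes, resolv in (("leaking", ROUTES_LEAKING, RESOLV_LEAKING),
                                  ("ok", ROUTES_OK, RESOLV_OK)):
        print(label, preflight(routes, resolv))
```

On a live VM you would feed it the real outputs of `ip route show` and the contents of /etc/resolv.conf; a VPN using policy routing (WireGuard-style fwmark rules) needs an extra check of `ip rule` that this script does not attempt.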
RECONNAISSANCE
Reconnaissance [Recon] is one of the first steps in executing a Penetration Test, and its results inform both the security assessment and the business decisions that depend on it. When performed by an attacker, Recon reveals the ways in which targeted systems can be approached to gain malicious, unauthorized access.
Passive Recon: Web based sources
Recon investigators use free, public websites to collect target data such as domain name registrant history and site owner information; free browser extensions that crawl and scrape data from web pages into a CSV file or Excel spreadsheet; and sites that check hundreds of social networks and domains for a target’s usernames.
Passive Recon “toolboxes” can consist of hundreds of websites and tools:
– Search engine dorking (Google, Bing, DuckDuckGo)
– Social media profiling (public posts, connections, check-ins, metadata)
– WHOIS and DNS lookups
– Reverse image searches
– Data breach databases (HaveIBeenPwned, DeHashed etc.)
– Public records searches (court filings, property records, business registrations)
– Shodan / Censys for exposed infrastructure
– Wayback Machine / cached pages
– Metadata extraction from publicly available documents and images (EXIF, FOCA)
– Job postings and LinkedIn for organizational intelligence
– GitHub and code repositories for exposed credentials or config files
– Dark web monitoring where applicable
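Metadata extraction is one of the passive sources above that is easy to demonstrate offline, and the same code shows the mitigation an organization should apply before publishing images. The example below is an added one (not from the original page, and not FOCA or any named tool): it builds a small JPEG in memory with a constructed EXIF APP1 segment, reads the ASCII tags in IFD0 (Make, Model, Software, DateTime, Artist) using only the standard library, and strips the APP1 segments so the file can be published without them. It does not follow the GPS sub-IFD or parse non-ASCII tag types.

```python
"""Minimal EXIF reader and stripper (standard library only). Added example,
not from the original page; the JPEG bytes are constructed in memory and
contain only SOI, one APP1 segment and EOI."""
import struct
from typing import Dict, Iterator, Tuple

SOI, EOI, APP1, SOS = 0xFFD8, 0xFFD9, 0xFFE1, 0xFFDA
ASCII = 2   # TIFF field type for NUL-terminated strings
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software",
             0x0132: "DateTime", 0x013B: "Artist", 0x8298: "Copyright"}


def build_exif_jpeg(fields: Dict[int, str]) -> bytes:
    """Construct a JPEG-shaped byte string whose APP1 segment carries the given
    ASCII tags in IFD0 (little-endian TIFF). Constructed test data only."""
    n = len(fields)
    data_off = 8 + 2 + 12 * n + 4            # first free byte after IFD0
    entries, blob = b"", b""
    for tag, text in sorted(fields.items()):
        raw = text.encode("ascii") + b"\x00"
        if len(raw) <= 4:                     # short values are stored inline
            entries += struct.pack("<HHI4s", tag, ASCII, len(raw), raw.ljust(4, b"\x00"))
        else:                                 # long values live after the IFD
            entries += struct.pack("<HHII", tag, ASCII, len(raw), data_off + len(blob))
            blob += raw
    tiff = b"II" + struct.pack("<HI", 42, 8) + struct.pack("<H", n) + entries + b"\x00" * 4 + blob
    body = b"Exif\x00\x00" + tiff
    return struct.pack(">H", SOI) + struct.pack(">HH", APP1, len(body) + 2) + body + struct.pack(">H", EOI)


def _segments(jpeg: bytes) -> Iterator[Tuple[int, int, int]]:
    """Yield (marker, start, end) for every marker segment before SOS/EOI."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 2 <= len(jpeg):
        (marker,) = struct.unpack(">H", jpeg[pos:pos + 2])
        if marker in (SOS, EOI):
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])   # includes itself
        yield marker, pos, pos + 2 + length
        pos += 2 + length


def extract_exif_ascii(jpeg: bytes) -> Dict[str, str]:
    """Return the ASCII tags found in IFD0 of the first Exif APP1 segment."""
    found: Dict[str, str] = {}
    for marker, start, end in _segments(jpeg):
        payload = jpeg[start + 4:end]
        if marker != APP1 or not payload.startswith(b"Exif\x00\x00"):
            continue                           # XMP and other APP1 payloads skipped
        tiff = payload[6:]
        endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
        magic, ifd = struct.unpack(endian + "HI", tiff[2:8])
        if magic != 42:
            raise ValueError("bad TIFF header")
        (count,) = struct.unpack(endian + "H", tiff[ifd:ifd + 2])
        for i in range(count):
            e = ifd + 2 + 12 * i
            tag, ftype, n, valoff = struct.unpack(endian + "HHII", tiff[e:e + 12])
            if ftype != ASCII:
                continue
            raw = tiff[e + 8:e + 8 + n] if n <= 4 else tiff[valoff:valoff + n]
            found[TAG_NAMES.get(tag, f"0x{tag:04X}")] = raw.split(b"\x00")[0].decode("ascii", "replace")
        break
    return found


def strip_exif(jpeg: bytes) -> bytes:
    """Mitigation: return the JPEG with every APP1 segment removed (Exif and
    XMP alike). Image data from SOS onward is copied untouched."""
    out, last = jpeg[:2], 2
    for marker, start, end in _segments(jpeg):
        if marker != APP1:
            out += jpeg[start:end]
        last = end
    return out + jpeg[last:]


# Constructed sample: the kind of fields a document or photo can leak.
SAMPLE_FIELDS = {0x010F: "Acme", 0x0110: "X1", 0x0131: "PhotoEdit 9.1",
                 0x0132: "2024:03:05 14:22:10", 0x013B: "J. Doe (Finance Dept)"}
SAMPLE_JPEG = build_exif_jpeg(SAMPLE_FIELDS)

if __name__ == "__main__":
    print(extract_exif_ascii(SAMPLE_JPEG))          # leaked author, tool, timestamp
    print(extract_exif_ascii(strip_exif(SAMPLE_JPEG)))  # {} after stripping
```

Run against a real photo, `extract_exif_ascii(open("img.jpg", "rb").read())` shows what an investigator (or an attacker) would see; `strip_exif` is the pre-publication cleanup, although production pipelines should also drop the GPS sub-IFD and any embedded thumbnail, which this minimal version handles only by removing the whole APP1 segment.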
Active Recon: Pentesting and Social Engineering
This involves direct interaction with systems or individuals where authorized by the Rules of Engagement [RoE]. This may include validating findings or testing exposed services in a controlled and legal environment.
– Direct website visits and crawling
– Port scanning (Nmap)
– Subscribing to newsletters or mailing lists
– Registering for public forums or communities the target participates in
– Banner grabbing
– Interacting with target’s social media profiles, and sending connection requests or messages
– Always investigate via sock puppet accounts only
Note: active recon carries a higher risk of detection — OPSEC must be airtight before proceeding.
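The note above is worth seeing from the defender's side: a port sweep like the Nmap item in the list is one of the easiest active recon steps to spot in firewall logs, because a single source touches many distinct destination ports in a short window. The detector below is an added example, not from the original page; the log line format and all addresses (RFC 5737 documentation ranges) are constructed, and the sample includes a fast sweep, a normal client that repeatedly hits one port, and a slow probe spaced two minutes apart to show how the window and threshold parameters trade detection against noise.

```python
"""Port-sweep detection over constructed firewall log lines. Added example,
not from the original page; log format, addresses and thresholds are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed line format: "<ISO timestamp> <action> src=.. dst=.. proto=.. dport=.."
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>[\d.]+) "
                     r"dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)$")
BASE = datetime(2024, 3, 5, 14, 22, 0)


def _line(offset_s: int, src: str, dport: int, action: str = "DROP") -> str:
    """Build one constructed log line offset_s seconds after BASE."""
    ts = (BASE + timedelta(seconds=offset_s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"{ts} {action} src={src} dst=198.51.100.10 proto=TCP dport={dport}"


SCAN_PORTS = [21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389, 8080]
SAMPLE_LOG: List[str] = (
    [_line(2 * i, "203.0.113.7", p) for i, p in enumerate(SCAN_PORTS)]        # 12 ports in 22 s
    + [_line(i, "198.51.100.44", 443, "ACCEPT") for i in range(25)]           # normal HTTPS client
    + [_line(120 * i, "192.0.2.9", p) for i, p in enumerate([22, 80, 443, 8080, 8443])]  # slow probe
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one line into a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    ev["dport"] = int(ev["dport"])
    return ev


def detect_port_sweeps(lines: List[str], min_ports: int = 10,
                       window_s: int = 60) -> Dict[Tuple[str, str], dict]:
    """Flag (src, dst) pairs where one source touched >= min_ports distinct
    destination ports within any window_s-second window."""
    window = timedelta(seconds=window_s)
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_pair[(ev["src"], ev["dst"])].append((ev["ts"], ev["dport"]))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):          # sliding window from each event
            ports = {p for t, p in events[i:] if t - t0 <= window}
            best = max(best, len(ports))
        if best >= min_ports:
            alerts[pair] = {"distinct_ports": best, "first": events[0][0], "last": events[-1][0]}
    return alerts


if __name__ == "__main__":
    print("default:", detect_port_sweeps(SAMPLE_LOG))
    print("slow-scan tuning:", detect_port_sweeps(SAMPLE_LOG, min_ports=5, window_s=600))
```

With the default parameters only the fast sweep is flagged; widening the window to ten minutes and lowering the threshold to five ports also catches the slow probe, at the cost of more false positives on busy hosts, which is exactly the tuning decision a detection engineer makes per environment.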
ANALYSIS
Once collection is complete, the final step is a detailed analysis report covering every step taken; every tool, application, and website used; and the screenshots, printouts, and data files collected during the engagement.
– Organize and structure all collected data (Maltego, Obsidian, etc.)
– Cross-reference findings across multiple independent sources
– Build timelines of activity or events
– Map relationships between entities (people, domains, accounts, locations)
– Assign confidence levels to findings (confirmed, probable, unverified)
– Identify gaps and determine if additional collection is needed
– Document everything in a clear, structured, defensible format appropriate for your audience — whether that’s law enforcement, a client, or your own team
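The cross-referencing, confidence, relationship-mapping, timeline and gap items in the list above can be made mechanical once findings are recorded in a consistent shape. The script below is an added example, not from the original page and not the workflow of Maltego or Obsidian: every finding, source name and the reliability table is constructed, and the confidence policy (confirmed = two or more independent sources agree; probable = a single high-reliability source; unverified = anything weaker; conflicting = sources disagree) is an assumption that an analyst would adapt to their own standards.

```python
"""Analysis-phase helpers: cross-reference findings, assign confidence, map
relationships, build a timeline and list gaps. Added example, not from the
original page; findings, sources and the confidence policy are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Finding:
    entity: str     # who/what the claim is about, e.g. "user:jdoe"
    attribute: str  # what is claimed, e.g. "email"
    value: str      # the claimed value
    source: str     # where it was observed
    observed: date  # when it was observed


# Assumed reliability per source type; set per case in practice.
SOURCE_RELIABILITY = {"corporate_registry": "high", "whois_history": "high",
                      "breach_dump": "medium", "forum_profile": "low", "social_post": "low"}

# Constructed findings for a fictional target set.
FINDINGS = [
    Finding("org:Example LLC", "name", "Example LLC", "corporate_registry", date(2019, 11, 3)),
    Finding("domain:example.com", "registrant_org", "Example LLC", "whois_history", date(2021, 4, 18)),
    Finding("domain:example.com", "registrant_email", "jdoe@example.com", "whois_history", date(2021, 4, 18)),
    Finding("user:jdoe", "location", "Austin", "forum_profile", date(2022, 9, 12)),
    Finding("user:jdoe", "email", "jdoe@example.com", "forum_profile", date(2023, 1, 10)),
    Finding("user:jdoe", "email", "jdoe@example.com", "breach_dump", date(2023, 6, 2)),
    Finding("user:jdoe", "location", "Denver", "social_post", date(2024, 2, 1)),
    Finding("user:jdoe", "employer", "Example LLC", "social_post", date(2024, 2, 1)),
]


def assess(findings: List[Finding]) -> Dict[Tuple[str, str], dict]:
    """Group claims by (entity, attribute) and assign a confidence level."""
    groups: Dict[Tuple[str, str], List[Finding]] = defaultdict(list)
    for f in findings:
        groups[(f.entity, f.attribute)].append(f)
    out = {}
    for key, fs in groups.items():
        values = {f.value for f in fs}
        sources = {f.source for f in fs}
        if len(values) > 1:
            level = "conflicting"                  # sources disagree: needs resolution
        elif len(sources) >= 2:
            level = "confirmed"                    # independent agreement
        elif SOURCE_RELIABILITY.get(next(iter(sources)), "low") == "high":
            level = "probable"                     # one authoritative source
        else:
            level = "unverified"
        out[key] = {"values": sorted(values), "sources": sorted(sources), "confidence": level}
    return out


def relationships(findings: List[Finding]) -> Set[Tuple[str, str]]:
    """Link entities that share an attribute value (the pivot points on a link chart)."""
    by_value: Dict[str, Set[str]] = defaultdict(set)
    for f in findings:
        by_value[f.value].add(f.entity)
    edges = set()
    for ents in by_value.values():
        ordered = sorted(ents)
        for i in range(len(ordered)):
            for j in range(i + 1, len(ordered)):
                edges.add((ordered[i], ordered[j]))
    return edges


def timeline(findings: List[Finding]) -> List[Tuple[date, str]]:
    """Chronological list of observations for the report."""
    return sorted((f.observed, f"{f.source}: {f.entity} {f.attribute}={f.value}") for f in findings)


def gaps(assessment: Dict[Tuple[str, str], dict]) -> List[Tuple[str, str]]:
    """Claims that still need collection before they are defensible."""
    return sorted(k for k, v in assessment.items() if v["confidence"] in ("unverified", "conflicting"))


if __name__ == "__main__":
    a = assess(FINDINGS)
    for key, v in sorted(a.items()):
        print(key, v["confidence"], v["values"], v["sources"])
    print("links:", sorted(relationships(FINDINGS)))
    print("gaps:", gaps(a))
    for when, what in timeline(FINDINGS):
        print(when, what)
```

The output makes the report structure explicit: the shared email and the organization name are the pivots that connect the username, the domain and the company; the two location claims conflict and the employer claim rests on a single low-reliability post, so both land in the gap list rather than in the findings presented as fact.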
NOTE: As always, remember to follow basic cyber security best practices before any online activity.
OSINT TOOLS
Anonymous Email – is a web-based service that allows users to send anonymous, untraceable emails without creating an account. It functions as a secure forwarder, concealing the sender’s IP address and identity while delivering messages to recipients via its own mail servers.
Big Domain Data – can provide domain name registrant, history, and owner information.
Data Miner – is a free Google Chrome and Microsoft Edge browser extension that helps you crawl and scrape data from web pages into a CSV file or Excel spreadsheet.
Know Em – will check over 500 social networks and over 150 domains for usernames.
Opsis – was designed to search for and aggregate information associated with usernames, emails, or names across social media and online platforms.
Privacy – allows you to create security-focused, virtual card services for privacy-focused online transactions.
SearX – is a metasearch engine that uses over 70 search services.
MITRE – is a corporation that was established to advance national security in new ways and serve the public interest as an independent adviser. They developed the MITRE Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK) guidelines for classifying and describing cyber-attacks and intrusions. They also created MITRE D3FEND – a cyber security ontology and knowledge graph that standardizes the vocabulary for defensive techniques and countermeasures.
TextNow – is the only free phone service provider with unlimited talk & text, free data for select apps, and nationwide 5G coverage—all in one convenient app.
Tuta – is a privacy-focused, end-to-end encrypted email service headquartered in Germany that offers secure communication tools including email, calendars, and contacts. Formerly known as Tutanota, the platform operates on a freemium model, providing free accounts with limited storage and paid plans that support custom domains and increased capacity.
Wayback Machine – is a free, digital archive of World Wide Web sites, launched in 2001 by the non-profit Internet Archive. It allows users to view archived, “past-tense” versions of web pages by crawling and storing hundreds of billions of snapshots dating back to 1996.