OSINT tools. Finding information about a person.

[Carding 4 Carders]

Define a goal - what exactly you want to know. Collect the data. Analyze it. Make adjustments based on new data and identify key points. Check the assumptions. Summarize. Now let's get down to the details.

Search by real name

Google dorks.​

With the help of correctly formulated queries, you can see the comments and likes of even closed accounts.

Some Google Dorks look like this:

• “John doe” site: instagram.com - finds an Instagram user by the exact name;
• “John doe” - “site: instagram.com/johndoe” site: instagram.com - hides the user's posts, but shows his comments under the posts of other accounts;
• “John” “doe” -site: instagram.com - finds a user outside of Instagram by the exact name and surname in various combinations;
• “CV” OR “Curriculum Vitae” filetype: PDF “john” “doe” - finds a resume with the same first and last names in PDF format.

If you know the first and last name of your character for sure, "wrap" them in quotation marks. Otherwise, Google will try to bring them to similar popular searches, which, however, differ from yours.

Do not limit yourself to Google: check the person also in other search engines - Bing, Yandex and DuckDuckGo. Perhaps they will show other information.

Special sites​

The following websites can provide information about real name, username, email, or phone number:

• https://pipl.com
• https://www.spokeo.com
• https://thatsthem.com
• https://www.beenverified.com
• https://www.fastpeoplesearch.com
• https://www.truepeoplesearch.com
• https://www.familytreenow.com
• https://people.yandex.ru

If you find yourself on similar sites, you can ask to be removed from there. However, the matter does not end there: you can surface in another base. Why it happens? The point is that companies buy the same data. By closing some sites, they post the same content to others. Therefore, it is difficult to completely delete your data.

As for investigative journalists: if the desired character has managed to clean up his digital traces, then you can try to search for him in new databases. To do this, it is worth looking at which domains are owned by a company that has a people search engine.

Search by username​

So, if the search by real name did not give anything or additional information is needed, we will look for it by username. Trying combinations of full name, e-mail name, or site domain that the person owns

The easiest way is to search for these combinations in search engines. You can also use special sites - socialcatfish.com, usersearch.org or peekyou.com. Or use Google Dorks again. For example, if there is a certain John Doe, presumably living in New York:

allinurl: john doe ny site: instagram.com - this query will find Instagram pages with the words “john”, “doe” and “ny”, which are in the URL of these pages.

If you have a whole list of keywords that may be in the username, you can use a small Python program that will generate all sorts of combinations of these words.

The following sites are also useful - instantusername.com and namechk.com. It is better to check the desired character on both, because the sites give different results.

There are also open source code for programs on the Github platform - for example, WhatsMyName. It has several tools, among them Spiderfoot and Recon-ng are intended for advanced search. However, some ISPs may block sites that WhatsMyName looks for, so it's best to enable a proxy or VPN first. However, it is always better to use them so that you are not revealed.

Do not forget the following thing: even if you find someone with the desired username, it is not a fact that this is the person you need.

Email​

Google dorks​

• “@ Example.com” site: example.com - Finds mailboxes on a specific domain.
• HR “email” site: example.com filetype: csv | filetype: xls | filetype: xlsx - Finds HR contacts in xls, xlsx and csv format on a specific domain.
• site: example.com intext: @ gmail.com filetype: xls - pulls the email IDs (in this case Gmail) from a specific domain.

Additional tools​

• Hunter.io - scans the domain for mailboxes and shows the schemes between them;
• Email permutator - generates combinations of mailbox names from first names, surnames, nicknames and domains;
• Proofy - Checks for the existence of an email. It is convenient to use if you have a generated list of email addresses. You can check several boxes at once.
• Verifalia - also checks the existence of a particular email. In the free version without registration, it verifies addresses one by one. If you register, you can run several at once.

Browser plugins​

• Prophet - based on the name, company and other data, predicts the name of the email and checks its existence himself. Compared to the rest, Prophet is capable of more detailed and complex searches.
• OSINT browser extension - contains many useful links, including for email search and verification. There is a version for Firefox and Chrome.
• LinkedIn Sales Navigator is a Chrome plugin that links a Twitter account to a person's corresponding LinkedIn profile and displays their email.

Merged databases​

Created by security expert Troy Hunt, Haveibeenpwned.com allows you to check if your passwords from email, Dropbox, Bookmate, Minecraft and other services have leaked online. The same site can also be used for investigative purposes: if you have your Pyotr Ivanov's email in your hands, you can see which sites he used with this mailbox.

Another option is dehashed.com. A free account offers about the same as the Hunt site, but a paid one will show passwords in plain text or in the form of a hash. If used purely from an investigative point of view, then a password search can show not only what sites a person used, but also the email that is associated with them. However, it is not a fact that what you found belongs to your Ivanov: passwords may not be unique, someone may use exactly the same password.

Phone number​

Sometimes people link a phone number to their Facebook account, so it will not be superfluous to drive the number into the search line of a social network. If Ivanov lives in America or Europe, try whocalledme.com service with subscriber bases. Mobile apps privacystar.com, getcontact.com and everycaller.com provide similar data. Try to look for others: perhaps among them there are those that are tied directly to the country of your character.

PhoneInfoga​

Perhaps the most sophisticated service for scanning phone numbers, and it only uses free resources. Works for any international numbers with great precision. The main thing is to have on hand Ivanov's country of residence, region, operator and type of connection. Next, PhoneInfoga determines the VoIP provider and other data with which you can continue to search for digital traces.

Android emulator​

Once again about security: in order not to expose your contacts and other data when using applications like PhoneInfoga, you can use an emulator - a program that creates a simulation of an additional operating system. Emulators exist in particular for Android systems.

Most apps work well with emulators, but some can crash like Viber.

Sometimes you can find out other information with the help of emulators. Some apps allow users to upload avatars, name and short bio, which can be found with a phone number. Among them:

• Bluestacks was originally created for gamers. There are versions for Windows, Mac and Linux. It runs without emulators, so it's easier to install than Genymotion.
• Genymotion - Used primarily by developers. There is also a free version for personal use. Works on Windows, Mac and Linux, you can connect other virtual devices.
• AMIDuOS - works only on Windows and practically imitates the Android environment. Installation is simple enough. The only negative is the price of $ 10.

Domains​

Google dorks​

And again, back to Google:

• Site: example.com - Search on a specific site.
• filetype: DOC - Searches for DOC files. You can also search for other formats - PDF, XLS and INI. If you need to find several types of files at the same time, use the "|" sign between them.
• Intext: word1 - search through pages of sites and sites that contain a keyword.
• allintext: word1 word2 word3 - search for keywords on a page or website. Related: example.com - Searches for web pages that the search engine considers to be similar to the one you specified.
• site: *. example.com - Shows all subdomains.

Whois​

Whois shows information to whom a web resource is registered or with whom it is associated, be it a domain, IP address, or an autonomous system. There are many Whois lookup services, including whois.icann.org and whois.com.

Reverse Whois​

Shows a list of domains registered to the same organization or email. The viewdns.info service has this capability, which also offers advanced features.

Same IP​

Sometimes a listing of sites on the same server can provide useful information. You can, for example, find subdomains or sites under development. This information can be verified by atsameip.intercode.ca and sameip.org.

Passive DNS information​

Regular DNS records show which IP address or name a site is bound to. If this information is not enough, it is worth turning to passive DNS information: services like RiskIQ Community Edition, VirusTotal or SecurityTrails allow you to see the history of domain owners or IP addresses.

Internet archives and cache​

WaybackMachine and Archive.today let you see previous versions of web pages, including view deleted ones. In addition, Archive.today offers users to manually save pages for the archive.

In addition to archive sites, Google has similar features. They can be found at cachedview.com or by searching for cache: website.com. Other search engines have similar things. However, remember that the cache shows the page as it was last indexed. That is, you may stumble upon a page with missing images or irrelevant information.

Another service, visualping.io, takes screenshots of the page at a specified time and sends a notification when changes are made.

Reputation, malware checking and referral analysis​

Before you open a site, it is better to check its reputation. This will help:

• www.siteworthtraffic.com - Analyzes web traffic (number of users, page views) and roughly estimates how much money a site gets for advertising on it.
• www.alexa.com - Analyzes web traffic, compares competitors, gives SEO advice
• www.similarweb.com is also engaged in analytics, shows information about the site's place in niche and geographic ratings, traffic sources, etc. In addition, it can do referral analysis - that is, it can show related domains based on outgoing and incoming HTML links.
• sitecheck.sucuri.net - scans sites for malware, suspicious files, site errors, blacklisting, etc.
• www.quttera.com is a free service, similar to the previous site o www.urlvoid.com - it also checks sites for viruses, and also provides information about the domain - IP address, DNS records, etc.

Search Engines on the Internet of Things​

Shows devices connected to cyberspace, along with information about open ports, applications and protocols. What search engines are able to do this:

• Shodan.io is a popular service with an open API and integration with many tools. Marketers use it to get information about their users and their location. Security professionals use it to find unsecured systems and devices connected to the internet.
• There are other options - Censys or its Chinese counterparts Fofa and ZoomEye.

The free Creepy tool determines location based on data from social media and image sites. The Echosec service can do the same, but it is paid: a monthly subscription to it will cost $ 500. There are exceptions for journalists and NGO workers.

Geolocation by IP address​

Many services, including iplocation.net, are able to bind an IP or MAC address to a real geographic location. If you know which WI-FI points your Ivanov has connected to, use wigle.net to find them on the map and then reproduce a detailed search in Google Earth.

Other usefulness​

• emporis.com is an architectural database featuring buildings from all over the world. It can be useful if you need to identify the building in the image.
• snradar.azurewebsites.net - search for VKontakte posts that are open to everyone and where there is a geolocation tag. Filters results by time.
• Photo-map.ru - can do the same as the previous site, but requires authorization.
• www.earthcam.com is a global outdoor webcam network. Useful for confirming a location.
• insecam.org - base with security cameras. The coordinates are approximate: they do not indicate the physical address of the camera, but the ISP address.

Images​

To find out where the image was used or where it first appeared, use the image search. It is found in the main search engines - Google Images, Bing Images, Yandex Pictures and Baidu Images. It is also worth using the TinEye service, whose algorithms differ from Google.

There is also an image search on social networks: Findclone and Findmevk.com for VKontakte, karmadecay for Reddit.

In addition, there are specialized plugins - RevEye for Chrome, Image Search Options for Firefox. Mobile apps like CamFind can identify things from the real world. And the Image Identification Project uses artificial intelligence for this.

If the image contains EXIF data (information about the camera, geo coordinates, etc.), then it is worth analyzing it. You can see (and change) them using any image editor or the small Exiftool program. There are also similar online services - exifdata.com and viewexifdata.com.

You can remove EXIF data using exifpurge.com or verexif.com.

Another resource, stolencamerafinder.com, identifies the camera by its serial number and searches the Internet for any other photos it took.

You can check the image for Photoshop and other manipulations using Forensically or FotoForensics. If you do not want to upload a picture to the Internet, use Phoenix or Ghiro programs. Ghiro's functions are more automated and more powerful than previous services.

If you need to sharpen the image, the following tools come in handy:

• Smartdeblur - removes blur, restores focus, and can also improve overall picture clarity.
• Blurity - removes blur. Runs on Mac only.
• Letsenhance.io - Enhances and scales the image online using artificial intelligence.

SOCMINT​

SOCMINT is a subsection of OSINT that focuses on collecting and monitoring social media data.

Facebook​

• Stalkscan - shows all publicly available information about a person.
• ExractFace - downloads data from Facebook for offline use and further analysis.
• Facebook Sleep Stats - shows an example of a person's wakefulness mode, taking online and offline statuses as a basis.
• Lookup-id.com - Finds profile or group ID.

Twitter​

• Advanced search on Twitter - speaks for itself.
• TweetDeck - a panel where the feed can be customized by combining tweets into thematic groups or columns.
• Trendsmap - Shows popular trends, hashtags and keywords around the world.
• Foller - Shows information about any open account, including tweets and followers count, lists, hashtags, and mentions.
• Socialbearing is a free analytics platform. Searches for tweets, timelines and twitter cards. Able to sort tweets and people by engagement, influence, location, mood, etc.
• Sleepingtime - shows the approximate wakefulness of public accounts.
• Tinfoleak - Shows the devices, operating systems and social networks used by the user. It also shows locations by correlating a user's tweets with locations in Google Earth.

Instagram​

• www.picodash.com - uploads statistics on subscribers of a specific user or selected hashtag in CSV format. Also uploads likes and comments.
• https://web.stagram.com - suitable for viewing and uploading videos and images.
• https://codeofaninja.com/tools/find-instagram-user-id - Finds the user ID. The user can change the account name, with the help of the ID you can not lose sight of it.
• http://instadp.com - Shows the avatar in full size.
• https://sometag.org - Searches for popular hashtags, locations and accounts. In addition, it compares accounts and uploads statistics on subscribers and hashtags.

LinkedIn​

• InSpy is a Python program that can find employees of a particular company. It also finds the technologies used in the company for the given keywords.
• LinkedInt - Finds e-mails of people working for the same company. Knows how to identify mailboxes also by a given domain, which belongs to the company.
• ScrapedIn is a Python program. Uploads information from a profile to an XLSX file.

OSINT automation​

If from all of the above you only need a couple of checks, then you can do without installing additional programs. And if a thorough and long search is ahead, it is better to use special software that will help save time. Before that, you will need to install an emulator - Buscador OS, running on Linux and sharpened specifically for OSINT. It is required for all of the following programs except FOCA.

SpiderFoot​

Processes more than 100 open sources[/URL] simultaneously, advanced customization is available. There is also a case filter: searching for all sorts of things about a person, searching for digital traces using search robots and search engines, black lists and other open sources to check for harmfulness and collect information. The latter is best suited for investigation.

theHarvester​

Simple but effective tool. Scans a domain and related information, collects mailboxes, DNS analyzes data. Uses search services Bing, Baidu, Yahoo, Google, as well as social networks - LinkedIn, Twitter and Google Plus.

Recon-ng​

Recon-ng performs similar functions. An excellent tool, control is carried out through the command line, there is an interactive tutorial. Among other things, it checks how the company is represented on the Internet. A similar service is Metasploit.

Maltego​

An advanced platform for analyzing complex relationships. In addition to collecting information, it calculates correlation and visualizes data. It allows you to display the relationships between structures - people, companies, sites, documents, etc. There is also a separate library of plugins "transforms", which makes it possible to carry out various tests and integrations with third-party applications.

FOCA​

FOCA (Fingerprinting Organizations with Collected Archives) downloads hidden information and metadata from uploaded documents, and also checks who created them, on which server and whether the printer was involved. The latest version of the program is only available on Windows.

Metagoofil​

Allows you to download ocuments from sites with subsequent analysis. Shows metadata as well. Works with pdf, doc, xls, ppt, etc. formats. Controlled via the command line.

 

[Carding 4 Carders]

OSINT. We find all the information by phone number.
No-BlackM is an open source utility published on the GitHub platform. This tool lets you find out more information about your phone number.

The more information you already have about a person, the better and easier it will be to identify them.

Installation and launch
Install the tool on Termux using the following commands:

pkg update && upgrade

pkg install git python

pip install requests bs4

git clone https://github.com/DataSC3/No-BlackM

Next, run:

cd No-BlackM

python No-BlackMail.py

To install on Linux, use the following commands:

sudo apt-get install git

sudo apt-get install python3

pip3 install requests bs4

git clone https://github.com/DataSC3/No-BlackM

Next, run:

cd No-BlackM

python3 No-BlackMail.py

To install the tool on Windows, follow the instructions:

1. Install Python (clickable);
2. After installation, open cmd and enter:
   pip install requests bs4
3. Download the tool repository from the link (clickable) and unpack it to a convenient location;
4. Go to the folder with the tool and launch the console using the keyboard shortcut shift + RMB (right mouse button).

Next, run the tool using the command:

python No-BlackMail.py

Enter your phone number in one of the following formats:

+1... | 1...

After entering the phone number, the utility will give you all the information found for this number.