
Hello everyone, I'm Ahmed, aka PizzaSteve, and I will walk you through an OSINT methodology I have developed throughout the OSINT Fundamentals course by TCM Security.
Open-Source Intelligence (OSINT) is one of the most powerful skills for investigators, cybersecurity professionals, and researchers. Whether you're profiling a target, tracking digital footprints, or conducting lawful investigations, having a structured methodology is essential.
This post walks through an OSINT workflow step by step, combining practical notes with tools you can apply immediately.
1. Sock Puppets and OPSEC
Every OSINT investigation starts with preparation. Sock puppets are online identities that protect the investigator and allow access to information without exposing your real self.
Two approaches exist: creating a full fake persona with a name, photo and history, or creating an avatar account that is clearly not real but still trusted in the community. Both require content, consistency, and patience.
- Persona Building - Create a believable identity. Use Fake Name Generator for consistent details (name, birthday, address).
- Profile Picture - Use This Person Does Not Exist or AI-generated images. Inspect closely and adjust flaws with GIMP/Photoshop.
- Devices & Numbers - Use burner phones with trial SIMs (Mint Mobile or equivalents) and Privacy.com burner cards for anonymity.
- Email & Accounts - Set up ProtonMail and Google accounts first. Enable 2FA on each, then move the 2FA number from the trial SIM to a more permanent option (MySudo, Google Voice) so the persona survives the burner being wiped.
- VPN/Location - Match your persona's geography with VPN exit nodes. Always separate work from your personal identity.
- Cleanup - Wipe phones and destroy SIMs after setup. Remember: tools may be blocked, but methodology stays.
Mistakes to avoid include using stock photos, rushing the account before it looks real, or reusing your own writing style.
2. Google Dorking
Google is your first weapon if you know how to ask. Dorking means crafting advanced queries to pull hidden gems.
- site: -> Search within a specific domain
- intitle: -> Find pages with keywords in titles
- filetype: -> Pull PDFs, docs, xlsx, etc.
- inurl: -> Spot parameters, IDs, or hidden paths
- Combinations -> Chain them for precision, e.g.,
filetype:pdf site:example.com confidential
- Creative Twists -> Use OR, quotes, and exclusions to refine. Example:
"apple and grapes" site:x.com pulls exact phrase tweets.
- Key Reminder -> Search engines differ; try Bing, Yandex, DuckDuckGo for alternative results.
3. Image OSINT
Images are data-rich if you know where to look.
- Reverse Image Search - Google Images, Yandex, and TinEye help track origins, duplicates, and context.
- EXIF Metadata - Tools like Jimpl extract GPS, camera type, or timestamp if metadata isn't stripped. Most social platforms strip EXIF on upload, so you usually need the original file (email attachment, cloud share, forum upload) rather than a re-hosted copy.
- Validation - Always verify, as images can be recycled or manipulated. Cross-reference EXIF with online clues.
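To make the EXIF point concrete, here is an added example (not code from the post or from Jimpl) that walks a JPEG's APP1/Exif segment by hand, finds the GPS sub-IFD, and converts the degree/minute/second rationals to decimal coordinates. The input JPEG is constructed inside the block (a builder function assembles a minimal Exif-only file), so nothing here is a real photo; the tag numbers and TIFF layout are the standard Exif ones.

```python
"""Minimal Exif GPS extractor: walks the JPEG APP1 segment, the TIFF IFD0 and
the GPS sub-IFD, and converts degree/minute/second rationals to decimal."""
from __future__ import annotations
import struct

GPS_IFD_POINTER = 0x8825          # IFD0 tag pointing at the GPS sub-IFD
LAT_REF, LAT, LON_REF, LON = 1, 2, 3, 4  # GPS sub-IFD tag numbers


def _exif_tiff(jpeg: bytes) -> bytes | None:
    """Return the TIFF payload of the APP1/Exif segment, or None if absent."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker stream")
        marker = jpeg[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:  # standalone markers
            pos += 2
            continue
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        if marker == 0xDA:  # start of scan: no further metadata segments
            break
        pos += 2 + length
    return None


def _read_ifd(tiff: bytes, e: str, off: int) -> dict:
    """Map tag -> (type, count, raw 4-byte value-or-offset field) for one IFD."""
    n = struct.unpack(e + "H", tiff[off:off + 2])[0]
    out = {}
    for i in range(n):
        ent = off + 2 + 12 * i
        tag, typ, count = struct.unpack(e + "HHI", tiff[ent:ent + 8])
        out[tag] = (typ, count, tiff[ent + 8:ent + 12])
    return out


def _rationals(tiff: bytes, e: str, count: int, field: bytes) -> list[float]:
    """RATIONAL values never fit in the 4-byte field, so the field holds an offset."""
    off = struct.unpack(e + "I", field)[0]
    vals = []
    for i in range(count):
        num, den = struct.unpack(e + "II", tiff[off + 8 * i:off + 8 * i + 8])
        vals.append(num / den if den else 0.0)
    return vals


def dms_to_decimal(dms: list[float], ref: str) -> float:
    deg, minutes, seconds = dms
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref in ("S", "W") else value


def extract_gps(jpeg: bytes) -> tuple[float, float] | None:
    """Return (lat, lon) in decimal degrees, or None when Exif or GPS data is absent."""
    tiff = _exif_tiff(jpeg)
    if tiff is None:
        return None
    e = "<" if tiff[:2] == b"II" else ">"  # byte order comes from the TIFF header
    magic, ifd0_off = struct.unpack(e + "HI", tiff[2:8])
    if magic != 42:
        raise ValueError("bad TIFF header")
    ifd0 = _read_ifd(tiff, e, ifd0_off)
    if GPS_IFD_POINTER not in ifd0:
        return None  # Exif present but no GPS block (typical after platform re-encoding)
    gps = _read_ifd(tiff, e, struct.unpack(e + "I", ifd0[GPS_IFD_POINTER][2])[0])
    if not all(t in gps for t in (LAT_REF, LAT, LON_REF, LON)):
        return None
    lat = dms_to_decimal(_rationals(tiff, e, gps[LAT][1], gps[LAT][2]), gps[LAT_REF][2][:1].decode())
    lon = dms_to_decimal(_rationals(tiff, e, gps[LON][1], gps[LON][2]), gps[LON_REF][2][:1].decode())
    return lat, lon


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref) -> bytes:
    """Constructed test input: a JPEG consisting only of an Exif APP1 segment with a GPS IFD."""
    E = "<"

    def ent(tag, typ, cnt, field):
        return struct.pack(E + "HHI", tag, typ, cnt) + field

    def rat(vals):
        return b"".join(struct.pack(E + "II", int(round(v * 1000)), 1000) for v in vals)

    ifd0_off, gps_off = 8, 26  # header(8) | IFD0(18) | GPS IFD(54) | 2 x 24 bytes of rationals
    lat_off, lon_off = gps_off + 54, gps_off + 78
    tiff = b"II" + struct.pack(E + "HI", 42, ifd0_off)
    tiff += struct.pack(E + "H", 1) + ent(GPS_IFD_POINTER, 4, 1, struct.pack(E + "I", gps_off)) + struct.pack(E + "I", 0)
    tiff += struct.pack(E + "H", 4)
    tiff += ent(LAT_REF, 2, 2, lat_ref.encode() + b"\x00\x00\x00")
    tiff += ent(LAT, 5, 3, struct.pack(E + "I", lat_off))
    tiff += ent(LON_REF, 2, 2, lon_ref.encode() + b"\x00\x00\x00")
    tiff += ent(LON, 5, 3, struct.pack(E + "I", lon_off))
    tiff += struct.pack(E + "I", 0) + rat(lat_dms) + rat(lon_dms)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


if __name__ == "__main__":
    sample = build_sample_jpeg([51, 30, 15.5], "N", [0, 7, 39], "W")
    print(extract_gps(sample))               # (51.504305..., -0.1275)
    print(extract_gps(b"\xff\xd8\xff\xd9"))  # None: nothing to recover
```

Run it against a real file with `extract_gps(open("photo.jpg", "rb").read())`; a `None` result is the normal case for anything pulled from a social platform, which is exactly why the post tells you to chase the original upload.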
4. Geolocation Techniques
OSINT often involves figuring out where an image or person is.
- GeoGuessr - Great for practicing landmark, vegetation, language, and road-sign recognition.
- Tips: Look for street signs, unique buildings, natural features, and even sun shadows for hemisphere hints.
- Cross-Check: Use Google Maps, Mapillary, or Wikimapia to validate.
5. Discovering Email Addresses
Emails are entry points into people's digital lives.
- Tools: Hunter.io, Phonebook.cz, VoilaNorbert, Clearbit Connect.
- Validation: Use Email Hippo or Email Checker to confirm deliverability.
- Tip: Sometimes Googling an email with quotes ("email@example.com") reveals leaks, profiles, or hidden mentions.
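Before handing addresses to Hunter.io or a deliverability checker, you usually need candidates to check. This added example (mine, not from the post or any of the tools above) generates the common corporate address patterns for a name and domain, normalising accents and case, and does the reverse: given one confirmed address it identifies the pattern so the same template can be applied to other employees. The pattern list is an assumption based on common conventions, not a fixed standard.

```python
"""Candidate address generator for the email-discovery step."""
from __future__ import annotations
import unicodedata

# Common corporate local-part templates (assumed ordering, most frequent first).
PATTERNS = [
    "{first}.{last}", "{first}{last}", "{f}{last}", "{first}_{last}",
    "{first}", "{last}", "{last}.{first}", "{first}.{l}", "{f}.{last}", "{last}{f}",
]


def _ascii_token(s: str) -> str:
    """Lowercase, strip accents and drop anything that is not a letter (Pérez -> perez)."""
    s = unicodedata.normalize("NFKD", s).encode("ascii", "ignore").decode()
    return "".join(ch for ch in s.lower() if ch.isalpha())


def email_candidates(full_name: str, domain: str, patterns=PATTERNS) -> list[str]:
    """Return deduplicated candidate addresses, in pattern order, for one person."""
    parts = [p for p in (_ascii_token(x) for x in full_name.split()) if p]
    if len(parts) < 2:
        raise ValueError("need at least a first and a last name")
    first, last = parts[0], parts[-1]  # middle names are ignored by every pattern above
    fields = {"first": first, "last": last, "f": first[0], "l": last[0]}
    seen, out = set(), []
    for pat in patterns:
        addr = f"{pat.format(**fields)}@{domain.lower()}"
        if addr not in seen:
            seen.add(addr)
            out.append(addr)
    return out


def guess_pattern(known_address: str, full_name: str, patterns=PATTERNS) -> str | None:
    """From one confirmed address (e.g. a Hunter.io hit), recover the pattern the
    organisation uses, or None if it matches none of the templates."""
    local, _, domain = known_address.lower().partition("@")
    for pat in patterns:
        if email_candidates(full_name, domain, [pat])[0].split("@")[0] == local:
            return pat
    return None


if __name__ == "__main__":
    for addr in email_candidates("José Luis Pérez", "Example.COM"):
        print(addr)
    print(guess_pattern("jperez@example.com", "José Luis Pérez"))  # {f}{last}
```

Feed the candidate list to a validation service in bulk rather than one by one, and treat a single confirmed hit as the template for the whole organisation: that is usually faster than validating every permutation for every employee.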
6. Hunting Breached Passwords
Breaches expose massive data pools. Checking them can reveal linked accounts and risks.
- Step 1: Check Databases - Dehashed, WeLeakInfo, LeakCheck, Snusbase, Scylla.sh, HaveIBeenPwned. Availability changes over time (WeLeakInfo's domain was seized by law enforcement in 2020), so keep more than one source on hand.
- Step 2: Correlate - A leaked email + password might unlock usernames, phone numbers, or more accounts.
- Step 3: Ethical Use - Never log in. Stick to analysis. Breaches show risk posture, not a free pass to intrusion.
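One check that stays inside the "analysis, never intrusion" boundary is HaveIBeenPwned's Pwned Passwords range API, which uses k-anonymity: only the first five hex characters of the SHA-1 hash are sent, and the comparison against returned suffixes happens locally. The following added example (mine, not code from the post or from HIBP) implements that client side. The network fetcher is a plain `urllib` call to the real endpoint; the offline sample response is constructed, with an invented count, for the prefix of SHA-1("password").

```python
"""Pwned Passwords range check (k-anonymity): hash the password with SHA-1, send only
the first five hex characters to the range API, and compare the remaining 35 locally,
so neither the password nor its full hash leaves your machine."""
from __future__ import annotations
import hashlib
from typing import Callable

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password: str) -> tuple[str, str]:
    """Return (5-char prefix sent to the API, 35-char suffix kept local), uppercase hex."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Response lines look like 'SUFFIX:COUNT'; padded responses also contain COUNT 0 lines."""
    out = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        out[suffix.upper()] = int(count)
    return out


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Number of times the password appears in the corpus; 0 means not found in this range."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def http_fetch_range(prefix: str) -> str:
    """Live fetcher (needs network): GET RANGE_URL + prefix, asking for padded responses."""
    import urllib.request
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "osint-notes-range-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline response in the API's format for prefix 5BAA6 (SHA-1("password")).
# The count is invented for the demo; the padding line with count 0 mirrors what Add-Padding returns.
SAMPLE_RANGE = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0018A45C4D1DEF81644B54AB7F969B88D65:0\n",
}


def sample_fetch_range(prefix: str) -> str:
    return SAMPLE_RANGE.get(prefix, "")


if __name__ == "__main__":
    print(breach_count("password", sample_fetch_range))   # 3861493 (constructed)
    # For a live check: breach_count("password", http_fetch_range)
```

Because the API only ever sees a 5-character prefix shared by hundreds of hashes, you can run this against a target organisation's exposed credentials during an engagement report without transmitting the credentials themselves, which is the same principle the post's "never log in" rule is protecting.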
7. Hunting Usernames & Accounts
People reuse usernames. Following them across platforms builds digital footprints.
- Tools: NameChk, WhatsMyName, NameCheckup.
- Enumeration: On platforms like Snapchat or Instagram, the forgotten-password flow often reveals a partially masked email or phone number for a username. Use it cautiously and stop before any reset code is sent, since a code can alert the target.
- Cross-Pivot: Once you confirm a username, connect to emails, phone numbers, or reused aliases.
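Tools like WhatsMyName work from a table of per-site URL templates plus a detection rule (expected status code and/or a marker string). The added example below (mine, not the post's and not WhatsMyName's code or data) shows that logic with a pluggable fetch function so it runs offline; the two site entries and the canned HTTP responses are constructed and hypothetical, using the reserved `.test` TLD. Note the two failure modes a practitioner must handle: a soft 404 (HTTP 200 with a "not found" page) that a naive status-code check would misread as a hit, and throttling (429) that must be recorded as inconclusive rather than absent.

```python
"""How username-enumeration tools decide an account exists."""
from __future__ import annotations
from typing import Callable

# Constructed site table in the spirit of a WhatsMyName entry (hypothetical sites and rules).
SITES = [
    {"name": "examplehub", "uri_check": "https://examplehub.test/{account}",
     "e_code": 200, "e_string": "<title>{account}", "m_string": "Not Found"},
    {"name": "exampleforum", "uri_check": "https://forum.test/u/{account}",
     "e_code": 200, "e_string": None, "m_string": None},
]

Fetch = Callable[[str], tuple[int, str]]  # url -> (status code, response body)


def probe(site: dict, account: str, fetch: Fetch) -> bool | None:
    """True = exists, False = missing, None = inconclusive (throttled, error, blocked)."""
    url = site["uri_check"].format(account=account)
    try:
        status, body = fetch(url)
    except Exception:
        return None
    if status in (403, 429, 503):
        return None  # blocked or rate limited: never record this as 'no account'
    if site.get("m_string") and site["m_string"] in body:
        return False  # soft 404: the page says 'not found' despite the status code
    if status != site["e_code"]:
        return False
    if site.get("e_string"):
        return site["e_string"].format(account=account) in body
    return True


def enumerate_username(account: str, fetch: Fetch, sites=SITES) -> dict[str, bool | None]:
    return {s["name"]: probe(s, account, fetch) for s in sites}


# Constructed canned responses standing in for the network.
CANNED = {
    "https://examplehub.test/pizzasteve": (200, "<html><title>pizzasteve on ExampleHub</title>"),
    "https://examplehub.test/nobody123": (200, "<html><title>Not Found</title>"),  # soft 404
    "https://forum.test/u/pizzasteve": (200, "<html>profile page"),
    "https://forum.test/u/nobody123": (404, "missing"),
}


def canned_fetch(url: str) -> tuple[int, str]:
    """Anything not in the canned table is treated as a rate-limit response."""
    return CANNED.get(url, (429, "rate limited"))


if __name__ == "__main__":
    for handle in ("pizzasteve", "nobody123"):
        print(handle, enumerate_username(handle, canned_fetch))
```

When you wire in a real fetcher, keep the inconclusive state: a run that returns "missing" for fifty sites because you were throttled is worse than no run, since it closes pivots you should still be chasing.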
8. People OSINT
Most tools are US-focused, but the methodology applies globally.
- People Search Engines: WhitePages, TruePeopleSearch, PeekYou, Spokeo, That'sThem.
- Voter Records: VoterRecords.com can expose registration data (location, political leanings).
- Phone Numbers: TrueCaller, CallerIDTest, Infobel. Don't forget forgotten-password checks, or creative searches for the number written out in text or posted next to phone emojis.
- Birthdates: Use dorking, e.g. "Happy Birthday John" site:facebook.com.
- Resumes: Filetype searches like filetype:pdf "resume" "John Doe" expose education, employment history, and skills.
9. Social Media OSINT
Social platforms are goldmines if searched correctly.
X
- Advanced Search - Filter by date, language, accounts, hashtags.
- Geolocation - Use the near: operator (with within: for a radius) to find posts by location.
Search Operator Examples (these are X's own operators, typed into X search; Google ignores from: and filter:, so don't mix them with site:):
from:Apple grapes -> Posts by @Apple mentioning grapes
filter:images keyword -> Posts with images matching keyword
Facebook
- Tools: Sowdust GitHub queries, IntelligenceX search.
- Pivot: Extract IDs from profiles, then plug into queries to see hidden content.
Instagram
- ImgInn - View public posts without login.
- Profile ID - Inspect page source for the "profilePage_" string. Useful for enumeration and automation.
10. Website & Domain OSINT
Websites leave huge footprints.
- Tech Stack - BuiltWith shows CMS, frameworks, plugins.
- Domain Intelligence - Use DNSlytics, Domain Dossier, ViewDNS, DNSdumpster.
- Certificates - crt.sh searches certificate transparency logs for TLS certificates; the SAN entries often reveal subdomains that never appear in DNS brute-force lists.
- History - Wayback Machine uncovers old content.
- Security - Shodan indexes exposed services, ports, and IoT devices from its own internet-wide scans, so you get the picture without touching the target.
- Malware - VirusTotal and urlscan.io analyze suspicious URLs.
- Monitoring - VisualPing alerts when sites change.
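crt.sh also has a JSON output (`https://crt.sh/?q=%25.example.com&output=json`) that is much easier to pivot from than the HTML table. This added example (mine, not the post's and not crt.sh's code) turns that output into a deduplicated subdomain list: it splits the newline-separated `name_value` field, normalises case and wildcards, and filters by domain suffix so look-alike names on other domains are excluded. The records are constructed in the real field format with invented values.

```python
"""Turn crt.sh JSON output into a clean subdomain list and an issuer summary."""
from __future__ import annotations
import json
from collections import Counter

# Constructed sample in crt.sh's JSON format (real field names, invented values).
SAMPLE_CRTSH = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-01T00:00:00", "not_after": "2024-03-31T23:59:59"},
    {"id": 2, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "*.example.com", "name_value": "*.example.com\nvpn.example.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2024-06-30T23:59:59"},
    {"id": 3, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "dev.example.com",
     "name_value": "DEV.example.com\nstaging.example.com\napi.example.com.",
     "not_before": "2024-02-10T00:00:00", "not_after": "2024-05-10T23:59:59"},
    {"id": 4, "issuer_name": "C=US, O=Let's Encrypt, CN=R3", "common_name": "example.com.evil.test",
     "name_value": "example.com.evil.test",  # look-alike on another domain: must be excluded
     "not_before": "2024-02-10T00:00:00", "not_after": "2024-05-10T23:59:59"},
])


def _normalise(raw: str) -> str:
    """Lowercase, strip trailing dot and a leading wildcard label."""
    name = raw.strip().lower().rstrip(".")
    return name[2:] if name.startswith("*.") else name


def _in_scope(name: str, domain: str) -> bool:
    return name == domain or name.endswith("." + domain)


def subdomains_from_crtsh(body: str, domain: str) -> list[str]:
    """Unique in-scope hostnames, shortest first, then alphabetical."""
    domain = domain.lower().strip(".")
    names = set()
    for rec in json.loads(body):
        for raw in rec.get("name_value", "").split("\n"):
            name = _normalise(raw)
            if name and _in_scope(name, domain):
                names.add(name)
    return sorted(names, key=lambda n: (n.count("."), n))


def issuer_summary(body: str, domain: str) -> dict[str, int]:
    """How many in-scope certificates each CA issued: a shift in CA is itself a signal."""
    domain = domain.lower().strip(".")
    counts: Counter = Counter()
    for rec in json.loads(body):
        names = [_normalise(n) for n in rec.get("name_value", "").split("\n")]
        if any(_in_scope(n, domain) for n in names if n):
            counts[rec.get("issuer_name", "unknown")] += 1
    return dict(counts)


if __name__ == "__main__":
    for host in subdomains_from_crtsh(SAMPLE_CRTSH, "example.com"):
        print(host)
    print(issuer_summary(SAMPLE_CRTSH, "example.com"))
```

For a live run, fetch the URL above with any HTTP client and pass the response text in; the resulting list feeds straight into DNSdumpster, Shodan, or Wayback Machine lookups for each host.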
11. Business Intelligence
Organizations leave trails too.
- Databases: OpenCorporates, AI HIT for corporate records.
- Job Postings: Reveal tech stacks, infrastructure, and even internal software.
- LinkedIn: Track employees, pivots into emails, and potential phishing vectors.
12. Wireless OSINT
Wi-Fi networks expose physical movement.
- WiGLE - Maps global Wi-Fi SSIDs and geolocates access points. Useful for tracking devices, movement patterns, or locations.
13. OSINT Frameworks
Frameworks centralize and speed up workflows.
- recon-ng - Modular, command-line framework for automating recon.
- Maltego - Visual link analysis for connecting entities like domains, people, and companies.
14. Hunchly
- Purpose: Tracks your online investigation, automatically capturing and timestamping every page you visit, so the evidence trail is complete and defensible.
- Note: It's paid, but invaluable for structured, professional-grade investigations.
Final Thoughts
This methodology combines philosophy, tools, and workflow into a structured process. Every case is unique, so adapt the tools and steps as needed. The real skill in OSINT is not the tool you use, but how you connect the dots, validate the findings, and remain ethical in your approach.