OSINT: How to find information on anyone?

Ever wondered how you can find someone online?

Have you been trying to find someone online, specifically perhaps by using an email address, or username? Open Source Research (OSINT) techniques are what you should really be looking for. Right?

How to track someone online?

Concerning the term OSINT, you may have come across the term within the darker areas of the web, along with other words that may have a negative connotation (thanks to media). Therefore, you may be put off reading further. However, don’t be put off dear reader, this article may enlighten you.

Consequently, the same word can mean different things to different people. With regard to the term OSINT, it can mean many different things to different people. Doxxing, fullz, digital footprint, and digital trail, all have a similar meaning (accepted the end result is often quite different).

Find anyone online
Find anyone online

You have likely already performed OSINT without realizing it. Essentially, means a lot of things. OSINT is a valuable skill set for Investigators, the security department, intelligence units, risk managers, and cyber security experts. To sum up my brief introduction, in this article, you’ll learn everything (well, a lot anyway), about OSINT and how to go about using it in your daily life. Most importantly, it may lay the tracks for a new and marketable skill set.

What exactly is OSINT?

OSINT is short for Open-source intelligence. Most importantly, it refers to a qualitative and quantitative approach to collecting, evaluating, interpreting, and making decisions about data from open source areas, and is used for intelligence purposes.

Where did OSINT all start?
Where did OSINT all start?

What is this data I’m looking at? Open-source intelligence is often used to gather massive amounts of data. Indeed, is that wrong? hackers are known to do this, along with other members of society for investigative purposes. Considering the negative history of data leaks online, namely how the media talks about hackers, this may cause you to think OSINT is wrong. Above all, you may be thinking you’re out of your league.

Do you need to be a super tech? no. Inasmuch as you don’t need hacking or cracking skills, just an investigative mind and the ability to access a website. Regarding those seasoned among us, you may have gasped at the point. Specifically, what we mean is, to begin with…you can pick up basic levels of OSINT with very little technical know-how.

These public areas of information are accessible and can be found if you know where to look. Above all, you also need to know what to ask..and what tool to use.

The sources could be news posts, magazines, specialist journalists, social or mass media, research, Google, geospatial information, other mapping tools, press conferences, public government reports, telephone directories, hearings, dissertations, patents, technical reports, financial assessments, and every other platform where people drop information.

How old is OSINT?

In the United States, the history of OSINT can be dated back to 1941. Specifically, the Federal Communication Commission created the Foreign Broadcast Monitoring Service (FBMS). Most importantly, it was changed to the Foreign Broadcast Intelligence service (FBIS). As a result, it was used to monitor foreign broadcasts. The agency used public information from news and media sources outside the United States to monitor and analyze information

What is OSINT?

After the September 11 attacks, in November 2005, the US National intelligence committee absorbed the FBIS under the auspices of the CIA. As a result, it merged with other research bodies to become the new open-source center, Open Source Enterprise. Consequently, the center was tasked with collecting information from databases, press, radio, geospatial data, video, commercial imagery, and the internet.

The site grew, largely thanks to its success. Consequently, it became the central location to train analysts in interpreting data.

Common Applications of OSINT


There are sites all around the country that are used to gather intelligence. Namely, the Police Bureau of Investigation, National Security Intelligence, and Special Branch. That is, these bodies are used to gather information and investigate crimes / terrorist organizations, or people that pose a threat to others. Regarding the targets, they are typically people who can be very discreet, they know how to be anonymous.

OSINT was made an official profession by the CIA?
OSINT was made an official profession OSINT was made an official profession by the CIA?

Hire Workers

Organizations need people, and they need them to be skilled. Therefore, public and private organizations can and usually do, use OSINT to perform background checks on staff prior to giving them a job. Above all, this is of particular importance to them, if their positions are very sensitive. The background check validates the information provided by the workers to confirm how genuine it is. Consequently, it can include checking the past job performance of the workers, police records, and academic performance.

Cyber security

As the years advance, it’s a common theme that Cybersecurity is becoming an increased cause for concern for most organizations. As a result, it’s particularly alarming when you see reports of large websites being hacked by cybercriminals and their data stolen. OSINT is used by these organizations to gather public security exposures of their websites prior to them being exposed publicly or taken advantage of by criminals. Namely, this kind of task typically falls to the local IT department and it starts usually, with suspicious visits to their website.

Cyber Security and OSINT

These techniques are used by security experts to check the security network of a firm. It is used to check the network for weaknesses, bugs, and other loopholes that can be dangerous.

Indeed we refer to organizations, but it’s just as important these days to perform this kind of check on your own online presence. In addition, you can benefit from damage remediation, network footprinting, and penetration testing.


Companies that focus on content, use OSINT techniques to check the genuineness of their content. Furthermore, organizations will use open intelligence to assess students’ assignments, research works, and projects for plagiarism. So, the use of copyright images and contents can be tracked, and articles and written literature can be checked for plagiarism.

Manage risk and investigate fraud

Experts concerned with managing risks and investigating frauds can use OSINT to track fraudulent activities, fake products, diverted commodities, and other internet activity. Therefore, it will minimize risk exposure and potential losses, resulting in identifying risk recovery processes.

Other common application of OSINT includes tracking cryptocurrency, due diligence, phishing, and deep and dark Web. Above all, the quality of the information gathered can heavily depend on the tools you use, the source used, and the way you entered your search.

Common OSINT techniques

Always ask questions

As a beginner, the first technique to be familiar with is asking questions and asking rightly. For instance, OSINT can be viewed as operating a little like search engines. Inasmuch as If you don’t ask the right question, you won’t get the correct answer! (and knowing if the answer is incorrect is a challenge in itself).

Always ask questions and keep learning!
Always ask questions and keep learning!

First, before you even type in a google search, you need out some goals, such as what is the most ideal outcome, and the worst outcome. With this in mind, you should list out the questions that can help you achieve those goals, and formulate a strategy on how to achieve them.

Data Collection Approach

Collecting data: to begin, there are typically two core ways to do this, active or passive.

Concerning the active approach, you will be directly in contact with the target and gather data on the go. In contrast, that can be pretty risky, why? The investigator will be potentially tracked by the target. As a result, if the target gets alerted, they will and can track and trace the investigation source.

Regarding the Passive approach, it does not link you directly with your target, making it the safest option for Investigators. Specifically, investigators can get historical data from third-party sources. Indeed the data might not be 100% accurate, which can be a challenge.

OSINT tools and resources

Performing online (or offline) data collection can be time-consuming. For instance, trying to identify whether an email address has been used on 10 different dating websites, could take all day. In contrast, to do this within a reasonable time, it would be best to become familiar with OSINT tools and resources. Have a good idea of what the best tools are available, and bookmark some good how-to articles. Afterward, they will make combing through open data sources easier. Next, with the available OSINT tools, you can simplify your method of collecting data, analyzing data, attributing intelligence reports, and accessing databases.

Understand the OSINT Framework

Artifact types, whether you’re looking for a username, email address, or phone number, require different sets of skills and tools. Additionally, these tools can largely be seen in the popular OSINT Framework. Indeed, OSINT Framework is one of the most comprehensive collections of free and paid tools to use for gathering information. Furthermore, the site filters resources into appropriate categories based on what you’re looking for.

The categories include social networks, public records, videos, photos, digital currency, archives, the dark web, and more.

OSINT in the open – examples of open-source intelligence

Sourcing data through Open Source Intelligence is as easy as checking your dictionary for definitions. They include;

  • Asking questions about anything on any search engine.
  • Research communities on how to fix your mobile phones.
  • Watch a YouTube video on how to prepare any local or international meal.
  • Check your friends, friends, on social media.
  • Google a username.
  • Google an email address.
  • Use reverse search tools.
  • Exif data within pictures.

How do experts perform OSINT?

OSINT is a very dynamic method of collecting and analyzing public data. Furthermore, there are different ways of sourcing its data. With this in mind, experts and intelligence bodies operate discreetly to be able to collect information without being identified.

They collect information anonymously by using VPNs to hide their identity. At the same time, the OSINT analyst first examines the sources of information to ensure that there are no elements that can affect the accurate interpretation of data in the future.

Always have the right tools for OSINT!
Always have the right tools for OSINT!

Social media and OSINT

Over 3.6 billion people in the world are active on social media, making it easy to access plenty of information on the different platforms. Consequently, the amount of information on social media platforms, makes it an open intelligence source.

Social networks store information on names, marriage status, email, username, birthday, education record, career, etc. Furthermore, they will hold years of online activity, allowing them to practically plot your life.

Investigators use OSINT to trace criminals’ attack sources on social media. In other words, they search and use the information on the different social media platforms to get important information about missing persons, criminals, or victims of hurt cases.

Is OSINT legal or ethical?

We all know this stuff is used by hackers, spies, and criminals, and the media likes to remind us, daily. Considering this, are we breaking any laws by gathering information used to threaten or carry out harmful attacks on individuals and organizations, using OSINT? OSINT, used by the right people, does good.

Is this stuff legal then?
Is this stuff legal then?

So, it saves lives, finds missing persons, catches bad guys, and stops scammers with these techniques. We use it to get information that protects people, grow businesses, and zero in on criminals and terrorist organizations

The short answer is, yes.

Why should you use OSINT?

Indeed, OSINT can be beneficial to security teams and other analysts. Most importantly, whatever the good guys can do, the bad guys can do. Regulation of OSINT is important, to avoid breaching people’s privacy and mishandling the information available. With this in mind, imagine the unprotected ability to find someone online, searching for usernames and email addresses of people without oversight.

OSINT tools: An expanding list


Shodan is a search engine used by hackers to gather information on the web. Specifically, it presents information or search results in a pattern that suits security experts. Gathering security-related information, network and digital assets are a great tool for evaluating information and Shodan provides information on all devices linked to the network.

Shodan - the go-to tool for hackers to gather information on what security-related information is available on a domain.
Shodan – the go-to tool for hackers to gather information on what security-related information is available on a domain.


This tool is very popular in the OSINT security community. In addition, it’s good for finding/visualizing data, including usernames and email addresses, and social media profiles. Specifically, if you want to find someone online, this tool has a very good chance of doing it. The uniqueness of this tool is that it converts search results to graphical representations that make analyzing results easier. For instance, it can help you develop a digital identity that tracks your target. Private use is free, business use does have a charge.

Maltego showing username and email maps
Maltego showing username and email maps


Tineye is a tool used for searching images on the web. For instance, it uses machine language, neural networks, and pattern recognition to get results on millions of images online. With the tool, you can discover if an image has been uploaded anywhere online, and the exact location where it was uploaded. The tool features watermark identification, image matching, Tineye alert system, a mobile engine, color search API, and signature identification.

Tineye reverse image lookup
Tineye reverse image lookup


This is another great tool for reporting on domain and email information. It was built in Kali for crawling and analyzing websites.

Google Dorks

This tool is great for finding information in Google that perhaps, would not be indexed and searchable, had the owner of the information had a choice. Also, it lets you enter Google queries that pull this information out, view, and analyze.


The tool Metagoofil is a useful OSINT application that was developed by Christian Martorella. Its accessed via a command-line interface, so you need to be familiar with cmd.

It can be used to pull out metadata on documents, such as creator, old versions, old dates of modification, etc.

The command line is will let you narrow down the search to the type of document you need on local download, reporting results, or collecting metadata from a particular domain.

Search code

The tool scans computer code for particular functions, operations, variables, or bugs in a code segment. It saves you from needing to review the codebase. So, you can search based on programming languages, or by inputting your target code.


Recon-ng is another excellent tool a user can use to search for information on targets. Also, its pre-bundled in Kali and uses the modules to get results. In addition, it comes with many different modules, and the modular approach allows you to get information based on your specific need. For better results, use the modules alongside the domains on the workspace.

Recon-ng is a great tool for searching targets online. However, you need to be comfortable in using the command line.
Recon-ng is a great tool for searching targets online. However, you need to be comfortable in using the command line.

Recorded Future

AI has been topping the game in all we do and is not left out in OSINT. Consequently, Recorded Future is an Artificial Intelligence-based tool that helps to predict trends and analyze big data; it uses structured data, AI algorithms, and unstructured data to help predict future trends. With this tool, users can get both past and present data trends for OSINT data.


UserSearch is a website that allows you to search for social media handles available anywhere online using usernames and emails. Thanks to using this tool, investigators have greatly increased the speed of online investigations. It saves countless hours browsing through individual social media sites and checking their profiles.

Furthermore, using a reverse lookup tool like this means your search is more targeted, and results are optimized. It will give the URL of the profile associated with the username. What does that mean? it saves you searching hundreds of social media networks to lookup usernames, manually.

Reverse lookups on dating sites can detect and find hidden dating profiles based on the email or username.
Reverse lookups on dating sites can detect and find hidden dating profiles based on the email or username.

You can quickly see their profile for free. This kind of search engine is known as a reverse username search or a reverse email search.

This works using web crawlers to check hundreds of sites per second, on if a user profile exists. It will check social media profiles, social networks, crypto forums, general forums, and dating websites. All the local social network areas you would expect people to gather online essentially do this.

To sum up, the tool also offers a premium package where it provides more advanced features, for $6.99 per month, which you can cancel at any time.

Usersearch lets you perform large reverse uername and email searches across the web to find anyone!
Usersearch lets you perform large reverse username and email searches across the web to find anyone!

Are you an expert yet?

So, there you have it. You can do a lot of things with OSINT. If you’ve ever asked the question, how do I search for someone online, usernames and even email addresses of people, while thinking to yourself it may be too much trouble…now you know. After all of that, you now have OSINT skill sets.

Open-source intelligence is a resource tool to harness in achieving a lot. If you are new to the security field, the information provided in this guide is one of the primary resources you need to get your career going.

Interested in learning more? Check out these related articles: