There is no silver bullet when it comes to OSINT, some things will take time. Just work the problem, take the small wins and inch forward. And, of course, use these powers for good.
Additionally, be aware of operational security (OPSEC) - managing your online footprint (aka "attribution"). When conducting OSINT recon, you will leave a footprint behind. Be aware of this. Are the tools you're using tracking you/holding on to your data? If you obtained information privately, should you really blindly trust an unknown tool?
Say you've been given an image and need to identify the location.
-
As a starting point, narrow the search area (e.g. to a country, state, city, etc.) - consider any context given.
Too broad a search space can be paralysing, so narrow it down and have a crack at something.
-
Identify points of interest
- Distinct buildings
- Foliage
- Weather events
- Architecture or style
- Landscape
- Potential references to locations, times, etc.
-
Gather info and search. Use tools to your advantage. Work the problem and narrow down possibilities. e.g.
- Reverse image search
- Look at maps and streetview to match area
People are sloppy online. Whether that's leaking info on social media or committing a private key to a public repository. A combination of tools and Google-fu to help scour the web for you can help you quickly identify points of interest.
- Scope the problem - what are you after?
- Do some basic recon
- Google-fu: filter sites, dates, etc.
- Perform a domain lookup
- Enumerate social media accounts
- Follow up the interesting stuff
- What can you do with the info you have? Does it unintentionally give away extra detail?
- Look at archived versions of what you're after (perhaps a comment was deleted). Nothing really disappears from the internet
This happens to everyone. Don't stress.
-
Take a break
Disconnect from the problem so you can come back with fresh eyes. Don't try to solve it in the back of your head. Disconnect
-
Try the dumb stuff. It's often simpler than you think
"Surely not... No wa- oh, yep. That was it."
-
Retry what you've already done
Odds are that you were on the right track at some stage. Perhaps you just went a little wayward. Give it another go - use a different tool, modify your search query, change it up a little to see if it gets your further
-
Talk to someone
Maybe you know someone with experience in a particular area. Use it. Or, oftentimes, you just need a rubber duck.
-
Fail fast
Try something new for a little while - and before you get too attached to this new approach, is it worth pursuing?
Tools are by no means the answer to absolutely everything, but they drastically speed up your process. Understand what it is doing on your behalf and don't be a script kiddie.
Below is a list of tools that are primarily free to use. Should this list fail you, BlackArch has a great list of tools
Image Analysis
- Reverse image searches
- Google, Duckduckgo, bing, TinEye, Yandex, etc.
- Search By Image Chrome extension (includes Google, Bing, Yandex, etc.)
- Add keywords to go with the search
- Try cropping the image before searching, this may yield different results too.
- Google lens
- Exif tool, e.g. Jeffrey's Image Metadata Viewer
Maps
- Apple, Google maps - Apple has some excellent 3D visualisations of major cities
- Google Earth - useful for annotating maps, saving sessions, examining flight paths, etc.
- Streetview and photospheres
Wireless network mapping
- WiGLE.net - identify locations of SSIDs, MAC addresses, etc.
People lookup
- Social media
- Whitepages (Aus specific)
- Zoominfo.com + google-fu
Weather events and historical data
You often just search until you find a site that suits your needs. Consider:
- Weather reports
- Bushfires
Flights
Somehow this comes up more often than you'd think.
N.B. most sites only retain data for ~2 weeks
- Flightradar24 (free-ish) - flight paths, historical data, etc.
- WebTrak (Aus only) - Used to track aircraft noise, but has decent historical data
- Planemapper and other various sites that containing info about plane regos, flight numbers, departure + arrival times, etc. With these sites, you often just search until you find one site that gives you the info you need.
Lookup tools
Internet Archive
Social media enumeration
- Whatsmyname, Github
- Social-Analyzer, Github
Google fu
- Boolean searches
((a AND b) AND (c OR d)) NOT e- Use
-eto exclude results related toe - Use
+fto include results related tof
- Use
- Advanced searching (Google dorking)
- Ranges, e.g.
1..5 - Related
~term - Filters:
inurl:SECRET=site:github.comfiletype:.pdfintext:"resume"- Date -
before:1989,after:1988-12-25
- Etc.
- Ranges, e.g.
- Anonymous searching - use Google cache to avoid touching the website's server
cache:<search>- Copy the sites cache link: Kebab menu > "cached"
- Paste URL and add
&strip=1to view text-only version (so no images contact the server)
The interwebs are flooded with Google Fu cheatsheets.
Paywall Bypass
- 12ft.io
- Browser dev tools
- Tracelabs VM - a Kali box targeted towards OSINT. (The site also lists the tools included)
- BlackArch Social Tools - list of tools
- https://coveryourtracks.eff.org - browser fingerprinting
- https://www.osintcombine.com/osint-bookmarks - list of useful bookmarks
- https://www.exploit-db.com/google-hacking-database
- https://www.bellingcat.com/
- https://inteltechniques.com/
- Chrome Extensions