OSINT: Secrets Hidden in Plain Sight
What exactly is OSINT?
“Open Source Intelligence (OSINT) involves the collection, analysis and use of data from openly available sources for intelligence purposes.”
That is the textbook definition; let's look at what OSINT actually means in practice.
Imagine you're a modern-day Sherlock Holmes, but instead of magnifying glasses and deerstalker hats, you wield search engines and social media sleuthing. Welcome to the world of Open Source Intelligence, or OSINT, where the internet becomes your playground and anything that is out there in the public domain might be a clue just waiting to be discovered.
You are the detective here, and to find clues you scour the internet. Say you replied "that's me" to a post that reads "those born in 1999 are 25 years old now": you have just published your birth year. It might seem a little uncanny, but a lot of sensitive information sits in plain sight on the internet, waiting to be pieced together.
Where is OSINT being used?
- Government: Essential for national security, counterterrorism, and public sentiment analysis.
- International Organizations: Supports peacekeeping efforts and aids humanitarian organizations in crisis response.
- Law Enforcement: Used to prevent crimes, monitor social media, and protect citizens.
- Journalism & NGOs: For investigation and fact-checking.
- Businesses: Employs OSINT for market research, competitor analysis, and cybersecurity to safeguard financial interests.
- Cybersecurity and Cybercrime: OSINT is the reconnaissance phase for penetration testers, red teamers and social engineers, and equally for the attackers they emulate.
- Financial institutions: As part of the due diligence process, before entering a new contract.
- Terrorist Groups: Unfortunately, OSINT is also exploited by nefarious entities for planning attacks, gathering information, and spreading propaganda.
- Human Resources: For background checks on potential candidates.
Now we’re going to dive deep into the practical world of OSINT. Disclaimer: This article is for educational purposes only.
We’re going to find out where a picture was taken.
This is our reference image. Let's find out where it was taken. We're going to use IMINT (imagery intelligence) techniques. New tools for imagery analysis appear every day, and some of them require advanced technical skills, but even simple IMINT and SOCMINT (social media intelligence) techniques give good results and are often enough to geolocate an image.
Your first step should always be to check the image's EXIF data. Metadata2go is used here, but any EXIF viewer will do (exiftool on the command line, for instance). To use metadata2go, download the image and drag and drop it onto the page.
EXIF data can include the date and GPS location, indicating exactly when and where the photo was taken, as well as the make and model of the device used. If the EXIF data is still embedded in the picture file, you should see something like this:
As you can see the location data is stored as GPS coordinates.
If the photo is posted without this EXIF data being removed (on a blog, a website, or in an instant-messaging conversation), the information can be recovered easily with tools like metadata2go, or simply by checking the image's file properties. This information is called metadata: when you take a picture, the camera or phone embeds the date, the device model, ISO, focal length and, if location tagging is enabled, the GPS position into the file.
Search the coordinates on Google Maps and, boom, you have the location of the image just from its metadata.
In our reference image the coordinates lead to Brighton. Note that most social networks automatically strip EXIF data on upload, but messaging apps behave differently: WhatsApp and Telegram typically strip metadata when a picture is sent as a compressed photo, yet pass the original file through untouched when it is sent as a file or document, and email attachments keep it as well.
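To make the metadata step concrete, here is an added example (not code from the original article, and not how metadata2go is implemented) that does by hand what an EXIF viewer does: it walks the JPEG marker segments, finds the APP1 "Exif" segment, follows the IFD0 pointer to the GPS sub-IFD, and converts the degrees/minutes/seconds rationals into decimal coordinates. It also shows the inverse, stripping the APP1 segment the way social networks do on upload. It uses only the Python standard library; `build_test_jpeg` constructs a stub file (a header with GPS tags and no actual picture data) so the example runs offline, and the Brighton coordinates fed to it are assumed values, not taken from the reference image.

```python
import struct
from fractions import Fraction

GPS_IFD_POINTER = 0x8825                       # tag in IFD0 that points at the GPS sub-IFD
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}    # BYTE, ASCII, SHORT, LONG, RATIONAL

def find_exif_tiff(jpeg: bytes):
    """Walk the JPEG marker segments and return the TIFF blob inside the APP1 'Exif' segment, or None."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)   # no SOI marker: not a JPEG, skip the walk
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF:
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):             # EOI or start-of-scan: no more metadata segments
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        payload = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and payload.startswith(b"Exif\x00\x00"):
            return payload[6:]
        pos += 2 + length
    return None

def read_ifd(tiff: bytes, offset: int, endian: str) -> dict:
    """Parse one IFD into {tag: (type, count, raw_bytes)}, following the offset when a value exceeds 4 bytes."""
    (count,) = struct.unpack(endian + "H", tiff[offset:offset + 2])
    entries = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", tiff[entry:entry + 8])
        size = TYPE_SIZES.get(typ, 1) * n
        raw = tiff[entry + 8:entry + 12]
        if size > 4:                           # too big to be inline: those 4 bytes are an offset instead
            (data_offset,) = struct.unpack(endian + "I", raw)
            raw = tiff[data_offset:data_offset + size]
        entries[tag] = (typ, n, raw[:size])
    return entries

def decode(typ: int, n: int, raw: bytes, endian: str):
    if typ == 2:                               # ASCII, NUL-terminated
        return raw.split(b"\x00", 1)[0].decode("ascii")
    if typ == 4:                               # LONG
        return struct.unpack(endian + f"{n}I", raw)
    if typ == 5:                               # RATIONAL: unsigned numerator/denominator pairs
        nums = struct.unpack(endian + f"{2 * n}I", raw)
        return [Fraction(nums[2 * i], nums[2 * i + 1]) for i in range(n)]
    return raw

def dms_to_decimal(dms, ref: str) -> float:
    degrees, minutes, seconds = dms
    value = degrees + minutes / 60 + seconds / 3600
    return round(float(-value if ref in ("S", "W") else value), 6)

def extract_gps(jpeg: bytes):
    """Return (latitude, longitude) in decimal degrees, or None if the file carries no GPS metadata."""
    tiff = find_exif_tiff(jpeg)
    if tiff is None:
        return None
    endian = "<" if tiff[:2] == b"II" else ">"  # 'II' = Intel/little-endian, 'MM' = Motorola/big-endian
    (ifd0_offset,) = struct.unpack(endian + "I", tiff[4:8])
    ifd0 = read_ifd(tiff, ifd0_offset, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    (gps_offset,) = decode(*ifd0[GPS_IFD_POINTER], endian)
    gps = {tag: decode(*val, endian) for tag, val in read_ifd(tiff, gps_offset, endian).items()}
    if not {0x1, 0x2, 0x3, 0x4}.issubset(gps):  # LatitudeRef, Latitude, LongitudeRef, Longitude
        return None
    return dms_to_decimal(gps[0x2], gps[0x1]), dms_to_decimal(gps[0x4], gps[0x3])

def strip_exif(jpeg: bytes) -> bytes:
    """What most social networks do on upload: drop every APP1 segment and keep the image data as is."""
    out, pos = bytearray(jpeg[:2]), 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] not in (0xD9, 0xDA):
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if jpeg[pos + 1] != 0xE1:
            out += jpeg[pos:pos + 2 + length]
        pos += 2 + length
    return bytes(out) + jpeg[pos:]

def _dms_rationals(value: float) -> bytes:
    """Degrees, minutes, seconds as three little-endian RATIONALs, the way cameras store GPS coordinates."""
    v = Fraction(str(abs(value)))
    degrees, rem = int(v), (v % 1) * 60
    minutes, seconds = int(rem), (rem % 1) * 60
    parts = (Fraction(degrees), Fraction(minutes), seconds.limit_denominator(10000))
    return b"".join(struct.pack("<II", p.numerator, p.denominator) for p in parts)

def build_test_jpeg(lat: float, lon: float) -> bytes:
    """Constructed stub for the demo: SOI, APP0 (JFIF), APP1 Exif holding only a GPS IFD, then EOI."""
    lat_ref, lon_ref = (b"N" if lat >= 0 else b"S") + b"\x00" * 3, (b"E" if lon >= 0 else b"W") + b"\x00" * 3
    # Offsets are relative to the TIFF header: IFD0 at 8, GPS IFD at 26, coordinate rationals at 80 and 104
    tiff = b"II" + struct.pack("<HI", 42, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_POINTER, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", 0x1, 2, 2) + lat_ref + struct.pack("<HHII", 0x2, 5, 3, 80)
    tiff += struct.pack("<HHI", 0x3, 2, 2) + lon_ref + struct.pack("<HHII", 0x4, 5, 3, 104)
    tiff += struct.pack("<I", 0) + _dms_rationals(lat) + _dms_rationals(lon)
    app1 = b"Exif\x00\x00" + tiff
    jfif = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    return (b"\xff\xd8\xff\xe0" + struct.pack(">H", len(jfif) + 2) + jfif
            + b"\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9")
```

`extract_gps(build_test_jpeg(50.8225, -0.1372))` returns `(50.8225, -0.1372)`, and running the same call on `strip_exif(...)` returns `None`: the pixels are untouched, only the APP1 header is gone. Real cameras also write a GPSVersionID tag, altitude and a timestamp, which `read_ifd` already parses; only the four tags needed for a position are decoded here. Note that the parser trusts offsets from the file; on untrusted input, slicing past the end of `tiff` yields short byte strings and `struct.unpack` raises, which is the failure mode you want rather than reading garbage.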
Reverse image search:
Run the picture through a reverse image search engine (Google, Bing, Yandex and TinEye all offer one).
While your search may not return the exact same picture, the suggestions can still provide an answer. Is there a landmark, a monument, or a recognisable view of a city? Can you spot similarities between your picture and the results?
See? It returned the exact same location, but the result won't be as good if the image is of low quality. Enhance it as much as possible before running it through any search tool (but NOT before extracting the EXIF data: editing and re-saving an image usually discards its metadata). The clearer the image, the better your chance of finding the location. Always pay attention to the details in the background.
When working with a selfie, you can still extract valuable information by paying attention to the background details. Is there a road sign, or a raccoon? Can you identify the colour of the penguin? Sometimes simply googling that information along with descriptive search terms ("mountains", "river", "penguin") can do wonders. What about a penguin riding a bicycle in front of the Eiffel Tower? Yes, you can search for that too (just go wild!).
Alternatively, you can use the all-in-one Fake news debunker by InVID & WeVerify browser extension on Chrome, which combines picture enhancing and reverse search engine tools.
Social Media:
Look for tags and comments on social media. There is often juicy information in the comment section. Just because someone is careful not to post their actual location doesn't mean their friends or followers are as considerate: a comment like "aww, it reminds me of your last place" leaks location without the commenter even realising it.
At times a picture lacks any distinguishing geographical features, but a person may be tagged in it because they happened to be there too. Check their profile to see if they posted their own photo of that moment, which might include additional details or tags.
Finding the owner of a site:
Establishing a connection between a specific individual and an online business can be vital for law enforcement or investigative journalism. Additionally, verifying a company before hiring them for a specific task is very important. Although individuals may use various methods to conceal their association with a website, it doesn’t mean you can’t try.
To unmask the owner of a site you can use these techniques and tools:
- Website search
- Domain registration data: ICANN Lookup
- Social media and advanced Google search: Google Dorking
- History of a webpage: Wayback Machine
- Reverse IP lookup and IP history: ViewDNS.info
Searching the Website:
First, inspect the website itself. Websites often have an "About" or "Contact us" page that names the owner, or at least someone at the company, which gives you a starting point for further research. A privacy policy or legal notice page may also name the organisation behind the site and its address.
The Icann Lookup:
When someone registers a domain, they have to provide contact details to the domain name registrar (GoDaddy or a similar company). That registration data, once published through WHOIS and today served over RDAP, can be searched with tools like ICANN Lookup. As an example, let's try facebook.com.
With ICANN Lookup you can see the registrant's name, organisation, address, phone number, email and country; here it is "Meta Platforms, Inc".
Note that most registrars now redact personal registrant data by default (a practice that became widespread after the GDPR took effect in 2018), and many also sell privacy or proxy services on top. In that case the fields read "REDACTED FOR PRIVACY" or "Not available", as with Red Sentry here. Even a redacted record still gives you the registrar, the name servers and the registration and expiry dates, which are useful pivots on their own.
Try to find a LinkedIn page for someone in the IT or marketing department, as these employees often maintain the website, and their profiles and posts can carry information about the site and the company that the website itself does not.
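ICANN Lookup is a front end for RDAP, the JSON protocol that replaced WHOIS, so the same data can be pulled and parsed programmatically. The following is an added example (not code from the article, not how ICANN Lookup works internally) that flattens an RDAP domain response into per-role contacts and flags the ones that are fully redacted, so a script can tell a usable registrant record from a privacy-protected one. `fetch_rdap` is included for live use and assumes that `https://rdap.org/domain/<name>` redirects to the registry's RDAP server; the demo itself runs offline on `SAMPLE_RDAP`, a constructed response in RDAP/jCard shape with fictional values.

```python
import json
import re
from urllib.request import urlopen

RDAP_BOOTSTRAP = "https://rdap.org/domain/{}"   # assumption: public redirector to the authoritative RDAP server
REDACTED_RE = re.compile(r"redacted|not available|not disclosed|privacy|withheld", re.IGNORECASE)
CONTACT_FIELDS = ("fn", "org", "email", "tel", "adr")

def fetch_rdap(domain: str, timeout: int = 10) -> dict:
    """Live lookup over the network; not used by the offline demo below."""
    with urlopen(RDAP_BOOTSTRAP.format(domain), timeout=timeout) as resp:
        return json.load(resp)

def jcard_to_dict(vcard_array) -> dict:
    """Flatten a jCard (RFC 7095) ['vcard', [[name, params, type, value], ...]] into {name: value}."""
    card = {}
    for name, _params, _type, value in vcard_array[1]:
        if isinstance(value, list):            # 'adr' is a 7-component structured value, mostly empty when redacted
            value = ", ".join(part for part in value if part)
        card.setdefault(name, value)           # keep the first occurrence of a repeated property
    return card

def summarise_contacts(rdap: dict) -> dict:
    """Map each role (registrant, technical, registrar, ...) to its contact fields plus a redaction flag."""
    contacts = {}
    for entity in rdap.get("entities", []):
        card = jcard_to_dict(entity["vcardArray"]) if "vcardArray" in entity else {}
        fields = {k: card.get(k) for k in CONTACT_FIELDS}
        usable = [v for v in fields.values() if v and not REDACTED_RE.search(str(v))]
        for role in entity.get("roles", []):
            contacts[role] = {**fields, "redacted": not usable}
    return contacts

def lifecycle(rdap: dict) -> dict:
    """Registration, expiration and last-changed dates: a domain registered last week tells its own story."""
    return {e["eventAction"]: e["eventDate"] for e in rdap.get("events", [])}

# Constructed sample in RDAP shape with fictional values; not the result of a real lookup.
SAMPLE_RDAP = {
    "objectClassName": "domain",
    "ldhName": "example.com",
    "events": [
        {"eventAction": "registration", "eventDate": "2015-06-01T00:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-06-01T00:00:00Z"},
    ],
    "entities": [
        {"objectClassName": "entity", "roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                   ["fn", {}, "text", "Example Registrar, LLC"]]]},
        {"objectClassName": "entity", "roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                   ["fn", {}, "text", "REDACTED FOR PRIVACY"],
                                   ["org", {}, "text", "Example Holdings Inc."],
                                   ["adr", {}, "text", ["", "", "", "", "", "", "US"]],
                                   ["email", {}, "text", "domain-admin@example.com"]]]},
        {"objectClassName": "entity", "roles": ["technical"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                   ["fn", {}, "text", "REDACTED FOR PRIVACY"],
                                   ["adr", {}, "text", ["", "", "", "", "", "", "REDACTED FOR PRIVACY"]]]]},
    ],
}
```

On the sample, `summarise_contacts` reports the registrant as not redacted (the person's name is hidden but the organisation, country and a role email survive, which is the usual GDPR-era pattern) and the technical contact as fully redacted. Two caveats for live use: real responses nest entities (the registrar entity usually contains an abuse-contact entity, which this flat loop skips), and the redaction test is string matching, so a registrar that redacts with a placeholder not in `REDACTED_RE` will look like a real contact until you read it.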
How to go back in time using Wayback Machine:
The Wayback Machine is a wonderful tool that lets you see former versions of a website. Old snapshots of an About or Contact page often still carry names, addresses or email addresses that were later removed. It's pretty cool, right?
In the above picture I searched for Red Sentry.
Last But Not Least: viewdns.info
Depending on your investigation, you might reach for this tool right away or reserve it for later. Viewdns.info bundles a large set of DNS and IP lookups: a reverse IP lookup lists other domains hosted on the same server, IP history shows where a domain has been hosted over time, and reverse WHOIS finds other domains registered with the same email address. Each of these can tie an anonymous site to one that isn't.
How to retrieve someone’s email address by OSINT:
Retrieving someone’s email address may be useful when conducting any kind of OSINT investigation, or during a pentest.
Techniques:
- Google your target. Do they have a blog or website attached to their name? Their email address may be in the intro or on the contact page. Are they on social media? The address may be part of their bio (on LinkedIn in particular). Google dorks help here too: operators such as site:, filetype:xlsx and an exact-match "Full Name" can surface spreadsheets and documents that mention the target, including files that were never meant to be indexed.
- Check whether they have a website of their own. If so, the "Contact us" or "About" section may carry their email address.
- View the page source too. To speed things up, search for "@" in the HTML: addresses sometimes sit in a mailto: link, an HTML comment or a script that never renders on the page.
- Social engineering can be used too, but it requires direct contact with the target, or at least with someone close to them, which is why I kept it for last.
For this to work, you will need to understand who your target is and how to approach them. The more difficult and unreachable your target, the more research you will need to do ahead.
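The "search the page source for @" step is easy to automate, and doing so shows why a naive search misses things. The following is an added example (not code from the article) that pulls addresses out of raw HTML while handling the cases a plain `Ctrl+F` for "@" does not: HTML-entity encoding (`&#64;`), "name [at] domain [dot] tld" obfuscation, and Cloudflare's `data-cfemail` scrambling, where the first byte of the hex payload is an XOR key for the rest. It also filters out the classic false positive, `@2x` retina image names. `SAMPLE_HTML` is a constructed page fragment with example.org addresses, not a real site.

```python
import html
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# "name [at] example [dot] org" and the (at)/(dot), {at}/{dot} variants
OBFUSCATED_AT = re.compile(r"\s*[\[\(\{]\s*at\s*[\]\)\}]\s*", re.IGNORECASE)
OBFUSCATED_DOT = re.compile(r"\s*[\[\(\{]\s*dot\s*[\]\)\}]\s*", re.IGNORECASE)
CF_EMAIL_RE = re.compile(r'data-cfemail="([0-9a-fA-F]+)"')
# "logo@2x.png" and similar asset references match EMAIL_RE but are not addresses
ASSET_SUFFIXES = {"png", "jpg", "jpeg", "gif", "svg", "webp", "js", "css", "woff", "woff2"}

def decode_cfemail(hex_payload: str) -> str:
    """Cloudflare email obfuscation: first byte is the XOR key, the remaining bytes are the address."""
    data = bytes.fromhex(hex_payload)
    return bytes(b ^ data[0] for b in data[1:]).decode("utf-8")

def extract_emails(page_source: str) -> list:
    """Return the distinct, lower-cased addresses found in raw HTML, obfuscation undone."""
    found = set()
    for payload in CF_EMAIL_RE.findall(page_source):
        found.add(decode_cfemail(payload).lower())
    text = html.unescape(page_source)          # &#64; -> @, &#46; -> . and friends
    text = OBFUSCATED_DOT.sub(".", OBFUSCATED_AT.sub("@", text))
    for address in EMAIL_RE.findall(text):
        if address.rsplit(".", 1)[-1].lower() in ASSET_SUFFIXES:
            continue
        found.add(address.lower())
    return sorted(found)

# Constructed sample page source for the demo; not a real site.
SAMPLE_HTML = """
<a href="mailto:press@example.org?subject=Interview">Press</a>
<p>Editorial: jane&#46;doe&#64;example.org &middot; Founder: bob [at] example [dot] org</p>
<a class="__cf_email__" data-cfemail="5a3b3633393f1a3f223b372a363f7435283d">[email&#160;protected]</a>
<img src="/static/logo@2x.png" alt="logo">
<!-- TODO: ask ops@example.org to rotate the API key -->
"""
```

`extract_emails(SAMPLE_HTML)` returns five addresses, including the one hidden in the HTML comment and the Cloudflare-protected one that renders as "[email protected]" in the browser, and leaves `logo@2x.png` out. The Cloudflare decoding is worth knowing about because the protected address is right there in the source; only a human reading the rendered page is fooled.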
Conclusion:
In this article I covered some basic OSINT tools and techniques and tried to introduce you to the wonderful world of OSINT; hopefully it helped you gain some investigative knowledge along the way. You can use OSINT for bug bounty hunting, pentesting, or just for fun.
So, that’s all for today, take care of your mental health and stay hydrated.