- disclaimer
- Suggestions
- Why
- OSINT/OPSEC Tools
- key points
- OPSEC
- Open Source Intelligence (OSINT)
- Who uses Open-Source Intelligence (OSINT)?
- Sources of OSINT
- Digital Profiling
- closed sourced
- IMINT
- Real world examples of OSINT
- Tools
- People search tools (in the states)
- Grey literature
- Breached Data
- Social Media
- Self OSINT
- Curated lists
I am not responsible for any misuse, abuse, or unethical actions taken with the tools or methods listed here. OSINT is a neutral technique—anyone can use it, and anyone can be targeted.
Note: Some domains (e.g., exposed.lol
) may be expired. Refer to the curated list or alternate links provided.
Open an issue for any suggestions or feedback.
People trust the internet too much. In today’s world, online and offline are practically the same—truth and fiction blur. This README exists to raise awareness. Clone it, fork it, remix it, or even turn it into a Rentry page. Spread the knowledge however you like.
Can you predict someone’s behavior with this? not exactly; people are unpredictable at times.
A list of OSINT/OPSEC tools I made, forked, and/or use. First, let's talk about the definitions.
- School Bomb Threats
- Florida student caught after bragging, repeating offenses, leaving evidence, and confessing.
- Harvard’s Eldo Kim identified for using Tor on school network as the only user and admitting guilt.
- Silk Road Case
- Ross Ulbricht linked to Silk Road by using his real name/email, posting about Tor, and failing to hide server IPs.
- LulzSec Hacking Group
- Members exposed themselves by discussing ops in public IRC, revealing personal info, using stolen cards to home addresses, and trusting informants.
- General Bad OPSEC Practices
- Poor compartmentalization, leaking sensitive info, predictable naming, traceable work hours, and unsecured servers.
- Mullvad VPN: Security Contrast
- Features: anonymous accounts, strong encryption, no-logs, lockdown mode, DNS blockers, open-source, accepts Monero/cash.
- Caution: No tool is foolproof; human error remains the weakest link.
- Understand the Basics
- Digital profiling gathers and analyzes online data; behavioral analysis infers motives, habits, and future actions.
- Collect Digital Biographical Information
- Gather identifiers, track online activity, search for recurring usernames, document findings.
- Analyze Behavioral Patterns
- Look for posting times, topics, language, interaction style, preferred platforms, and social networks.
- Examples
- Use AI tools to analyze old posts for recurring interests; tools like Blackbird/Maigret help track usernames across platforms.
- Assess Competencies and Affinities
- Evaluate technical skill, privacy awareness, sociability, and domain expertise.
- Use Analytical Tools
- Employ search engines, data aggregators, visualization/statistics tools and Natural Language Processing (NLPs) for deeper analysis.
- Iterate and Refine
- Continuously update the profile as new data emerges; use structured documentation.
- Ethical and Legal Considerations
- Only use legally accessible data; respect privacy and avoid harassment.
- Defending Against OSINT Profiling
- Practice good OPSEC, use misinformation, audit yourself, and set profiles to private.
- Criminals
- Sony Pictures Hack (2014): Used OSINT on staff and infrastructure for phishing and breach.
- Ashley Madison Breach (2015): Used OSINT to leak sensitive user data, causing blackmail and public exposure.
- Civilians
- Identifying Russian Soldiers: Used facial recognition and open-source images to ID participants in conflicts.
- BBC Cameroon Investigation: Used metadata and geolocation to verify military abuses.
- Law Enforcement
- Tracking Stolen Property: Monitored online marketplaces to recover stolen goods.
- ShadowDragon’s SocialNet: Mapped social networks from 200+ sources to aid investigations.
- OPSEC Failures
- Guccifer 2.0: Forgot to activate VPN, exposing real IP and identity.
- Silk Road’s Ross Ulbricht: Used personal email and left digital traces, leading to arrest.
These guides collectively highlight the importance of strong operational security, the power and risks of OSINT, and the need for continuous vigilance and ethical conduct in information gathering and online behavior.
- Identifying
- Protecting and controlling critical information
It's a security discipline and operations function that involves a continuous cycle of:
- Identifying critical information and indicators (CII)
- Critical information and indicators are essential components of Operations Security aimed at protecting sensitive data that could be exploited by adversaries. Critical Information includes unclassified or controlled unclassified information about activities, intentions, capabilities, or limitations that adversaries can use to gain an advantage. Indicators are observable actions or pieces of information that reveal critical details about operations, such as sudden changes in procedures or increased security measures. Protecting this information involves identifying vulnerabilities and implementing countermeasures to prevent unauthorized disclosure
- Analyzing potential threats and vulnerabilities
- Assessing risks
- Developing countermeasures to protect CII
is used to protect information and activities from adversaries. It helps identify and protect sensitive information that could give an adversary an advantage. OPSEC principles can be applied in daily life, such as not sharing personal information like a DOB, street address, email, phone number.
Examples of OPSEC mistakes include:
-
Over-sharing personal information online
-
Leaving unused social media online
-
interacting with a target on social media
- w0rmer
- darknetdiaries(article)
OPSEC supplements other security disciplines rather than replacing them.
- Use services that can conceal your identity:
Category | Tool/Technique | Description | Pros | Cons/Limitations |
---|---|---|---|---|
Encrypted Messaging | Telegram | Cloud-based messaging with optional E2E ("Secret Chats") | Widely adopted, feature-rich | Not E2E by default; stores data on servers; requires phone number |
Simplex | No user identifiers (not even random numbers) | Maximum metadata privacy | Less user-friendly; smaller network | |
Signal | E2E encrypted by default; minimal metadata retention | Gold standard for privacy; court-resistant | Requires phone number | |
Anonymity Networks | Tor | Routes traffic through encrypted nodes to hide IP | Free; robust against tracking | Slow; frequent CAPTCHAs |
Mullvad VPN | No-logs VPN accepting Monero (XMR) payments | Strong privacy; anonymous payment options | VPNs can’t fix poor OPSEC habits | |
Cryptocurrency | Monero (XMR) | Untraceable cryptocurrency | Private transactions | Requires mining/local node for full anonymity + time |
Identity Management | Unique Usernames | Use different credentials per site | Prevents correlation attacks | Hard to manage without a password manager |
Word Spinners | Paraphrase text to avoid detection | Evades plagiarism/identity linking | May sound unnatural | |
AI-Generated Faces | Fake profile pictures (e.g., ThisPersonDoesNotExist.com) | Hides real identity | May look unnatural | |
Self-OSINT | Opt-Out Guides | Remove personal data from people-search sites | Reduces digital footprint | Time-consuming; not all sites honor requests without payment |
OPSEC Resources | Bad OPSEC Examples | List of pitfalls | Learn from others’ mistakes | N/A |
Good OPSEC Practices | Guidelines | Actionable tips | Requires discipline | |
Tool Lists | OPSEC Tools | Curated list | Comprehensive resource | May need updates |
-
Messaging:
-
Signal OR Simplex > Telegram for privacy.
-
Remember: E2E ≠ total anonymity (metadata leaks/habits matter).
-
-
Anonymity:
- Tor + Mullvad VPN + XMR = layered protection.
- Avoid logging into personal accounts while using these tools.
- Pitfalls: you need to use TOR and Mullvad separately for maximum Anonymity, use a Virtual Machine for VPN's and TOR on another (or the host).
-
Identity:
- Unique usernames + AI faces + word spinning = harder to trace.
-
Self-Audit:
- Regularly opt out of data brokers and OSINT yourself.
-
OPSEC Mindset:
- Follow good OPSEC and avoid bad habits.
Note:
By TOR I mean Tor Browser, VPN as in Virtual Private Network, and by Virtual Private Network I mean by Virtual Private Network Service - IE: Mullvad (though it can be other types of VPN's out there as long as it's safe to use and vetted by privacy experts). XMR is Monero Coin or Monero for short, a Privacy Coin.
Check Wikipedia If you're confused on all of these here:
- VPN (What we don't use here)
- VPN service (What we're gonna use here)
- TOR (What should be used separately)
- XMR (For VPN's that take XMR as payment)
- Monero Mining: Run a local node to avoid centralized exchanges tracing purchases.
For full tool details, see the OPSEC Tools List.
A smoke screen operation in the context of OSINT (Open Source Intelligence) refers to deliberate actions taken to obscure, mislead, or mask the true activities, intentions, or identities of individuals or organizations from those conducting open-source intelligence gathering. The term is borrowed from military tactics, where a smoke screen is used to conceal movements or positions from enemy observation. In cyber and intelligence contexts, the concept is adapted to digital and informational environments. You may read more here.
-
OSINT is the practice of collecting and analyzing information from public sources to address specific intelligence needs. OSINT is used by government agencies and commercial organizations for various purposes, including:
- Reconnaissance
- Cyber crime investigations
- Market trend analysis
- Brand positioning analysis
- Measuring risk to an organization
- Understanding the actor, tactics, and targets
- Gather real-time information
- Make informed decisions
- Receive early warnings of potential threats
-
National Security and Intelligence Agencies, Law Enforcement, Businesses, Cybersecurity and Cyber-crime Groups, Privacy-Conscious People, Non-Governmental Organizations
- The CIA, Defense Intelligence Agency (DIA), and Office of the Director of National Intelligence (ODNI) all use OSINT.
- OSINT can protect citizens (private or otherwise) from identity theft, sexual violence, and abuse.
- OSINT can monitor competitors, investigate new markets, and plan marketing activities.
- OSINT can gather intelligence about specific targets online.
- OSINT can check how outsiders can break into their computing devices.
- OSINT can be used on oneself to secure privacy.
- Bellingcat, the Center for Information Resilience, and Oryx use OSINT.
- And you! Yes, you can use OSINT.
OSINT can gather information from various sources, including:
-
- Public data refers to all information made freely available by government bodies or local collectivities. This data is in the public domain. It is different to open data, which is a subset of public data. Open data is structured and well-maintained data that is therefore easier to understand, access and consume. By contrast public data can be difficult to find, or (in the case of public bodies), require the submission of a Freedom of Information Act to retrieve it.
-
Professional and academic publications
- Academic Publication means the publication of an abstract, article or paper in a journal or electronic repository, or its presentation at a conference or seminar.
-
-
Commercial Data means any and all data and information relating to an identified or identifiable Person (whether the information is accurate or not), alone or in combination with other information, which Person is or was an actual or prospective customer of, or consumer of products offered by, the VS Business or L Brands Business, as applicable.
-
Commercial Data means any and all data and information relating to an identified or identifiable Person (whether the information is accurate or not), alone or in combination with other information, which Person is or was an actual or prospective customer of, or consumer of products or services offered by, the LoyaltyOne Business and/or ADS Business, as applicable.
-
Commercial Data means any and all data collected or otherwise processed by the Seller Entities relating to a customer of the Business.
-
-
-
Grey literature is "Information produced on all levels of government, academics, business and industry in electronic and print formats not controlled by commercial publishing i.e. where publishing is not the primary activity of the producing body."
-
Grey literature can be useful for your research, but finding resources requires different tactics than you'd use for commercially published materials. This is because many types of grey literature are not indexed in some of the more common research tools like PubMed, CINAHL, Scopus, etc.
-
-
people search aggregators, typically used in the united states. can give you information on someone such as an email, home address, date of birth, etc.
-
Google Dorks:
Operator | Description | Example |
---|---|---|
site: |
Search within a specific website or domain | site:example.com |
intitle: |
Find pages with specific words in the title | intitle:"login page" |
allintitle: |
All words must appear in the title | allintitle:admin login |
inurl: |
Words in the URL | inurl:admin |
allinurl: |
All terms in the URL | allinurl:dashboard admin |
filetype: or ext: |
Search for specific file types | filetype:pdf or ext:xls |
intext: |
Word or phrase in the page body | intext:"confidential" |
allintext: |
All terms in the body text | allintext:password username |
link: |
Pages linking to a specified URL | link:example.com |
define: |
Look up a word definition | define:opsec |
related: |
Find sites similar to a URL | related:example.com |
* |
Wildcard – matches any word | "admin * login" |
OR |
Either search term can appear | login OR signin |
AND |
Both terms must appear (default behavior) | username AND password |
- |
Exclude term | login -facebook |
" |
Exact phrase | "confidential file" |
Default Behavior
- Google treats multiple words as if connected by AND, so results must contain all terms unless you specify otherwise.
- Quotation marks, site:, and filetype: are among the most commonly used explicit operators for more targeted searches.
These operators are not used unless you include them in your query—Google’s default is simply to return results matching all your search terms, ranked by relevance.
In the year 2016, a basket weaving image board used OSINT to pay some supposed terrorist a visit from a govt in Russia resulting in airstrikes.
-
- In 2016, during the complex Syrian Civil War, various rebel groups—some with good intentions and others with nefarious motives—sought to overthrow President Assad. The chaos allowed terrorist groups to flourish, prompting intervention from the United States and Russia, with the former supporting rebels and the latter aiding Assad. An anonymous user on 4chan's Syria General board (SG) claimed that a Syrian rebel group, Jaysh al-Izza, posted a video on YouTube revealing their secret encampment. The group, linked to Al-Qaeda, was seen by 4chan users as a target. A notable 4chan user, Ivan Sirenko, who had connections with the Russian military, received the coordinates from the 4chan community and tweeted them to the Russian Ministry of Defense. This led to an airstrike on the encampment. Two months later, the same rebel group posted another video showing a new training camp. 4chan users once again pinpointed the location using landmarks seen in the video. After thorough verification, they sent the coordinates to Ivan, who facilitated another Russian airstrike.
UPDATE: Turns out it was a really complex war the 4chan got involved in, still keeping this up as a key example however; the main issue is that they exposed their training locations with geographic locations to the internet like complete morons. Thus bad opsec.
In 2017, Shia LaBeouf had a protest due to Trumps election; this resulted in a basket weaving image board using OSINT and sky patterns to figure out where a flag is.
- In 2017, 4chan users managed to track down and replace Shia LaBeouf's "He Will Not Divide Us" protest flag. Using only the live-stream footage of the flag, they analyzed flight patterns, star positions, and a tweet to locate the flag in Greeneville, Tennessee. A local troll then honked his car horn until the sound was picked up on the live-stream, pinpointing the exact location. The flag was replaced with a Trump hat, marking the end of this elaborate trolling operation.
Digital profiling and behavioral analysis are powerful techniques for understanding individuals based on their online activities and digital footprints. While these methods are often used by professionals, you can apply many of the same principles and processes yourself by following a structured approach.
Read more inside this readme on Digital Profiling
HUMINT can be collected overtly (e.g., interviews, debriefings, diplomatic reporting) or covertly (e.g., espionage, clandestine surveillance).
Buying from databrokers can be closed sourced if the info isn't freely available IF not cross referenced VIA the Curated Lists OR the Toolchain for self OSINT
And remember, closed sourced info can change depending on context. If it came from social media then it's considered open source as it's already out there. If it's from a closed source document like let's say a USB drive then consider it closed source.
IMINT(Image INTelligence) involves collecting and analyzing visual imagery—satellite, aerial, drone, or ground photos—to extract useful information. Contains information such as SOCMINT and Reverse Search.
Category | Tool | Link | Functionality | Limitations/Notes |
---|---|---|---|---|
Search Engine Queries | dorksearch | dorksearch | Advanced Google dorking for targeted searches | AI Doesn't work, have to build manually & internet access. |
Google-FU | GitHub | Advanced Google dorking for targeted searches | Rate limits apply; may trigger CAPTCHAs | |
gdork | gist | Written in shell script, Gnu Linux | In dev; not sure If I'll finish this. | |
Biometric Analysis | Facecheck.ID | GitHub | Reverse image search bypassing paywalls | Requires Tampermonkey; extracts source links only |
Username/Email Search | Blackbird | GitHub | Fast cross-platform username/email lookup | CLI-only; lightweight |
Crow (GUI for Blackbird) | GitHub | GUI version of Blackbird | Same functionality as CLI | |
Sherlock | GitHub | Comprehensive username search across 300+ sites | False positives (e.g., Imgur); CLI-based | |
No-Shit-Sherlock (GUI) | GitHub | GUI wrapper for Sherlock | Inherits Sherlock’s limitations | |
Maigret | GitHub | Finds username connections (Sherlock fork) | Focuses on profile linkages | |
Maigret-Night (GUI) | GitHub | GUI for Maigret | Same as Maigret CLI | |
Holehe | GitHub | Checks email usage across sites | Imgur false positives; CLI-based | |
Email Compromises | Hudson Rock Extractor | GitHub | Manual email breach checker (Flask-based) | Not automated; requires manual input |
Geolocation | Google Maps | maps.google.com | Pinpoint locations/compare landmarks | Public data only; no advanced OSINT features |
geohints | geohints | a curated list that contains the most accurate and detailed information about metas in Geoguessr as possible. | used for Geoguessr, but can be used to give clues in where an image is located. | |
GeoGuessr GPT | GeoGuessr GPT | Use AI to pinpoint a photo | Can give out false info; it's AI so it will hallucinate! Only 3 uploads for free users. | |
findpiclocation | findpiclocation | Use AI to pinpoint a photo | May not be as accurate as GPT. | |
Generalized OSINT | OSINT Rocks | osint.rocks | Multi-tool: Hudson Rock, Holehe, GHunt (Gmail), phone/domain/username lookups | Web-based; combines multiple tools in one interface |
MISC CLI tools | zabasearch-auto | GitHub | A CLI tool to look up public info on someone in the USA | CLI, advanced usage |
link extractor and archive | GitHub | An archive tool for archive.ph, can extract links from a basic webpage | CLI, advanced usage; basic webpages only, Requires manual intervention (text edits FIND+REPLACE). | |
voter reg status | GitHub | A CLI tool that looks up voter info on an person | Only in PA, Needs county, zip, first last name, DOB. Advanced usage. Census data may be out of date. |
-
False Positives:
- Sherlock/Holehe: Imgur often returns misleading results—verify manually.
- Facecheck.ID: Extracts links but doesn’t analyze images; cross-reference with Pimeyes (10 searches) or others listed on 6.
-
GUI vs. CLI:
- CLI Tools (Blackbird, Sherlock, Maigret): requires technical familiarity.
- GUI Wrappers (Crow, No-Shit-Sherlock): Easier for beginners; same backend logic.
-
Email Investigations:
- Combine Holehe (account detection) + Hudson Rock Extractor (breach data) for thorough checks; see Toolchain Recommendations.
- For Gmail-specific OSINT, use GHunt (via OSINT Rocks).
-
Geolocation:
- Use Google Maps Street View to verify addresses/landmarks from other tools (e.g., ClustrMaps).
-
OPSEC Notes:
- Rate Limits: Tools like Google-FU may trigger blocks—use proxies/VPNs.
- Legality: Avoid scraping private data (e.g., Facebook pro) without consent.
-
Biometric Analysis: You can supplement your biometric analytics with these tools by extracting the results from:
- faceonlive.com (3 or 4 search limit, may need TOR)
- lenso.ai
After that open image in new tab and save or drag it into facecheck.id and compare (as mentioned earlier on step 1)
- Quick Username Search: Crow (GUI for indepth) → Maigret (GUI for indepth) → Sherlock (CLI for depth).
- Email Breaches: Have I Been Pwned → Pentester (freeish) → OSINT Rocks (Hudson Rock/Holehe) → LOLArchiver.
- Images: Facecheck.ID → Pimeyes → lenso.ai → faceonlive
- Files: Encrypted drives (LUKS) → veracrypt → keepassxc
Note on Pentester: Pentester can provide free results on usernames, etc but on a time limit, not worth to buy a service if you're smart and keep records (snapshot).
Note: For keepassxc it's a good idea to use a strong password or a YubiKey (hardware password/security key) you may also create an additional database, one that has the password you can remember; the other that has the generated database password for sensitive files.
For niche tools, refer to the Curated Lists section.
Pipeline discussed here
DISCLAIMER: Most of the email info found on these sites appear to be from a databrech from long ago; subjects on these sites can and possibly will still use their email found on these sites as people will rarely change email providers due to TFA + password managers unless if the email itself has been compromised in any way, shape, or form OR if they've changed emails due to harassment, spam, etc etc.
Tool | Lookup By | Returns | Notes |
---|---|---|---|
FastPeopleSearch | Name, Phone, Address | Age, Address, Phone, Email | Free; data may be outdated. |
That's Them | Name, Email, IP, VIN, Phone | IP, Addresses, Phone, Email | Aggregates data from Intelius/Spokeo; some paid results. |
Nuwber | Name, Phone, Email, Address | DOB, Address, Email, Phone | Detailed reports may require payment. |
IDCrawl | Name, Username, Phone, Email | Names, Usernames, Phone, Email | Focuses on usernames/social media. |
PeekYou | Name, Username, State | Age, Social Media, Emails, Addresses | Strong for social media profiling. |
Webmii | First + Last Name | Social Media, Search Results | Lightweight; scans public web/social profiles. |
PublicRecords | Name, Address, State | Name, Address, Partial Phone | Free directory; redirects to Intelius for paid details. |
ClustrMaps | Name, Address | Addresses, Residents, Property, IP Data | Focuses on geolocation/demographics; may include ownership history. |
fastbackgroundcheck | Name, Address, Phone Number | Name, Address, Phone Number, Emails | Seems to comb though billions of records as stated on it's website |
zbase | first, last name, city state | Names, Possible Relatives, User IDs, Address, Phone Number, Emails, education, job history | comes from various sources, as stated on it's faq, free partial look up and is accurate* |
- Free vs. Paid: Most tools offer basic info for free but upsell detailed reports (e.g., PublicRecords → Intelius).
- Data Sources: Many pull from the same breaches/public records (emails/phones often outdated but still in use).
- Specializations:
- Social Media: PeekYou, IDCrawl.
- Geolocation: ClustrMaps.
- Comprehensive: FastPeopleSearch, Nuwber, fastbackgroundcheck.
Disclaimer: Accuracy varies; users rarely update emails unless compromised. Use ethically!
- For additonal tools see Curated lists
Use this site; do not register, check a voter registration. Will probably need more info in some states; while others need less.
An automtic tool that I've made for pa voter services. Feel free to fork for other states.
Tool | Lookup By | Returns | Limitations/Costs | Notes |
---|---|---|---|---|
Have I Been Pwned | Email, Phone | Breach names, dates, compromised data | Free; no passwords/raw data | Trusted source; alerts for new breaches. |
BreachDirectory | Email, Username | Partial password hashes (SHA-1, first 4 chars), length | Free; no full passwords | Useful for credential stuffing checks. |
Breach.vip | Email, Username | Minecraft-focused leaks (usernames, IPs) | Free; requires login | Niche for gaming accounts; "memey" but functional. |
LeakPeek | Email, Username | Partial breach snippets (e.g., domains) | 5 free searches; Tor bypass possible | Paid plans for full data; obfuscates results. |
LOLArchiver | Email, Username | Full breach databases (e.g., emails, passwords) | Paid service only | For OSINT professionals; curated high-value leaks. |
Icebreaker | Local breach files | Parses/analyzes large breach datasets | Python/EXE; works best for <1000GB files | Demo script provided; use with caution (e.g., Facebook 533M leak). |
hashes.com | Hash (MD5, SHA-1, etc.) | Decrypted passwords (if hash is cracked) | Free/paid cracking tools | Useful for reversing hashes from breaches. |
pentester.com | Email, Username | Full breach details (more than HIBP) | Free; no Tor needed | Unofficial but extensive; may include sensitive data. |
-
Free vs. Paid:
- Free: HIBP, BreachDirectory, Pentester, Hashes.com.
- Limited Free: LeakPeek (5 searches), Breach.vip (login required).
- Paid: LOLArchiver, LeakPeek plans.
-
Specializations:
- Password Recovery: Hashes.com (decrypt hashes), BreachDirectory (partial hashes).
- Gaming Leaks: Breach.vip (Minecraft).
- Local Analysis: Icebreaker (Python tool for large datasets).
-
Ethical/Legal Notes:
- Many tools provide partial data (e.g., first 4 chars of passwords) to comply with ethics.
- Use Tor with LeakPeek to bypass search limits.
- Avoid misuse: Some tools (e.g., Pentester) may expose sensitive data.
-
For Large Datasets:
- Icebreaker + Facebook 533M (no passwords) for bulk analysis.
- Curated Lists: Check Curated Lists for more niche tools.
- Demo Scripts: Icebreaker includes a demo for testing.
Platform | Tool | URL | Functionality | Limitations/Notes |
---|---|---|---|---|
General | Social Searcher | social-searcher.com | Searches multiple platforms at once | Free tier has limited searches |
Snapchat | Snapchat Map | map.snapchat.com | View public Snapchat location stories | Requires Snapchat account |
Dumpor | dumpor.com | View profiles/stories anonymously | May have rate limits | |
Sotwe | sotwe.com | Anonymous Twitter browsing | No login required | |
Xcancel | xcancel.com | Alternative Twitter viewer | Lightweight interface | |
Nitter | nitter.net | Privacy-focused Twitter front-end | Avoids Twitter tracking | |
Facebook Search | facebook.com/search | Native Facebook search tool | Limited without login | |
WhoPostedWhat | whopostedwhat.com | Search Facebook posts by date/keyword | Requires precise queries, public accounts | |
r00m101.com | r00m101 | Get info from an active or deleted reddit account | Pricing for full scope possibly |
-
Facebook Private Accounts:
- Method 1: Create a fake account (difficult due to Facebook's verification)
- Method 2: Use browser's Inspect Element → Device Simulator (or mobile phone) + direct URL
- Always try logged out or in private mode first
-
LinkedIn Limitations:
- If profiles don't load:
- Wait 1-2 minutes (cookie/IP rotation)
- Create a basic account (avoid looking suspicious)
- HWID/IP tracking may block repeated searches
- If profiles don't load:
-
Twitter Alternatives:
- Use Nitter/Xcancel to avoid rate limits/tracking
- Sotwe work without login
-
Instagram:
- Dumpor bypasses some privacy settings
- Quick Use https://dumpor.io/v/USERNAME replace
USERNAME
with the user you are trying to see - Will not work with private accounts
-
Anonymity: Tools like Nitter/Dumpor avoid platform tracking
-
Mobile Tricks: Simulating mobile devices often works better for restricted content
-
Persistence: Some platforms (LinkedIn/Facebook) require patience or account creation
-
For additonal tools see the Curated Lists section below.
-
Awesome OSINT - a curated list of OSINT tools, blogs, and videos
-
OSINT Framework - a larger list of tools
-
OSINT Resources - Collection of OSINT resources that seems to be more up to date (includes NSFW)
-
A whole reddit wiki from the OSINT community
-
A list of social media, maps, domains, etc also listed in cipher387's OSINT collection.
-
bellingcat toolkit
OPT OUT
-
A whole big ass list to opt out and to compare info.
-
Results about you (google index) - Check what google emails you; actually visit the website and see about doing an opt-out there.
Google dorks: https://www.google.com/search?q= "first+last" "Street Address" "City state" "age"
-> Results about you (google index) -> big ass list -> inteltechniques opt out workbook -> People Search tools
Notice
Results about you (google index) can also be emailed so keep that in mind when comparing info I.E.: Google will find webistes containing your first-last name and address and will ask to remove it from the index. Before applying the removal process on google search be sure to remove info from the website itself that it's hosted on. Google Dorking seems to be a bit quicker and preemptive on removing info about yourself after you visit said sites (if applicable).
Also with doing google dorks the manual way is that you won't get flagged by google itself as a bot.
Additonal tools:
- For additonal tools see the curated-lists above
Donations:
If you find this useful feel free to donate to this monero address:
8BPdcsLtA5iWLNTWvYzUVyTWtQkM62e8r7xqAuwjXTSC4RcoSWqpmtyLsMYvz3QNZtT1rbgPUnmVpMAudhxTn6zkRxUFcZN