There is a multitude of possible starting points when initiating an open source investigation on a person, place, or thing. This is generally called the Discovery Phase, and it requires the researcher to compile all known assets relating to the investigation. These known assets can be a name, an alias, a username, a phone number, an email, a web address, or a combination of several of these. This article sets out and explains what actually happens after the discovery phase, based on the currently known assets. We will attempt to piece together a broader investigation from a single asset, which then allows the open source investigator to arrive at a more granular and specific target. This is usually done by eliminating inaccurate or biased information while drilling down into the likely accurate data about the specific person or entity.
OSINT Using a Username or Nickname
Online usernames are often the most readily available piece of information at the start of an OSINT investigation. Moreover, I have seen them plenty of times end up as the smoking gun as an investigation nears its end.
For example, let’s say we are simply given the username “osintmanFL”. This username was reported as being used on a popular social media platform, for example Instagram. Getting right to business, the first step is to use several search engines to find further information. Google, Bing, and Yandex are what I consider the ‘top three’ search engines for OSINT, each for different reasons. Searching for the username in these engines inside quotation marks (an exact-match search) is a good starting point.
In this case the quoted search returned no results; however, Google does a good job of parsing a quoted search into a ‘Did You Mean’ suggestion by spacing out known words and abbreviations.
It is also crucial to do your best to understand a username and any hints it could give. “osintmanFL” should be obvious if you’re up to date on your American state abbreviations. FL, or Florida, is an example of supplemental data that can be extracted from a username. Other common extractions from usernames that I’ve often seen in OSINT work are:
- Area codes (ex: username904)
- Birth dates (ex: username95)
- Unique digits (ex: username09234)
When you are able to extract any form of data from a username, you can refine or broaden your search. For example, the username “osintmanFL” turned up no results; however, “osintman florida” did.
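The extraction heuristics above (a state abbreviation glued to the handle, a two-digit year, a three-digit area code, a longer unique digit string) and the quoted search variants built from them, as an added example that is not part of the original article. The state-name table is a partial, constructed lookup for the demo; only the article’s own handles are used as input.

```python
import re

# Real USPS two-letter state codes; STATE_NAMES is a partial, constructed lookup for the demo.
STATE_CODES = set(
    "AL AK AZ AR CA CO CT DE FL GA HI ID IL IN IA KS KY LA ME MD MA MI MN MS MO MT NE NV "
    "NH NJ NM NY NC ND OH OK OR PA RI SC SD TN TX UT VT VA WA WV WI WY DC".split()
)
STATE_NAMES = {"FL": "florida", "CA": "california", "NY": "new york", "TX": "texas"}


def extract_hints(username: str) -> dict:
    """Split a handle into its word stem plus the candidate data hints the article lists."""
    hints = {"state": None, "area_codes": [], "years": [], "unique_digits": []}
    stem = username
    # A two-letter uppercase state code glued to the end or start, e.g. "osintmanFL".
    # Platforms that lowercase handles lose this signal, so only uppercase codes count.
    if len(stem) > 2 and stem[-2:] in STATE_CODES:
        hints["state"], stem = stem[-2:], stem[:-2]
    elif len(stem) > 2 and stem[:2] in STATE_CODES:
        hints["state"], stem = stem[:2], stem[2:]
    for run in re.findall(r"\d+", stem):
        if len(run) == 2:                                # "username95": plausible birth year
            hints["years"].append(run)
        elif len(run) == 3 and run[0] in "23456789":    # NANP area codes start with 2-9
            hints["area_codes"].append(run)
        elif len(run) >= 4:                              # "username09234": unique digit string
            hints["unique_digits"].append(run)
    # Word stem: separators and digits removed, lower-cased, ready for search queries.
    hints["stem"] = re.sub(r"[^a-z]", "", stem.lower())
    return hints


def search_variants(username: str) -> list:
    """Quoted search strings: the raw handle first, then the stem paired with each hint."""
    h = extract_hints(username)
    variants = [f'"{username}"']
    if h["state"]:
        variants.append(f'"{h["stem"]} {STATE_NAMES.get(h["state"], h["state"]).lower()}"')
    for value in h["area_codes"] + h["years"] + h["unique_digits"]:
        variants.append(f'"{h["stem"]}" "{value}"')
    return variants


if __name__ == "__main__":
    for handle in ("osintmanFL", "osint.manFL", "username904", "username95", "username09234"):
        print(handle, extract_hints(handle), search_variants(handle))
```

Every hint is a candidate, not a fact: "AL" at the start of "ALICE" would be flagged too, so each extracted value still needs corroboration before it narrows the search.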
OSINT Using a Web Domain
In a previous article, I went in depth into OSINT strategies for researching domain names. I would urge you to look over that writeup, which details how to examine historic ownership records, cached domain pages, and intentionally hidden subdomains.
OSINT Using an Email Address
Open source investigation research with just an email address is similar to the username method detailed above, but with a few caveats. For example, say “[email protected]” is the asset we are given; first, we want to see whether this email is actually in use. Email validators and data enrichment services, such as EmailHippo (tools.emailhippo.com), can check whether an email exists. There is a small chance of false positives with such validators, but if you already have doubts about the existence of an email provided to you, and a validator service also has doubts, it is reasonably safe to assume the email is not active.
As with username data extraction, examine the email and take notes of any numbers or letters of interest. For example, “[email protected]” has both the FL state abbreviation and, after further research, an area code of 904, which is related to Florida.
Additionally, checking different mail providers with the same username can turn up data missed during your initial search. The more popular mail domains you could search, using “[email protected]”, could be:
OSINT Using a Social Media Profile
I’ve written briefly on SOCMINT, or social media intelligence, which you can find here. SOCMINT is vast and rapidly changing, and keeping up with it would require a series of articles. Regardless, there are a few standardized OSINT methods to apply when given a social media profile to research, whichever platform it is on.
Username Extraction From Profile
This should seem obvious; for example, take “facebook.com/osint.manFL”. Given this social media profile, the very first data point is the appended username: extract it and perform a general username lookup of “osint.manFL”. The username of a social media profile is generally public no matter what the user’s privacy settings are.
Improper or Misconfigured Privacy Settings
Depending on the social platform, privacy settings can vary greatly. A user could have near-absolute privacy on their Facebook account, yet their linked Instagram account could have almost none. The major social networks often offer three distinct settings: 1. Public to friends only; 2. Public to friends and logged-in social media users; and 3. Public to everyone. In many cases I’ve seen option 2 selected, which lets logged-in users view more content than a user who isn’t logged in to the network, whether or not you are connected to the profile. That said, it’s good practice to be logged in while looking at a social profile rather than looking from a private window or while logged out.
This writeup covers the most basic starting point (the Discovery Phase) of an open source investigation. We’ve written many articles detailing each of these possibilities further and will continue to write up real-world examples of OSINT in action in detail. Finally, these are the opinions of my colleagues and myself, drawn from past professional experience. This is by no means an exhaustive treatment of the Discovery Phase, and we urge any readers with questions to comment or email our team if you need further explanation of a specific topic or strategy.