OSINT Search Techniques


OSINT (Open Source Intelligence) refers to the collection of data and information by exploiting publicly available resources. It is a valuable tool for digital intelligence and investigation processes, using cyber tools to find strategic information from open sources that are obtained legally and ethically. In this article, we will explore the various techniques and tools used in OSINT search.

What is OSINT?

OSINT has been around since the beginning of time and its origins can be traced back to World War II, where it was primarily used by security agencies. However, with the advent of the Internet in 1983, OSINT has evolved into a powerful tool for gathering information from publicly accessible sources online and offline.

The explosive growth of the Internet has led to a massive volume of valuable digital data being produced constantly. This has made OSINT gathering a necessity for organisations such as government departments, non-government departments, and business corporations. Since OSINT relies on publicly accessible sources, anyone can conduct information gathering using available tools and techniques.

The Value of OSINT in Investigations

OSINT is valuable for investigations due to its less rigorous processing and exploitation processes, as well as its shorter timeline for gathering information compared to other intelligence disciplines like HUMINT, SIGINT, MASINT, and GEOINT.

Everyone leaves digital traces of their information, and OSINT helps in finding and exploiting these traces. There are three main methods of collecting OSINT sources of information: passive, semi-passive, and active. The choice of method depends on the scenario and the depth of data required.

  • Passive: This is the most commonly used method, which targets publicly available resources. It is also known as reconnaissance.
  • Semi-passive: This method involves lightly investigating the target servers without raising any alarms.
  • Active: This method involves direct interaction with the system to gather information.

The OSINT cycle consists of five steps: Planning, Gathering, Analysis, Dissemination, and Feedback. Due to the overwhelming amount of information available, the reconnaissance phase is further divided into five sub-phases:

  1. Source Information: This is the initial phase where potential sources of information are identified and documented for later use.
  2. Data Harvesting: Information is collected from the selected sources and other sources that are discovered during this phase.
  3. Data Processing and Integration: The harvested information is processed to extract actionable intelligence.
  4. Data Analysis: The processed information is analysed using OSINT analysis tools.
  5. Results Delivery: The final stage where the OSINT analysis is completed and the findings are presented to other team members.

OSINT Tools and Techniques

There are numerous OSINT tools available, both free and commercial. In this section, we will focus on some of the most popular tools used in the OSINT search process. These tools help in gathering information and running it through specific tools to discover more about a person or entity.

Google Searching and Dorking

Google is a widely used web search engine that allows users to search for text in publicly accessible documents offered by web servers. Google searching, also known as Google Dorking, involves using advanced search strings within a web browser to find specific information. Common operators used in Google Dorking include “intitle,” “inurl,” “filetype,” “ext,” and “intext.” These operators help in narrowing down search results to find specific information on the web.


WHOIS is a query response protocol used for querying databases that store registered users or assignees of Internet resources such as DNS, IP addresses, and autonomous systems. WHOIS lookup tools allow users to search for domain information and retrieve details about the registrant, registrar, and other relevant information.


Spokeo is a search engine that allows users to confidentially lookup information about people using their name, phone number, address, or email. It provides publicly available information such as public records, criminal records, school records, and more. Similar websites to Spokeo include OSINT Framework, Family Tree Now, Pipl, ThatsThem, US Search, Zabasearch, and Radaris. These websites are useful for checking if any potentially damaging information is publicly available.


DataSploit is a tool found within Kali or BlackArch Linux that is used to collect targeted data on a particular domain, email, username, or phone number. It organises the results coherently in HTML and JSON reports or text files. DataSploit attempts to find credentials, API keys, tokens, subdomains, domain history, legacy portals, and more. Recon-ng and theHarvester are also useful tools built into Kali Linux for OSINT search.


Shodan is a popular OSINT tool specifically designed for searching Internet-connected devices, including ICS, IoT devices, and video game systems. Shodan GUI provides more functionality and allows users to view live camera feeds and visually depict geographically where vulnerabilities are located worldwide. It provides a comprehensive footprint of devices connected online and is a valuable resource for researchers.


Maltego is an OSINT tool developed by Paterva, available in the Community Edition (CE) for free. It is an inbuilt tool in Kali Linux and helps in performing reconnaissance against targets using built-in transforms. Maltego queries DNS records, whois records, search engines, social networks, APIs, and extracts metadata to find correlational relationships between various entities. It can be used to gather information about individuals, companies/organisations, websites, domains, IP addresses, and more.

Other Tools

There are many other OSINT tools available for exploration, such as Automater and Sublist3r. Additionally, there are search engines specifically designed for the Dark Web, such as DeepDotWeb, Hidden Wiki, OnionScan, and Tor Scan, which can provide useful information. The collection of OSINT information is only limited by one’s imagination. Any tool can be customised and used once the basic understanding of OSINT is acquired.


OSINT search techniques are valuable tools for gathering information from publicly accessible sources. The use of OSINT tools and techniques allows investigators to gather information quickly and efficiently. By utilising tools like Google searching, WHOIS lookup, Spokeo, DataSploit, Shodan, and Maltego, investigators can uncover valuable insights and correlations. Continuous learning and exploration of OSINT tools and techniques can enhance one’s ability to safeguard information and conduct effective investigations. Happy learning and exploring OSINT!

This website uses cookies. By continuing to use this site, you accept our use of cookies.  Learn more