Online Databases

• Pipl (preferred), Spokeo (preferred), Instant Checkmate, Truth Finder, Black Book Online, ThatsThem, Intellius, Peekyou, Advanced Check, Rootsweb, Snitch.name, John Doe, MelissaData, Radaris, UserSearch, FastPeople, Webmii, Zaba Search, PeopleFinder, ZoomInfo, etc.
• More tools can be found here: https://inteltechniques.com/menu.html and https://github.com/jivoi/awesome-osint#-people-investigations
• These online databases have a monthly cost.
• There are often additional fees for history records or pdf report generation

Search engines (this list is not all encompassing):

• Google and Google Dorking techniques (see Google Dorking for more information)
• Internet Archive/ Wayback Machine
• AOL Search
• Ask
• Baidu
• Bing
• DuckDuckGo
• Yahoo
• Yandex

Public Records

• Birth and Death Records
• Marriage and Divorce Records
• Criminal Records
• Bankruptcy Records and lien information
• Some Military Records
  • Example Military search online tool: https://www.fold3.com/
• Voting Rolls
• Newspaper Records
  • Many news tools here: https://github.com/jivoi/awesome-osint#-news
• Some states also include: unemployment claims, campaign contributions, licenses and certifications, tax information, real estate transactions and deeds, census records, etc.

OSINT Tools (this list is not all encompassing, and all APIs need to be added prior):

• Recon-ng modules for individuals (“add profiles” and “add contacts” or use the “import” feature prior to running the following modules)
  • Have I Been Pwned hibp_breach and hibp_paste credential modules
  • FullContact module
  • Profiler module
  • Linkedin_auth module (Bing LinkedIn cache)
  • Adobe module
  • Bozocrack module
  • Hashes_org module
  • Pgp_search module
  • Dev_diver module
  • Namechk module
  • Mailtester module
  • Geocode and Reverse geocode modules
  • Pushpins modules
  • Jigsaw and pwnlist modules (APIs need to be purchased beforehand)
  • Many other recon-ng modules such as the Shodan and Twitter modules can help add to this list as well
• Maltego
• DataSploit python script (https://github.com/DataSploit/datasploit)
• Belati python script (https://github.com/aancw/Belati)
• Many other tools and scrapers can be found here: https://github.com/jivoi/awesome-osint#-people-investigations and https://inteltechniques.com/osint/menu.user.html

• Major Social Media websites (list is not all encompassing):

  • Classmates, Facebook, Flickr, Google+, Hi5, Instagram, Kik, LinkedIn, Meetup, Pinterest, Reddit, Snapchat, Swarm, Tumblr, Twitter, YouTube, etc.

  Scraping to obtain social media profiles associated with individual:

  • Recon-ng modules for finding social media accounts
    • Profiler module
    • Namechk module
    • Locations-pushpin modules
    • Twitter_mentioned and Twitter_mentions modules
  • DataSploit python script (https://github.com/DataSploit/datasploit)
  • Maltego
  • Knowem.com
  • CheckUsernames.com
  • Google Dorking (see Google Dorking for more information)
  • Many other tools and scrapers can be found here: https://github.com/jivoi/awesome-osint#-people-investigations and https://inteltechniques.com/osint/menu.user.html

Online Dating:

• eHarmony, Match.com, Zoosk, Tinder, OKCupid, etc.

Online Gaming:

• Miiverse, Playstation Network, Xbox Live, Twitch, Youtube, etc.

Communities:

• Google Groups, Yahoo Groups, Nextdoor, Alumni Groups, Meetups, etc.

Specific Interests:

• Reverbnation, Sportstats, DeviantArt, Nike Running Club, etc.

Blogs & Reviews:

• Blogger, Wordpress, Blogsearchengine, Notey, Yelp Reviews, Amazon Reviews, Google Reviews, etc.

Online Classifieds:

• Amazon, Craigslist, Ebay, Geebo, Oodle, etc.

Family Tree:

• Familysearch.org, Ancestry.com, Familytreenow.com, Genealogybank.com, etc.

Online Chat Communities:

• HipChat, Slack, Skype, WhatsApp, Discord, IRC, etc.

Scraping Tools for Geolocation Data:

• Recon-ng modules for geolocation searches:
  • Geocode and Reverse_geocode modules
  • Pushpin modules (Flickr, Picasa, Shodan, Twitter, Youtube)
• Cree.py python script (https://github.com/ilektrojohn/creepy)
• Google Maps APRS
• Echosec
• Social Bearing
• Shodan.io
  • geo: filter can be used with latitude and longitude coordinates that correlate with target individual’s physical address (results may vary in densely populated areas)

Pastebin Scrapers and Credential Dumps:

• Dumpmon (https://github.com/jordan-wright/dumpmon)
• CheckMyDump (https://twitter.com/checkmydump?lang=en)
• Custom Pastebins Tool includes 57 Paste Sites (https://inteltechniques.com/osint/menu.pastebins.html)
• PasteLert (https://andrewmohawk.com/pasteLert/)
• Recon-ng
  • hibp_breach and hibp_paste credential module
  • adobe module
  • bozocrack module
  • hashes_org module
  • additional purchase required for pwnedlist modules
• Various Torrent search engines contain breached credential dumps

Dark Web Tools/Techniques:

• Ichidan (ichidanv34wrx7m7.onion)
• DeepDotWeb
• Reddit Deep Web
• Reddit DarkNetMarkets
• Dark Net Stats
• OnionScan
• Tor Scan
• Onioff
• Hunchly Hidden Services Report
• Docker-onion-nmap
• Onion Investigator
• Onion Cab
• Hidden Wiki
• Core.onion
• Other Dark Web sites and tools can be found here: https://osintframework.com/ and https://tomokodiscovery.com/free-tools-osint-socmint-dark-web-darknet-tor-bitcoin/
• Various Torrent search engines contain a lot of breached data for download as well

Optional Sanity Checklist (Identified Personnel)

Install preferred OSINT tools and add necessary APIs within each tool

Perform at least one online database search for target individual’s name, username, and phone number.  Preferred online databases include Spokeo and Pipl, but a monthly fee is required (refer to Web Searches for list of other options)

Gather public record information for the target individual.  Some of these can be obtained quickly via the previous step but an additional fee is required.  Note that all public records can also be found for free via web searches using Google Dorking techniques or manual search engine digging as well (refer to Web Searches)

Use an automated recon tool to scrape information on target individual.  Preferred tool is Recon-ng and Maltego (refer to Automated Reconnaissance Scraping Tools for other options)

Create a list of social media accounts maintained by target individual and note their relationships, publicly listed interests, and privacy settings (refer to Social Media / Networking)

Gather overall online presence using obtained user interests as a guide (refer to Further Interests) and combine with username website scraping tools as well for quick validation (refer to Social Media / Networking)

Use geolocation tools and techniques to scrape target’s social media posts and pictures to obtain list of physical locations that target individual frequents (such as home address, local coffee shops, travel/ vacation spots, etc.)  This geolocation data can also be cross-referenced with Shodan.io to find potential IOT devices that belong to the user for further adversary exploitation (refer to Geolocation Searching)

Scrape pastebins and online dumps, and monitor the Dark Web for interesting released individual information and credentials (refer to Dark Web and Breached Credentials)