Open-Source Intelligence (OSINT) in 5 Hours - Full Course - Learn OSINT!

The Cyber Mentor · 2026-05-22
TL;DR

A methodology-first introduction to OSINT covering the full collection phase of the intelligence life cycle — from sock puppets and search engine operators through breach data, username tracking, people search, and social media investigation. Core message: tools break and websites disappear, but the investigative methodology endures.

Key Concepts

  • OSINT (Open Source Intelligence): gathering publicly available information on people, organizations, or topics using systematic methods
  • Intelligence Life Cycle: Planning → Collection → Processing → Analysis/Production → Dissemination; iterative, not strictly linear
  • Sock Puppet: a fake online persona used to conduct research without revealing the investigator's identity
  • Exif Data: metadata embedded in image files that can include GPS coordinates, device type, and timestamp
  • Credential Stuffing: using breached username/password pairs to attempt logins on other services
  • Password Spraying: testing one common password against many accounts
  • Graph Searching: (largely deprecated) Facebook's former ability to search relationships between users and content
  • Geofencing/Geocode search: filtering social media posts by GPS coordinates and radius
  • OPSEC (Operational Security): practices that prevent an investigator from being identified or alerting the subject

Notes

§Ethical and Legal Disclaimer

  • All techniques should only be used with explicit permission or on yourself
  • OSINT can be weaponized; treat it as a dual-use capability
  • Methodology matters more than any specific tool — sites go down, methods persist

§Intelligence Life Cycle

  • Planning & Direction: define who/what/when/where/why
  • Collection: bulk of this course; systematic data gathering
  • Processing: interpreting raw data
  • Analysis & Production: connecting data points, building a narrative
  • Dissemination: presenting findings to the client or authority
  • The cycle is non-linear — expect to loop back repeatedly

§Note-Taking Tools

  • KeepNote: older but functional; hierarchical tree structure; Windows/Linux/Mac
  • CherryTree: effectively the updated KeepNote
  • Notion: cloud-based, shareable, good template support
  • Obsidian / Joplin: well-regarded alternatives
  • OneNote: solid if already in the Microsoft ecosystem
  • Greenshot (Windows) / Flameshot (Linux/Mac): screenshot tools with annotation and obfuscation features
  • Recommended workflow: screenshot + annotate → paste directly into notebook

§Sock Puppets

  • Purpose: conduct investigations without attribution back to the real investigator
  • Two types: fully-built believable persona vs. a known-fake-but-respected pseudonymous account
  • Key creation steps:
      • Generate a fake identity at fakepersonname.com or similar
      • Generate a synthetic AI face at thispersondoesnotexist.com (not reversible by image search)
      • Use Privacy.com virtual credit cards to avoid financial attribution
      • Acquire a burner phone + Mint Mobile SIM for phone verification; immediately migrate verification to Google Voice, then discard SIM
      • Use a dedicated device never logged into personal accounts
      • Use a VPN matched to the persona's claimed location, or a mobile hotspot
  • Critical failure mode: logging into a sock Facebook account from a personal phone — it immediately syncs contacts and exposes connections
  • Build account history before using it for investigation

§Search Engine OSINT

  • Preferred engine: Google; Bing and DuckDuckGo produce noisier results for people searches; Yandex preferred for image searching
  • Core operators (work across most engines):
      • "exact phrase" — forces exact match
      • site:domain.com — restrict to a specific domain
      • -word — exclude a term
      • filetype:pdf / filetype:xlsx — filter by file format
      • intitle:word — word must appear in page title
      • inurl:word — word must appear in URL
      • intext:word — word must appear in body text
      • * — wildcard for unknown terms
      • AND / OR — boolean logic
  • Useful compound queries:
      • password filetype:xlsx site:target.com — hunt for exposed credentials
      • site:target.com -www — enumerate subdomains
      • "target name" -unwanted_term — exclude noise
  • Google Advanced Search (google.com/advanced_search): GUI version of all operators; also includes language, region, time range, and file-format filters
  • Time filter: Tools → time range; useful for finding recent activity
  • Cached results: accessible via Google; can reveal deleted content

§Image OSINT

  • Use multiple engines — each indexes differently:
      • Google Images (images.google.com): best for finding exact matches
      • Yandex Images: best for finding similar images and alternate photos of the same person; useful for missing persons
      • TinEye (tineye.com): can surface pages that don't appear in Google
  • Drag-and-drop or upload the image directly
  • Practical use: verify if a profile photo is stolen (catfishing, fake sock accounts)
  • Tool: Jeffrey's Image Metadata Viewer (exif.regex.info)
  • Key fields to extract: GPS latitude/longitude, device make/model, date/time taken
  • GPS coordinates → paste into Google Maps → exact location
  • Modern platforms (Twitter, Facebook, Instagram) strip Exif on upload; photos sent directly (e.g., in fraud cases) often retain it
  • Still operationally relevant as of course recording
  • Google Maps satellite view: assess building layout, parking, access points, guard positions, employee behavior
  • Street View: identify badge readers, door locations, dress codes, smoking areas (common social engineering entry points)
  • Drone reconnaissance complements satellite imagery for current state
  • For investigations: identify road access, remoteness, and discretion of approach routes
  • Look for: license plate format, steering wheel side, road markings, architecture, language on signs, vegetation, weather clues
  • Resource: long-form GeoGuessr strategy blog (linked in course) covering road markings by country, sign styles, driving-side conventions
  • Tool: GeoGuessr (one free play/day; free 2D map version available) — practice identifying locations from visual cues
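
The Exif bullets above note that photos sent directly often keep their GPS fields. As an added example (not from the course), this standard-library Python reads the GPS IFD from a JPEG's Exif block so you can check your own files before sharing them; the function names are this example's own, and the sample image is constructed inline using the coordinates from the page's geocode example.

```python
import struct

GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD

def _ifd(tiff, off, e):
    """Map each tag in the IFD at `off` to the offset of its 4-byte value field."""
    (n,) = struct.unpack_from(e + "H", tiff, off)
    return {struct.unpack_from(e + "H", tiff, off + 2 + 12 * i)[0]: off + 10 + 12 * i
            for i in range(n)}

def _gps(tiff):
    e = "<" if tiff[:2] == b"II" else ">"  # TIFF byte-order mark
    u32 = lambda off: struct.unpack_from(e + "I", tiff, off)[0]
    ifd0 = _ifd(tiff, u32(4), e)
    if GPS_IFD_TAG not in ifd0:
        return None
    gps = _ifd(tiff, u32(ifd0[GPS_IFD_TAG]), e)
    if not set(gps) >= {1, 2, 3, 4}:  # LatitudeRef, Latitude, LongitudeRef, Longitude
        return None
    def degrees(ref_tag, val_tag, negative):
        base = u32(gps[val_tag])  # three RATIONALs: degrees, minutes, seconds
        d, m, s = (u32(base + 8 * i) / (u32(base + 8 * i + 4) or 1) for i in range(3))
        value = d + m / 60 + s / 3600
        return -value if tiff[gps[ref_tag]:gps[ref_tag] + 1] == negative else value
    return degrees(1, 2, b"S"), degrees(3, 4, b"W")

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees, or None if no Exif GPS is embedded."""
    pos = 2  # skip the SOI marker
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        size = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return _gps(jpeg[pos + 10:pos + 2 + size])
        pos += 2 + size
    return None

def sample_jpeg():
    """Constructed input: SOI + Exif APP1 (34 deg 3 min N, 118 deg 14 min 24 s W) + EOI."""
    u32 = lambda n: struct.pack("<I", n)
    ent = lambda tag, typ, cnt, val: struct.pack("<HHI", tag, typ, cnt) + val
    rat = lambda *v: b"".join(struct.pack("<II", x, 1) for x in v)
    tiff = (b"II*\0" + u32(8) + struct.pack("<H", 1) + ent(GPS_IFD_TAG, 4, 1, u32(26)) + u32(0)
            + struct.pack("<H", 4) + ent(1, 2, 2, b"N\0\0\0") + ent(2, 5, 3, u32(80))
            + ent(3, 2, 2, b"W\0\0\0") + ent(4, 5, 3, u32(104)) + u32(0)
            + rat(34, 3, 0) + rat(118, 14, 24))
    body = b"Exif\0\0" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(body) + 2) + body + b"\xff\xd9"
```

For a file on disk, pass its bytes to `exif_gps`; a `None` result means no GPS block was found, which is what a platform-stripped copy should give.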

§Email OSINT

  • Hunter.io: identifies email format for a domain; lists known addresses; ~100 free searches/month
  • Phonebook.cz: bulk email lookup by domain; good for harvesting large lists
  • Clearbit Connect (Chrome extension): searches by company + role; reveals format and LinkedIn; ~100 free searches/month
  • Voila Norbert: similar to Hunter
  • Workflow: Google the target person/role → confirm name → use Hunter/Phonebook to identify format → guess address → verify
  • Email Hippo (tools.verifyemailaddress.io): returns good/bad/unknown
  • Email Checker (emailchecker.net): similar validation
  • Caveat: false positives exist; use as corroborating signal, not definitive proof
  • Entering an email on a login page and clicking "Forgot Password" can reveal:
      • Whether the account exists (page advances vs. rejects)
      • A partially masked recovery email or phone number
  • Risk: triggers a notification to the account owner — use only on test/sock accounts, never on a live investigation subject
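
The forgot-password leak described above, seen from the service owner's side, as an added example that is not from the course: a handler whose reply differs by account existence next to one that answers identically, plus an audit check and a miss counter for alerting. The account table, addresses, IPs and all function names are constructed for illustration.

```python
from collections import Counter

ACCOUNTS = {"alice@example.com": "a***e@example.com"}  # constructed: email -> masked hint
GENERIC = (200, "If an account exists for that address, a reset link has been sent.")
LIMIT = 5                      # requests allowed per source (no time window, for brevity)
attempts, misses = Counter(), Counter()
outbox = []                    # stand-in for the outgoing mail queue

def reset_vulnerable(email, source):
    """The behaviour the notes describe: the reply differs by account existence."""
    if email not in ACCOUNTS:
        return 404, "No account found for that address."
    outbox.append(email)
    return 200, "Code sent to " + ACCOUNTS[email]   # also discloses the masked hint

def reset_hardened(email, source):
    """Same status and body whether or not the account exists."""
    attempts[source] += 1
    if attempts[source] > LIMIT:          # throttle on all requests, not only misses,
        return 429, "Too many requests."  # so the 429 itself carries no signal
    if email.strip().lower() in ACCOUNTS:
        outbox.append(email.strip().lower())  # owner still gets the notification
    else:
        misses[source] += 1               # kept for alerting, never shown to the caller
    return GENERIC

def leaks_existence(handler):
    """Audit check: do replies for a known and an unknown address differ?"""
    known = handler("alice@example.com", "198.51.100.7")
    unknown = handler("nobody@example.com", "198.51.100.8")
    return known != unknown

def enumeration_suspects(threshold=3):
    """Sources with repeated resets for addresses that have no account."""
    return sorted(src for src, n in misses.items() if n >= threshold)
```

Response timing needs the same treatment as the body: queue the mail asynchronously so both branches take the same time.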

§Password / Breach Credential OSINT

  • Goal: find breached credentials tied to a target; identify password patterns; link accounts across services
  • Think of it as "red yarn" — each data point connects to others
  • Patterns to look for: repeated passwords, slight variations (e.g., Summer2020! and Summer2021!), shared hashes linking two accounts
  • HaveIBeenPwned (haveibeenpwned.com): free; shows which breaches an email appeared in; no passwords revealed; supports domain monitoring alerts
  • Dehashed (dehashed.com): paid (~$5/week, ~$150/year); most comprehensive; search by email, username, IP, name, address, phone, hash; returns plaintext or hashed passwords
  • Scylla.sh: free, partial database; searchable by email, domain, password; good for quick checks
  • WeLeakInfo / LeakCheck / Snusbase: paid alternatives to Dehashed
  • Hashes.org: attempt to reverse (crack) a hash to plaintext

§Username OSINT

  • Namecheckr.com, Knowem.com, Namecheckup.com: scan dozens of platforms simultaneously; show where a username is taken vs. available
  • Treat "taken" as "account exists there" — verify manually
  • Export results to CSV/PDF for documentation
  • Many apps reveal user existence (or full name) on login attempt or slow-type search (e.g., Snapchat's autocomplete)
  • Kik (kik.me/username): often shows display name and profile picture — can be reverse-image-searched
  • Snapchat: login attempt reveals "cannot find user" vs. valid account
  • Don't overlook adult platforms if the investigation warrants it
  • Comment and post history can inadvertently disclose location, employer, education, habits
  • Even anonymous accounts leak identity through accumulated detail
  • Search Reddit via Google: "target term" site:reddit.com
  • Sort by new/hot/top to find time-relevant posts

§People Search OSINT (US-Focused)

  • Whitepages.com / TruePeopleSearch.com: best free people-search engines; provide name, address, age, relatives, phone
  • FastPeopleSearch, FastBackgroundChecks, Spokeo, 411.com, PeopleFinder, That'sThem: similar; results vary
  • WebMii: aggregates web mentions, images, social profiles for a person
  • Caveats: some data is outdated or wrong; verify any finding before relying on it
  • All support reverse phone and reverse address lookup
  • VoterRecords.com: searches public voter data for states that publish it
  • Returns: registered address, party, race, gender, county, registration date, active/inactive status
  • Highly reliable for current or recent address of a registered voter

§Phone Number OSINT

  • Start with Google: search the number with and without hyphens; try quoted strings; try spelled-out digits (used to evade bots on Craigslist-style posts)
  • Whitepages.com reverse phone: often more accurate than Google alone
  • TrueCaller (truecaller.com): crowd-sourced caller ID; reveals name if stored in another user's contacts; log in with a throwaway account — it uploads your contacts
  • CallerID Test: quick name lookup; 5 free searches/day; clear cache/use incognito to extend
  • Infobel.com: international phone lookup by country
  • Forgot-password technique: enter phone on account recovery to get partial email confirmation (bidirectional linking)

§Birth Date OSINT

  • People-search engines often include age/birth year
  • Google search: "target name" birthday or intext:birthday site:twitter.com
  • Look for birthday congratulation tweets/posts addressed to the target
  • Facebook and LinkedIn sometimes display birthdays publicly by default — check and remove your own if unwanted

§Resume / Professional Profile OSINT

  • Search: "target name" resume filetype:pdf or filetype:doc
  • Check site:docs.google.com, site:drive.google.com, site:scribd.com
  • LinkedIn via Google: "target name" site:linkedin.com
  • Resumes can disclose: current employer, address, phone, email, certifications, timeline of employment

§Social Media OSINT

  • Twitter:
      • Search operators:
          • from:username — all tweets by a user
          • to:username — tweets sent to a user
          • @username — mentions of a user
          • "exact phrase" — phrase search
          • since:YYYY-MM-DD until:YYYY-MM-DD — date range
          • geocode:lat,lng,radius — tweets from a geographic area (e.g., geocode:34.05,-118.24,10km)
      • Advanced Search: twitter.com/search-advanced — GUI for all operators
      • TweetDeck: real-time multi-column monitoring; combine search operators in columns; track users, hashtags, geolocations simultaneously
      • Analytics tools:
          • SocialBearing.com: sentiment, hashtag history, tweet sources (reveals OS/apps used), top interactions
          • TwimExplore / Twitonomy: similar analytics, interaction maps
          • MentionMapp: visual graph of interactions and hashtags
          • TweetBeaver: convert username↔ID (ID persists through username changes); download tweet history; find conversations between two users
          • Spoonbill.io: tracks all profile changes over time (bio, name, pinned tweet, website)
          • Sleeping Time: infers sleep schedule from tweet timing
          • TinfoLeak: leak/analytics report; shows apps used, hashtags, mentions
  • Facebook:
      • Graph search largely deprecated; cat-and-mouse game with Facebook's privacy updates
      • Profile URL: facebook.com/username — right-click page source, Ctrl+F user_id to find numeric ID (persists through username changes)
      • Search: People → filter by education, workplace, city to narrow results
      • Search photos of [person] to find tagged photos not on their own profile — reveals associates and historical locations
      • IntelX.io and Sowdust search tools: Facebook-specific search interfaces using entity ID
      • Look at: About, Photos, Check-ins, Friends, Likes, Recommendations given/received
  • Instagram:
      • instagram.com/username for public profiles
      • Right-click profile picture → open in new tab → full-size for reverse image search
      • InstaDp.com (instadp.com/profile/username): download full-size profile picture
      • ImgInn.com (imginn.com/username): browse and download posts
      • Find numeric user ID for tracking through username changes
      • Use site:instagram.com "target name" in Google to find cached or cross-referenced content
  • Snapchat:
      • Username enumeration via login attempt
      • Snap Map (map.snapchat.com): publicly posted Snaps plotted on a live map; filter by location to find content from a specific area
  • Reddit:
      • Post and comment history is the primary intelligence source
      • Search within a user's profile for location, employer, hobby, and personal detail slips
      • Best accessed via Google with site:reddit.com
  • LinkedIn:
      • Contact Info section may expose phone, email, birth date
      • Activity tab shows recent posts even on otherwise restricted profiles
      • Company page reveals team members, headcount, office location
      • Connections list (if visible) maps professional relationships
      • Recommendations show direct working relationships (named and described)
      • LinkedIn Lion (LION) open networkers: connect to expand your network reach; don't mass-request unknowns or risk account restriction
  • TikTok:
      • Public videos and profile accessible at tiktok.com/@username
      • Profile picture: right-click → open in new tab → reverse image search
      • Historical data from the Musical.ly era (predecessor app) may still surface via Google cache
      • Likes and following lists may be visible; use as relationship mapping

Actionable Takeaways

  1. Adopt a note-taking system before starting any OSINT work — choose one tool (CherryTree, Notion, etc.) and use it consistently with screenshots and source citations
  2. Search yourself first — use every technique in this course on your own name, email, phone, and usernames to understand your exposure before investigating others
  3. Create a sock puppet — even a basic one, following the persona-generation