Posted on January 2nd, 2018
It has been a busy month in regards to online search (OSINT) techniques. I have updated almost all of my online search tools and discovered several third-party options that have recently surfaced. Many of these were announced by others on my Forum and in the Slack Channel. All OSINT links and tools can be found on my TOOLS page.
IntelTechniques Communities Search Tool (https://inteltechniques.com/osint/communities.html): I created this new tool out of necessity. I am finding that many of my targets have a presence within online communities such as Reddit, Voat, 4Chan, Meetup, Topix, and others. This tool creates custom URL searches that are superior to the standard searching within a site’s search menu. These tools allow you to specify whether your target is a real name, email address, username, or domain name in order to isolate the appropriate results. While there are already dozens of options here, I anticipate this tool to grow quickly. Today, I added the 300gb+ Reddit archive API by Pushshift.
IntelTechniques Email Search Tool (https://inteltechniques.com/osint/email.search.html): I removed a few dormant search queries and replaced them with better options, including Email Hunter, Reverse Mails, and a few others. This tool now queries 19 services with a single search.
IntelTechniques Person Search Tool (https://inteltechniques.com/osint/person.html): I completely re-wrote this tool in order to incorporate some of the newest people search options, re-order the priority of the searches, and allow a quick execution of all search options. Specifically, I added Fast People Search, Advanced Background Checks, and a few others. This tool now queries 24 services with a single search.
IntelTechniques Reverse Image Search Tool (https://inteltechniques.com/osint/reverse.image.html): I updated the Baidu reverse image search. They changed the URL submission address, but all five image search options should be working now.
IntelTechniques Telephone Search Tool (https://inteltechniques.com/osint/telephone.html): I removed a few dormant search queries and replaced them with better options, including True People Search, Fast People Search, Advanced Background Checks, and a few others. This tool now queries 18 services with a single search.
Free Carrier Lookup (http://freecarrierlookup.com): This is one of three options I have found useful for identifying cellular providers of a target telephone number. The benefit with this service (and the others mentioned below) is that they will usually identify a VOIP provider. If you are researching an internet-based number, you will often find the service listed here, such as Google Voice, Twilio, etc. These have been much more helpful than the traditional sites that only say “VOIP Number”.
Text Magic Carrier (https://www.textmagic.com/free-tools/carrier-lookup): Similar to Free Carrier Lookup, this service identifies providers of landline, cellular, and internet telephone numbers.
Carrier Lookup (https://www.carrierlookup.com): Similar to Free Carrier Lookup, this service identifies providers of landline, cellular, and internet telephone numbers.
US Phonebook (https://www.usphonebook.com): This is yet another telephone search service, but I have found unique results here on occasion.
Fast People Search (https://www.fastpeoplesearch.com): This database appears to possess identical results as the True People Search option, with one huge caveat. Those that removed their search results from one site may still be exposed on the other.
John Doe (https://johndoe.com): This appears to be the same company as the previous option, but again, opt-outs from one service do not carry over to others.
Find-a-Grave (https://www.findagrave.com): This database is one of the most complete archive of grave locations, searchable by name. This can be used to help verify a death or locate a city of interest in relation to your target’s deceased relatives.
Reverse Mails (http://reversemails.com): Most of my individual email searches on this site have been unproductive. However, searching a target domain name has been extremely successful. You will likely locate full names, addresses, and telephone numbers associated with your target email addresses and websites.
Whoxy (https://www.whoxy.com/reverse-whois): This service searches an email address or real name and attempts to find any current or previous domain registration associated with the target. These sites are nothing new, but additional sources of this data can reveal traces that others have missed.
Hunter (https://hunter.io/email-verifier): This is now my favorite email address verification service. It checks formatting, notifies you if the address looks “risky”, verifies whether it is a disposable service, checks the mail records, and provides an overall indication if an address is real or fake.
TCPIPUtils (https://www.tcpiputils.com): This is yet another domain search tool. Most of the data here is redundant with other utilities.
DNS Trails (https://dnstrails.com): This is another Domain/IP search tool, but with much more benefit. When an email address, name, or physical address is associated with a domain, a cross-search identifies other websites of interest. There are other sites that also do this, but these options appear to dig a lot deeper.
URL Scan (https://urlscan.io): Similar to the previous two options, but this service also includes any historic screen captures, which could identify removed content.
Zoom Eye (https://www.zoomeye.org): This appears to be a clone of Shodan. However, I did locate unique data not available elsewhere. This is another search engine for online devices (not websites). In other words, this is where you go creep on people that did not disable guest access to their web cams…
My Geo Position (http://mygeoposition.com): This is a very thorough tool for converting coordinates, addresses, altitude, etc. There are no personal details on this site, but could be useful for verification of cited data located from other searches.
FakeSpot (https://www.fakespot.com): I don’t know how this helps in investigations, but it is interesting. Supply a URL to a product on amazon, and it attempts to identify the fake reviews, as well as provide an overall indication of the amount of robot-inserted reviews of products. It also displays reviews that appear identical to other products and isolates suspect user names that appear to be fake.
Better Tweet Deck (https://github.com/eramdam/BetterTweetDeck): This is not a website, but a browser extension. If you use TweetDeck for your live Twitter investigations, this software enables many enhanced features. My favorites are the ability to customize the format of dates, customize the format of names in tweets, and remove the t.co redirection on links.
Investigative Dashboard (https://data.occrp.org): This search engine provides access to almost 100 million data leaks such as property data and sensitive documents. A search of my own name revealed a handful of PDF documents which cited my work. I had never seen these before from traditional searching.
Vehicle Registration Queries: I have found the following websites will identify the make, model, year, engine and style when providing a license plate and state:
Note that the last two options will also provide the VIN of the vehicle, which can then be searched at the following:
https://www.carfax.com/processQuickVin.cfx (Provides Vehicle Data)
http://vin.place/searchVIN.php (Provides Name, Address, Vehicle)
https://www.vindecoderz.com (Provides Mileage)
https://www.checkthatvin.com (Confirms Vehicle Data)
https://www.nicb.org (Checks Theft Reports)
https://www.searchquarry.com/vehicle_records (Vehicle Make, Model, & Year)