Top OSINT Techniques

OSINT (open-source intelligence) is the process of collecting data from openly accessible sources. There are thousands of such sources and, accordingly, dozens of techniques for studying them.

If we treat every method or mechanism used by OSINT tools as a "technique", we can find hundreds of them. For example, we can search by keywords, hashtags, parts of code, username, phone number, etc. However, if we look at the fundamental differences in approaches, they can be grouped into three main techniques. We will consider them below with examples.

Collecting and analyzing public data contributing to hacking or provocations

This technique is most often used by companies, although individuals can also apply it to protect their reputations. In essence, a person should find all available public information and evaluate whether it can be used to hack company websites or reveal provocative details about a person.

For example, WHOIS gives data about the addresses, names, and phone numbers that a company used to register a domain. In combination with or DomainIQ services, which provide information about the IP, WHOIS can tell a lot about the owner of a particular website.

Even without such specialized information, open-source searches can help hackers steal someone's profile. For example, if a stalker wants to access a person's page, they only need to know the answers to the security questions used to recover the password. For instance, they can find your mom's maiden name and pet's name in old social media posts.

For this reason, this technique is used to find potentially security-threatening information and remove it.
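A self-audit of the WHOIS exposure described above can be scripted. The following is an added example, not code from the original article: the WHOIS text, domain, and contact values are constructed placeholders, and the field names and masking markers are assumptions based on common registrar output.

```python
import re

# Constructed sample WHOIS response for a placeholder domain (not real data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-CORP.TEST
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization: Example Corp
Registrant Street: REDACTED FOR PRIVACY
Registrant Phone: +1.5555550100
Registrant Email: jane.doe@example-corp.test
Admin Email: Please query the RDDS service of the Registrar
Tech Email: hostmaster@example-corp.test
Name Server: NS1.EXAMPLE-CORP.TEST
"""

# Contact fields that can identify a person or feed social engineering.
SENSITIVE = re.compile(r"^(Registrant|Admin|Tech)\s+(Name|Street|Phone|Email)$", re.I)
# Markers registrars and privacy services put in place of real values (assumed list).
MASKED = re.compile(r"redacted|privacy|withheld|not disclosed|please query", re.I)
# Shared role mailboxes do not point at one individual.
ROLE_MAILBOX = re.compile(r"^(hostmaster|postmaster|abuse|admin|domains?|noc|security)@", re.I)

def parse_whois(text):
    """Return (field, value) pairs from 'Key: Value' lines, skipping comments."""
    pairs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        if value.strip():
            pairs.append((key.strip(), value.strip()))
    return pairs

def exposed_fields(text):
    """List contact fields whose value is published unmasked."""
    findings = []
    for key, value in parse_whois(text):
        if not SENSITIVE.match(key) or MASKED.search(value):
            continue
        if key.lower().endswith("email") and ROLE_MAILBOX.match(value):
            continue  # role address: acceptable to publish
        findings.append((key, value))
    return findings

if __name__ == "__main__":
    for key, value in exposed_fields(SAMPLE_WHOIS):
        print(f"exposed: {key} = {value}")
```

Each reported field is a candidate for registrar privacy protection or replacement with a role contact.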

Searching for information outside the company to find security breaches

Although, at first glance, this technique is similar to the previous one, it has one significant difference. In this case, the OSINT specialist is looking for information that has become publicly available due to a security breach. Sometimes, such data can be found on the surface of the Internet. 

For instance, a person might find his or her photos that are intended only for one person and were in private messages. Their placement in public resources means that either someone hacked into the account, or the person to whom the pictures were sent leaked them to the Internet. In both cases, this situation shows a data security problem.

Very often, OSINT specialists also need to know the tools for scanning the deep and dark web. For example, an investigator can use Tor (The Onion Router) software to access the dark web and find leaked databases of a company. A finding of this kind shows that the company's website protection has gaps that need to be closed.

An example of selling a leaked database on the dark web

Threat hunting using a threat intelligence platform (TIP) or tools

This technique is a logical continuation of the previous one. Specialists must track how information leaked into the public domain and why it happened. For example, in one case, the problem may be in the software, which left a loophole for hackers. In another case, the reason may be much simpler: an employee accidentally or deliberately leaked sensitive information.

Moreover, this technique can be used on its own to identify the problem. Investigators usually rely on a threat intelligence platform or tools that require specialized technical knowledge. For example, Wireshark analyzes and supports the decryption of hundreds of protocols, and Nmap checks ports. To most people this output means nothing, but IT professionals can read security weaknesses from it and fix them.

Analysis results provided by Wireshark

Analysis and comparison of data

This technique stands apart because it is not really an approach but an obligatory part of any research. Almost any investigation requires that the data obtained be analyzed, grouped, and compared to draw a conclusion. This process may be necessary even to find information such as the name of a mobile phone number's owner, if the number is tied to different social network profiles or addresses. It matters all the more in complex investigations of connections between people and companies. For this reason, this technique can be called fundamental and put in a separate category.

Moreover, approaches to using this technique may also differ depending on the case and the investigator. In some situations, the connection can only be discovered by applying logic and attention to detail. In other cases, different computer programs have more options to build connections.

For example, the Maltego service can organize information into tables and charts, as well as build links between different websites, people, and companies. In this way, the investigator can find the necessary connection, which is difficult to grasp due to a large amount of information, using computer algorithms.

A chart of connections built by Maltego
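The grouping and comparison step can be illustrated on the results of a self-audit. This is an added example, not code from the original article and not how Maltego works internally: the records, identifiers, and the `link_records` and `bridging_ids` helpers are constructed for illustration.

```python
from collections import defaultdict

# Constructed findings from a self-audit: each entry is one public record and
# the identifiers visible in it. All names and values are placeholders.
FINDINGS = [
    {"source": "whois", "ids": {"phone:+1.5555550100", "email:jane.doe@example-corp.test"}},
    {"source": "forum-post", "ids": {"user:jdoe_84", "email:jane.doe@example-corp.test"}},
    {"source": "social-a", "ids": {"user:jdoe_84", "pet:biscuit"}},
    {"source": "marketplace", "ids": {"phone:+1.5555550199"}},
]


def link_records(findings):
    """Group records that share any identifier (union-find over record indexes)."""
    parent = list(range(len(findings)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]  # path halving
            i = parent[i]
        return i

    seen = {}  # identifier -> first record index that carried it
    for idx, rec in enumerate(findings):
        for ident in rec["ids"]:
            if ident in seen:
                parent[find(idx)] = find(seen[ident])
            else:
                seen[ident] = idx

    groups = defaultdict(list)
    for idx, rec in enumerate(findings):
        groups[find(idx)].append(rec["source"])
    return sorted(sorted(g) for g in groups.values())


def bridging_ids(findings):
    """Identifiers present in more than one record: the links to remove first."""
    count = defaultdict(int)
    for rec in findings:
        for ident in rec["ids"]:
            count[ident] += 1
    return sorted(i for i, n in count.items() if n > 1)
```

In the sample, the shared e-mail address and username tie the pet name in one profile to the WHOIS contact, so removing or changing those two identifiers breaks the chain.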


All these techniques can be used for OSINT investigation and are self-contained. For some purposes, one of these techniques can be sufficient, but other cases require consistent use of all of them. The main thing is to analyze and compare data by using tools or just rational thinking.

