Open Source Intelligence (OSINT) isn't just for government agencies anymore. Whether you're a journalist verifying sources, a cybersecurity professional hunting threats, or just someone who wants to understand their own digital footprint β these tools are your starting point.
Here's a no-fluff breakdown of tools that actually work.
π People Search & Social Media
1. Sherlock
Find usernames across 400+ social networks simultaneously.
python3 sherlock username
Best for: Mapping someone's social media presence across platforms.
GitHub: github.com/sherlock-project/sherlock
2. Maigret
Sherlock's more powerful cousin β checks 3000+ sites and builds detailed reports.
maigret username --all-sites
Best for: Deep username investigations when Sherlock isn't enough.
3. WhatsMyName
Web-based username enumeration with constant community updates.
Best for: Quick browser-based searches without installing tools.
π§ Email Intelligence
4. Hunter.io
Find email patterns for any company. Type a domain, get the email format.
Best for: B2B research, finding professional contacts.
5. Have I Been Pwned
Check if an email appeared in data breaches.
Best for: Assessing account security, finding associated accounts.
6. Epieos
Reverse email lookup β finds connected Google accounts, social profiles, and more.
Best for: Mapping the accounts tied to a single email address.
π± Phone Number OSINT
7. PhoneInfoga
Open-source phone number scanner. Gets carrier info, line type, and attempts social media correlation.
Best for: Initial phone number reconnaissance.
8. Truecaller (with caution)
Massive crowdsourced caller ID database.
Best for: Identifying unknown numbers β but remember, your number is probably in there too.
π Domain & Infrastructure
9. Shodan
The search engine for internet-connected devices. Find exposed servers, webcams, databases.
Best for: Infrastructure mapping, finding exposed assets.
10. Censys
Similar to Shodan but with better certificate transparency data.
Best for: SSL/TLS certificate investigations, finding subdomains.
11. SecurityTrails
Historical DNS data. See what a domain pointed to years ago.
Best for: Tracking infrastructure changes over time.
πΊοΈ Geolocation & Images
12. Google Lens / TinEye
Reverse image search to find where an image originated or was reposted.
Best for: Verifying image authenticity, finding original sources.
13. ExifTool
Extract metadata from images β including GPS coordinates if they weren't stripped.
exiftool image.jpg
Best for: Finding location data embedded in photos.
14. GeoGuessr Skills + Google Earth
Manual geolocation using visual clues. Road signs, architecture, vegetation, sun position.
Best for: Locating photos/videos when metadata isn't available.
π Data Aggregators
15. IntelX (Intelligence X)
Search engine for darknet content, paste sites, and leaked data.
Best for: Finding leaked credentials, documents, historical data.
β οΈ A Note on Ethics
OSINT is powerful. With power comes responsibility.
- Don't stalk people. Seriously.
- Verify before you accuse. Correlation isn't proof.
- Know your local laws. Some techniques may cross legal lines depending on jurisdiction.
- Protect yourself. Use VPNs, separate browsers, and don't let your OSINT trail lead back to you.
π Want to Go Deeper?
We're building a community of OSINT practitioners, cybersecurity researchers, and privacy enthusiasts. No gatekeeping, just skills.
Join CloudSINT Discord: https://discord.gg/8WP5VwSS
Tools, techniques, and real investigations. See you inside.
This guide is part of an ongoing series. Follow for more OSINT breakdowns.
Top comments (0)