The video discusses several methods and tools for OSINT, which can be categorized as follows:
1. Search Engine OSINT:
- Basic Searching: Utilizing search engines like Google, DuckDuckGo, Bing, Yandex, and Baidu to find information.
- Search Operators: Using specific operators to refine searches:
site:: To search within a specific website (e.g., site:reddit.com).
filetype:: To search for specific file types (e.g., filetype:pdf, filetype:docx, filetype:xlsx).
intext:: To find pages where a specific term appears in the body text.
inurl:: To find pages where a specific term appears in the URL.
intitle:: To find pages where a specific term appears in the title.
- Wildcards (*): To substitute for unknown words in a search query.
- Quotes (""): To search for an exact phrase.
- Google Advanced Search: A user-friendly interface to apply various search operators, including date ranges, languages, regions, and file types.
- Search Engine Comparison: Recognizing that different search engines yield different results (e.g., Google's effectiveness for personal searches vs. Yandex's for image searching).
2. Image and Location OSINT:
- Reverse Image Searching: Using tools like Google Images, Yandex Images, and TinEye to find the origin or similar instances of an image. Yandex is noted for its ability to find variations of an image, which can be useful for tracking down people.
- EXIF Data Viewing: Utilizing tools like exif.regex.info (Jeffrey's Image Metadata Viewer) to extract metadata from images, which can include the device used, date/time taken, and crucially, GPS coordinates (latitude and longitude) indicating the exact location where the photo was taken.
- Geolocation Identification: Analyzing visual cues within an image (e.g., architecture, street signs, landmarks, which side of the road vehicles drive on, presence of snow, vegetation, language on signs) to deduce the geographical location. The game GeoGuessr is recommended for practice.
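A worked example of the EXIF GPS extraction described above, added here as illustration (it is not code from the course or from Jeffrey's Image Metadata Viewer): it walks the JPEG marker segments, finds the Exif APP1 segment, follows IFD0 to the GPS IFD, and converts the degrees/minutes/seconds rationals into signed decimal coordinates. The JPEG it parses is constructed inline with made-up coordinates so that it runs offline; the tag numbers and type codes are the standard EXIF/TIFF ones.

```python
import struct
from fractions import Fraction

# Standard EXIF tag numbers: IFD0's pointer to the GPS IFD, and the GPS
# latitude/longitude tags with their N/S and E/W reference strings.
GPS_IFD_POINTER = 0x8825
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _read_ifd(tiff, endian, offset):
    """Parse one TIFF IFD into {tag: value} for the field types this example
    needs (ASCII=2, LONG=4, RATIONAL=5); entries of other types are skipped."""
    entries = {}
    (count,) = struct.unpack_from(endian + "H", tiff, offset)
    for i in range(count):
        pos = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", tiff, pos)
        raw = tiff[pos + 8:pos + 12]      # value inline if it fits, else an offset
        if typ == 2:                      # ASCII, NUL-terminated
            if n <= 4:
                data = raw[:n]
            else:
                (o,) = struct.unpack(endian + "I", raw)
                data = tiff[o:o + n]
            entries[tag] = data.rstrip(b"\x00").decode("ascii", "replace")
        elif typ == 4:                    # LONG (used for the GPS IFD pointer)
            (entries[tag],) = struct.unpack(endian + "I", raw)
        elif typ == 5:                    # RATIONAL: n pairs of uint32 at offset
            (o,) = struct.unpack(endian + "I", raw)
            vals = []
            for k in range(n):
                num, den = struct.unpack_from(endian + "II", tiff, o + 8 * k)
                vals.append(Fraction(num, den) if den else Fraction(0))  # guard den == 0
            entries[tag] = vals
    return entries


def _dms_to_decimal(dms, ref):
    """(deg, min, sec) rationals + hemisphere letter -> signed decimal degrees."""
    deg, minutes, seconds = (float(x) for x in dms)
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref.upper() in ("S", "W") else value


def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the Exif APP1 segment, or None."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("corrupt marker segment")
        marker = jpeg[pos + 1]
        if marker in (0xD9, 0xDA):        # EOI / start-of-scan: no more metadata
            break
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # includes itself
        segment = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xE1 and segment.startswith(b"Exif\x00\x00"):
            tiff = segment[6:]
            endian = {b"II": "<", b"MM": ">"}[tiff[:2]]
            magic, ifd0_off = struct.unpack(endian + "HI", tiff[2:8])
            if magic != 42:
                raise ValueError("bad TIFF header")
            ifd0 = _read_ifd(tiff, endian, ifd0_off)
            if GPS_IFD_POINTER not in ifd0:
                return None
            gps = _read_ifd(tiff, endian, ifd0[GPS_IFD_POINTER])
            if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
                return None
            return (_dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF]),
                    _dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF]))
        pos += 2 + length
    return None


def build_sample_jpeg(lat_dms, lat_ref, lon_dms, lon_ref):
    """Constructed test input: a minimal JPEG whose only content is a big-endian
    Exif APP1 (header @0, IFD0 @8, GPS IFD @26, rational data @80)."""
    gps_off, data_off = 26, 80
    rat = lambda dms: b"".join(struct.pack(">II", f.numerator, f.denominator) for f in dms)
    lat_b, lon_b = rat(lat_dms), rat(lon_dms)
    tiff = b"MM" + struct.pack(">HI", 42, 8)
    tiff += struct.pack(">HHHII", 1, GPS_IFD_POINTER, 4, 1, gps_off) + struct.pack(">I", 0)
    tiff += struct.pack(">H", 4)
    tiff += struct.pack(">HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(">HHII", GPS_LAT, 5, 3, data_off)
    tiff += struct.pack(">HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00\x00\x00"
    tiff += struct.pack(">HHII", GPS_LON, 5, 3, data_off + len(lat_b))
    tiff += struct.pack(">I", 0) + lat_b + lon_b
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"


# Constructed coordinates, not from a real photo: 37°46'30.5" N, 122°25'10" W
SAMPLE_JPEG = build_sample_jpeg(
    [Fraction(37), Fraction(46), Fraction(305, 10)], "N",
    [Fraction(122), Fraction(25), Fraction(10)], "W")

if __name__ == "__main__":
    print(exif_gps(SAMPLE_JPEG))   # approximately (37.775139, -122.419444)
```

Two caveats worth keeping in mind when using this on real material: most social platforms and messaging apps strip EXIF on upload, so GPS data is usually only present in originals (attachments, file shares, images embedded in documents), and a photo can carry coordinates that were edited or belong to a different device, so a location from EXIF should be corroborated with the visual-cue analysis above before it is relied on.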
3. Email OSINT:
- Hunter.io: A tool to find email addresses associated with a domain and identify email patterns (e.g., first initial last name).
- Phonebook.cz: Another resource for finding email addresses, domains, and URLs.
- Clearbit Connect: A Chrome extension that helps discover email addresses and company information, often providing LinkedIn profiles and other data points.
- Voila Norbert: Similar to Hunter.io, used for finding email addresses.
- Have I Been Pwned (HIBP): While primarily for checking breach data, HIBP can indirectly help verify email addresses by showing if they have appeared in known data breaches.
- Email Verification Tools: Websites like emailhippo.com or validate-email-address.com can be used to check if an email address is valid without directly interacting with the owner.
- Forgot Password Feature: Using the "forgot password" or account recovery process on websites (like Google or Yahoo) to potentially reveal partial email addresses or phone numbers associated with an account.
- Infobel: A directory that can be used to search for phone numbers and contact information in various countries.
- Truecaller: An app that uses crowd-sourced data to identify phone numbers, which can reveal names and associated information, but requires caution due to its contact-uploading nature.
- Search Operators with Email: Combining search operators (like site:, intext:) with email-related terms on search engines.
4. Password OSINT:
- DeHashed.com: A website that allows searching for leaked credentials (usernames, emails, passwords, hashes) from various data breaches.
- Breach Databases: Utilizing databases like those found on DeHashed, Have I Been Pwned, or other leak sites to find historical credentials.
- Pattern Recognition: Identifying patterns in leaked passwords or usernames that might suggest reuse or predictable structures (e.g., sequential numbers, common words, slight variations).
- Hash Analysis: Taking leaked password hashes and attempting to crack them or see if they appear in known cracked hash databases (e.g., hashes.org).
5. Hunting Usernames and Accounts:
- Namecheckup.com / Namecheck.com: Websites that allow users to enter a username and check its availability across numerous social media platforms and websites, revealing where a username is active.
- Social Media Enumeration: Directly searching platforms like Kick, Snapchat, or TikTok using potential usernames to see if accounts exist or if profiles reveal associated information (like names, images, or other linked accounts).
- Profile Analysis: Examining user profiles for clues like images (which can be reverse image searched), listed connections, followers, or any associated public information.
- Username ID Conversion: Tools like TweetBeaver can convert usernames to user IDs and vice versa, which is useful because a username can change while the numeric ID stays constant.
- Web Archives & Caches: Using tools or search engine caches to find potentially deleted information or past versions of profiles.
6. People Searching:
- WhitePages.com / TruePeopleSearch.com: Primarily US-based databases that allow searching for individuals by name, address, phone number, or associated relatives, potentially revealing current and past addresses, age ranges, and associates.
- Google Searching: Using Google with specific search operators and combinations of names, locations, and keywords (like "birthday," "resume") to find publicly available personal information.
- Specialized Search Engines: Utilizing sites like FastPeopleSearch, Webmii, PeekYou, PeopleLooker, etc., which aggregate public records.
- IP Address Lookups: Entering IP addresses into search engines or specialized tools to potentially find associated locations or user information.
- Voter Records: Checking public voter registration records (e.g., via voterecords.com) in states where this information is publicly accessible to find names, addresses, and political affiliations.
7. Social Media OSINT (General):
- Twitter:
- Basic Search: Searching by keywords, hashtags, user handles (from:, to:, @username), and exact phrases.
- Advanced Search: Using date ranges (since:, until:) and combinations of search terms to narrow down results.
- Profile Analysis: Examining tweets, replies, mentions, photos/videos, likes, followers, and people the user follows.
- TweetDeck: A tool for organizing Twitter feeds into customizable columns, allowing real-time monitoring of specific users, keywords, hashtags, geolocation data, and interactions.
- Analytics Tools: Websites like SocialBearing.com and TwinKnown.com provide analytics on user activity, sentiment, engagement, and sources of tweets.
- Spoonbill.io: Tracks changes to Twitter profiles over time, revealing historical usernames, bios, pinned tweets, and banner images.
- Tinfoolexport: A tool to search for leaked data associated with Twitter accounts.
- Geolocation Search: Using the geocode: operator with coordinates and a radius (e.g., geocode:40.7128,-74.0060,1km) to find tweets posted within a specific area.
- Facebook:
- Basic Search: Searching for people, posts, photos, videos, marketplace items, groups, etc.
- Filtering: Refining searches by location, education, work history, and relationships.
- "Photos of X" Search: Searching for photos tagged with a person's name, which can reveal images not directly posted by the user.
- Profile Analysis: Examining posts, check-ins, likes, photos, videos, and connections. Tools like SODAS on GitHub can assist in searching public posts by user ID, keyword, and date.
- Instagram:
- Basic Search: Searching for users by name or username.
- Profile Analysis: Examining photos, videos, tagged posts, followers, and following lists.
- Image Downloading: Tools like instadp.com or imagein.com allow downloading full-size images from profiles, which can then be used for reverse image searches.
- User ID: Finding a user's unique ID, which can be useful if their username changes.
- Snapchat:
- Username Enumeration: Typing a candidate username slowly into the add-friend search so that matching accounts appear, confirming whether an account exists.
- Snapchat Map: Accessing map.snapchat.com (or the in-app feature) to see publicly shared Snaps in specific locations, potentially revealing activity or user presence.
- Reddit:
- Direct Reddit Search: Using Reddit's internal search function to find posts or comments related to a username, keyword, or phrase.
- Google Search with site:reddit.com: Combining Google search operators with Reddit to find more specific or historical information.
- Post and Comment History: Analyzing a user's comment and post history can reveal detailed personal information, opinions, location clues, and even unintended disclosures.
- LinkedIn:
- Profile Analysis: Extracting information on work experience, education, skills, endorsements, recommendations, publications, projects, interests, connections, and contact details.
- Network Analysis: Examining connections to identify potential associates and expand the investigation.
- Activity Feed: Reviewing recent posts and interactions.
- Banned/Shadow-Banned Users: Being aware that aggressive connection requests can lead to account restrictions.
- User ID: Similar to Twitter, finding a user's unique ID can help track them if their public profile changes.
8. Website OSINT:
- Subdomain Enumeration: Using search operators (e.g., site:example.com -www, which excludes the main www host so other subdomains surface) or specialized tools to discover subdomains of a target website.
- Company Information: Searching for company details, including contact information, employee directories, and sensitive documents that might be accidentally exposed.
- Finding Sensitive Documents: Using filetype: operators combined with keywords like "password," "credentials," or "confidential" to find exposed documents.
The overarching principle is to combine these methods, cross-reference information, and use critical thinking to piece together a comprehensive profile of a target.
About this video
- Video Title: Open-Source Intelligence (OSINT) in 5 Hours - Full Course - Learn OSINT!
- Channel: The Cyber Mentor
- Speakers: Heath Adams
- Duration: 04:29:56
Overview
This video provides a comprehensive introduction to Open-Source Intelligence (OSINT) fundamentals, covering various techniques and tools for gathering publicly available information. The instructor, Heath Adams, guides viewers through topics such as creating sock puppet accounts, utilizing search engine operators, performing reverse image searches, extracting EXIF data, identifying geographical locations, and gathering information from social media platforms like Twitter, Facebook, Instagram, Snapchat, Reddit, and LinkedIn. The course emphasizes ethical use of OSINT and methodological approaches over specific tools.
Key takeaways
- OSINT Fundamentals: The video introduces the core concepts of OSINT, explaining its purpose and application in gathering publicly available information.
- Methodology Over Tools: The emphasis is placed on understanding the underlying methods and processes of OSINT, as tools can change but methodologies remain consistent.
- Ethical Considerations: A strong disclaimer highlights the importance of using OSINT techniques ethically and responsibly, with a warning against malicious intent.
- Practical Techniques: The course covers a wide range of practical OSINT techniques, including search engine operators, reverse image searching, EXIF data analysis, geolocation identification, and social media profiling.
- Social Media OSINT: Specific modules are dedicated to gathering intelligence from various social media platforms, detailing how to extract information from each.
- Sock Puppets: The importance and creation of "sock puppet" accounts are explained as a method for maintaining anonymity during investigations.
- Information Gathering: Techniques for finding email addresses, phone numbers, birthdates, resumes, and even password breach information are demonstrated.
- Geographical Location OSINT: Methods for identifying geographical locations from images and analyzing satellite imagery are discussed.