Introduction
Open Source Intelligence (OSINT) is the art of finding truth in public data. No exploits. No social engineering. Just observation, correlation, and patience.
This writeup covers my methodology for tracing digital footprints across public platforms — the foundational skill of any OSINT investigation.
Note: All examples use fictional personas. Never use these techniques to stalk, harass, or dox real individuals.
The Methodology
Step 1: Seed Data
Every investigation starts with a seed — a single piece of information:
- A username
- An email address
- A phone number
- A profile photo
- A domain name
One data point is all you need to start pulling the thread.
Step 2: Username Enumeration
A single username can unlock dozens of profiles. People reuse handles across platforms out of convenience.
Tools:
- Sherlock — Checks 300+ sites for username existence
- WhatsMyName — Similar but with different site coverage
- Namechk — Domain and social media availability
sherlock target_username --print-found
What to look for:
- Matching bios across platforms
- Consistent profile photos
- Cross-linked accounts
- Creation dates (account age = commitment to the handle)
Step 3: Email Correlation
Email addresses are identity anchors. They connect registrations, data breaches, and professional profiles.
Techniques:
- Have I Been Pwned — Check if the email appeared in data breaches (reveals what services they use)
- Google dorking — "[email protected]" in quotes to find public mentions
- GitHub commits — Email addresses in git commit history are often overlooked
- Domain WHOIS — Historical WHOIS records may contain registration emails
site:github.com "[email protected]"
"[email protected]" filetype:pdf
Step 4: Metadata Analysis
Every file contains metadata. Photos, documents, PDFs — they all leak information.
Photo EXIF data:
- GPS coordinates (if location services were enabled)
- Camera model (narrows down device)
- Timestamps (activity patterns)
- Software used for editing
exiftool target_photo.jpg
Document metadata:
- Author name
- Organization
- Software version
- Revision history
- Printer names (yes, really)
exiftool target_document.pdf
Step 5: Social Graph Mapping
People don't exist in isolation. Their connections reveal as much as their own profiles.
What to map:
- Followers/following overlap across platforms
- Tagged photos and mentions
- Group memberships
- Shared content and reposts
- Comment interactions
Tools like Maltego visualize these connections, but a simple spreadsheet works for smaller investigations.
Step 6: Timeline Construction
Once you have data points, arrange them chronologically:
2020-03 — Username first appears on GitHub
2020-07 — Same username registers on Twitter
2021-01 — Email found in breach dataset (LinkedIn breach)
2021-03 — Blog post reveals workplace
2022-06 — Conference talk (name + face + employer confirmed)
2023-01 — New domain registered (WHOIS matches email)
A timeline reveals patterns: career changes, relocations, interest shifts, and operational security improvements (or lack thereof).
Operational Security Lessons
If you're doing OSINT on yourself (and you should):
- Audit your usernames. Search yourself with Sherlock. You'll be surprised.
- Check breach databases. HIBP is free. Know what's exposed.
- Strip metadata. Before uploading photos or documents anywhere.
- Compartmentalize identities. Different handles for different contexts.
- Monitor your footprint. Set up Google Alerts for your name, email, and handles.
The Ethics Line
OSINT is powerful. It can find missing persons, expose fraud, and support journalism. It can also be weaponized for stalking, harassment, and doxing.
The rule is simple: Use it to protect. Use it to inform. Never use it to harm.
If your investigation wouldn't hold up to ethical scrutiny, stop. The void has boundaries.
— Void