A Practical Walkthrough of OSINT: Tools, Techniques, and Real Uses
A Practical Walkthrough of OSINT: From Search Engines to the Dark Web
OSINT (Open Source Intelligence) is all about collecting clues or information from the internet: things people post publicly, data websites reveal, and sources hidden in plain sight. Organizations use OSINT for investigations, threat hunting, security analysis, and even solving cybercrime. What makes OSINT powerful is that you don’t break into anything; you only use what’s openly available.
OSINT is a crucial part of cybersecurity. The very first stage of penetration testing or hacking is information gathering, and that is the simplest way to describe OSINT: information gathering, using only what is available online.
There are several processes to follow when carrying out OSINT. In this article I'll share important tips on how to gather information, or carry out OSINT, while also ensuring your tracks are covered properly.
Preparing the Environment
Before starting any investigation, you need the right tools and setup. Preparing your environment simply means protecting your computer from viruses, trojans, and other malware, because an infection can affect the integrity of your findings.
This usually includes:
- Basic OSINT tools like search engines, mapping sites, and metadata viewers
Setting up the environment protects you, keeps your searches clean, and helps avoid leaving digital footprints during investigations.
Some useful tips: activate Windows Defender, keep the system updated, and do not use Administrator accounts for information gathering.
OSINT Tools, How to Use Them & Links
1. Database & Web Searches
a. Google Dorking
Link: google.com
How to use:
Use advanced search operators to reveal hidden information.
Example:
This helps you find public PDF files, accounts, and pages that normal searches won’t show.
b. Rocketreach – Enumeration
Link: rocketreach.co
What it does:
- Finds emails
- Finds phone numbers
- Finds social profiles
- Works for companies and individuals
How to use it:
Go to rocketreach.co
Type a name, company, or domain
Example:
Search:
c. Whois Domain Lookup
Link: whois.domaintools.com
How to use:
Enter any website → get information like domain owner, registrar, emails, phone numbers (if not hidden).
d. ViewDNS.info — A Multi-Purpose OSINT Tool
Link: viewdns.info
What it is:
ViewDNS.info is an all-in-one online toolkit that lets you look up a domain, IP address, DNS information, and even the history of changes. It’s one of the best sites for quick, simple OSINT checks on websites.
What You Can Do With ViewDNS
ViewDNS gives you multiple tools in one place:
- DNS Lookup – shows DNS records (A, MX, TXT, etc.)
- Reverse IP Lookup – find all domains hosted on the same server
- Whois Lookup – get domain ownership info
- IP Location – shows country and sometimes city
- Reverse Whois – find all domains owned by the same person/company
- Historical Whois – view past ownership information
- Traceroute – track the route between your system and a server
This is useful for mapping an organization’s online footprint.
f. Whoxy
Whoxy is a WHOIS-lookup & domain-intelligence service. It shows domain ownership history.
Link: whoxy.com
It offers several features:
- WHOIS Lookup — fetch current public registration data for a domain.
- WHOIS History — see past registration / ownership info for domains.
- Reverse WHOIS / Reverse Lookup — find all domains associated with a given registrant name, email or organization
2. Archived & Cached Pages
a. Wayback Machine
Link: web.archive.org
How to use:
Paste a website URL → browse older versions, including deleted pages.
Great for getting information someone tried to hide.
b. Google Cache
Link: Use: cache:website.com/page
How to use:
Type in the browser:
This gives Google’s last stored version of the page.
c. Archive.today
Link: archive.ph
How to use:
Paste any page → it saves a snapshot that cannot be removed by the website owner.
3. Social Media Intelligence
a. Instagram/Facebook
Link: instagram.com
How to use:
Search a place name in the search bar and pick “Places” to see all posts uploaded from that location. You can also use advanced keyword search by quoting the term, e.g. "John Doe".
Facebook also holds a massive amount of information about individuals, so when carrying out OSINT it is important to check most of these platforms.
b. Twitter/X Advanced Search
I personally use Twitter/X for OSINT and I highly recommend using it; in cases of blockchain address OSINT, Twitter/X tends to be handy.
Link: x.com/search-advanced
How to use:
Filter posts by:
Words, Date, Location, Account
Example: Search tweets from a place using the operator:
c. LinkedIn Search Filters
Link: linkedin.com
How to use:
Filter by company, job title, country, or keywords. This is great for profiling people or companies. You can also use advanced keyword search, e.g. "Linda Shibuya".
Safety tip: when searching or carrying out OSINT on LinkedIn, ensure you set your account privacy to anonymous so it doesn't alert the user that you are visiting their profile.
5. Image Information
a. ExifTools
Link: exif.tools
How to use:
Upload an image → It reveals EXIF metadata like:
- GPS coordinates (if not removed)
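To check your own images before publishing them, the following added example (not part of the original article or of exif.tools) reads the GPS tags from a JPEG's EXIF block locally and strips the block. The function names and the sample image bytes are constructed for illustration; only the Python standard library is used.

```python
from struct import pack

def exif_span(jpeg):
    """Return (start, end) of the first EXIF APP1 segment before SOS, or None."""
    pos = 2 if jpeg[:2] == b"\xff\xd8" else len(jpeg)
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        end = pos + 2 + int.from_bytes(jpeg[pos + 2:pos + 4], "big")
        if jpeg[pos + 1] == 0xE1 and jpeg[pos + 4:pos + 10] == b"Exif\0\0":
            return pos, end
        pos = end
    return None

def _ifd(tiff, ptr, order):
    """Map tag -> raw 4-byte value field for the IFD whose offset is in `ptr`."""
    off = int.from_bytes(ptr, order)
    n = int.from_bytes(tiff[off:off + 2], order) if ptr else 0
    ents = (tiff[off + 2 + 12 * i:off + 14 + 12 * i] for i in range(n))
    return {int.from_bytes(ent[:2], order): ent[8:12] for ent in ents}

def _degrees(tiff, raw, order):
    """Decode three RATIONALs (deg, min, sec) at the offset stored in `raw`."""
    at = int.from_bytes(raw, order)
    v = [int.from_bytes(tiff[at + 4 * i:at + 4 * i + 4], order) for i in range(6)]
    return sum(v[2 * k] / (v[2 * k + 1] or 1) / 60 ** k for k in range(3))

def exif_gps(jpeg):
    """Return (lat, lon) in decimal degrees from the EXIF GPS IFD, or None."""
    span = exif_span(jpeg)
    tiff = jpeg[span[0] + 10:span[1]] if span else b""
    order = "little" if tiff[:2] == b"II" else "big"
    ifd0 = _ifd(tiff, tiff[4:8], order)
    gps = _ifd(tiff, ifd0.get(0x8825, b""), order)   # 0x8825: GPS IFD pointer
    if not gps.keys() >= {1, 2, 3, 4}:               # lat/lon refs and values
        return None
    lat, lon = (_degrees(tiff, gps[t], order) for t in (2, 4))
    return (-lat if gps[1][:1] == b"S" else lat, -lon if gps[3][:1] == b"W" else lon)

def strip_exif(jpeg):
    """Return the JPEG bytes with every EXIF APP1 segment removed."""
    while (span := exif_span(jpeg)) is not None:
        jpeg = jpeg[:span[0]] + jpeg[span[1]:]
    return jpeg

def sample_jpeg():
    """Constructed input: SOI + EXIF APP1 (10.5 N, 20.25 W) + EOI, no pixels."""
    exif = (b"Exif\0\0II" + pack("<HI", 42, 8) + pack("<HHHII", 1, 0x8825, 4, 1, 26)
            + pack("<IH", 0, 4) + pack("<HHI4s", 1, 2, 2, b"N") + pack("<HHII", 2, 5, 3, 80)
            + pack("<HHI4s", 3, 2, 2, b"W") + pack("<HHII", 4, 5, 3, 104) + pack("<I", 0)
            + pack("<6I", 10, 1, 30, 1, 0, 1) + pack("<6I", 20, 1, 15, 1, 0, 1))
    return b"\xff\xd8\xff\xe1" + pack(">H", len(exif) + 2) + exif + b"\xff\xd9"
```

A non-None result from `exif_gps` means anyone who downloads the file can read that location; `strip_exif` removes the whole EXIF block, including camera and timestamp tags.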
b. Google Lens
Link: lens.google
How to use:
Upload or paste an image → Google shows similar images and where else it appears online.
Online Communities, Dark Web & Virtual Currencies
a. Reddit OSINT Searches
Link: reddit.com
How to use:
Search keywords like:
- “company name + leak”
- “username + subreddit”
b. Ahmia (Dark Web Search Engine)
Link: ahmia.fi
How to use:
Use Tor Browser → visit the site → search .onion sites safely.
I can't provide information or procedures to do this.
c. Blockchain Explorer
Link: blockchain.com/explorer
How to use:
Paste any Bitcoin wallet address → see transaction history, wallet activity, and movement of funds.
d. OnionScan
Link: github.com/s-rah/onionscan
How to use:
Run scan on a .onion site → it reveals:
- Linked services
- Leaks
- Security issues
Reporting
Reporting is the final step in any OSINT investigation. It’s where you take everything you found and present it clearly so someone else can understand the results without guessing.
A good OSINT report should:
- Stay factual – no assumptions or personal opinions
- Show evidence – screenshots, links, timestamps
- Be organized – separate findings by section (domain info, social media, images, etc.)
- Explain the relevance – why each piece of information matters
- Be easy to read – simple language, short paragraphs
Think of reporting as telling a story of what you discovered, step by step, in a way that someone who wasn’t there can follow and verify every detail.
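One way to keep evidence, links, timestamps and relevance together so a reader can verify each entry, as an added example (not from the original article). The `Finding` fields, the SHA-256 hash of each saved artifact, and the sample data are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from itertools import groupby

@dataclass(frozen=True)
class Finding:
    section: str      # report section, e.g. "Domain info", "Images"
    source: str       # link the evidence was captured from
    captured_at: str  # UTC capture time, ISO 8601
    sha256: str       # hash of the saved artifact (screenshot, page copy)
    relevance: str    # why this piece of information matters

def record(section, source, artifact, relevance, when=None):
    """Create a Finding, hashing the artifact bytes at capture time."""
    when = when or datetime.now(timezone.utc)
    return Finding(section, source, when.isoformat(timespec="seconds"),
                   hashlib.sha256(artifact).hexdigest(), relevance)

def verify(finding, artifact):
    """True if the stored artifact still matches the hash in the report."""
    return hashlib.sha256(artifact).hexdigest() == finding.sha256

def render(findings):
    """Plain-text report: one block per section, entries in capture order."""
    ordered = sorted(findings, key=lambda f: (f.section, f.captured_at))
    lines = []
    for section, group in groupby(ordered, key=lambda f: f.section):
        lines.append(section.upper())
        for f in group:
            lines += [f"  Source:    {f.source}", f"  Captured:  {f.captured_at}",
                      f"  SHA-256:   {f.sha256}", f"  Relevance: {f.relevance}", ""]
    return "\n".join(lines)

def sample_findings():
    """Constructed data; example.com is a reserved documentation domain."""
    t0 = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    return [
        record("Images", "https://example.com/team.jpg", b"jpeg bytes",
               "Photo still carries GPS metadata", t0),
        record("Domain info", "https://example.com/", b"whois output",
               "Shows registrar and creation date", t0),
    ]
```

If `verify` returns False for a stored screenshot or page copy, the artifact has changed since capture and should not be cited as evidence.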
