OSINT Investigation Workflow
A structured approach to open-source intelligence gathering, from target identification through to reporting. Covers passive reconnaissance, social media analysis, email and phone lookups, and data correlation.
Define Your Target and Scope
Before touching any tool, get clear on what you're looking for and what's in scope. Are you investigating a person, an organization, a domain, or an incident? Write down the question you are trying to answer, who authorized the work, and whether querying third-party platforms (which several of the lookup tools below do, even though they never contact the target directly) is acceptable. Then write down your known starting points - a name, email address, username, domain, phone number, or IP address. This becomes your seed data.
Tip: Keep a running log from the start. Every finding should be timestamped and sourced. You'll thank yourself later when you need to write this up.
Email and Username Reconnaissance
Start with the lightest touch. If you have an email address, check which platforms it's registered on. If you have a username, search for it across hundreds of sites. This builds your initial map of the target's digital footprint without contacting anything the target controls; the queries go to the platforms, not to the person.
Tip: Holehe probes password reset and registration flows to check whether an email is registered, stopping before anything is sent, so the target is not notified. Sherlock and Maigret cast a wide net across hundreds of platforms. Run all three; they each catch sites the others miss. Verify hits by hand before recording them: sites that return a normal page for non-existent users produce false positives, and a matching handle on its own is not proof it belongs to your target.
Phone Number and Identity Lookups
If you have a phone number, check which platforms it's linked to. Cross-reference with email findings to build a more complete picture. Look for patterns - does the target reuse usernames? Do they have accounts on platforms that suggest specific interests or locations?
Tip: PhoneInfoga parses the number (country, carrier type, formatting) and queries multiple data sources for phone number intelligence. Ignorant checks platform registrations via password reset flows, similar to how Holehe works for emails, but covers far fewer platforms, so treat a clean result as "no evidence" rather than "no accounts".
Social Media Deep Dive
With a list of confirmed accounts, dig deeper into each platform. Look for connections, posted content, check-in locations, photos with metadata, follower/following lists, and activity patterns. Note that the major platforms strip EXIF data (including GPS) on upload, so photo metadata is mainly worth checking on images hosted elsewhere: personal sites, forums, file shares, or originals linked from a post. Public social media posts are some of the richest OSINT sources available.
Tip: Instaloader can download entire Instagram profiles including posts and metadata; stories and some other content require a logged-in session, which exposes the account you use to the platform, so never use one tied to you. Twint scrapes Twitter without needing API access, but it is unmaintained and has broken repeatedly against changes to Twitter/X, so confirm it still works before relying on it. Social Analyzer correlates accounts across platforms automatically.
Domain and Infrastructure Recon
If the investigation involves a domain or organization, map their infrastructure. Find subdomains, identify hosting providers, check DNS history, and look for related domains. Certificate transparency logs are a goldmine for discovering subdomains and related services: every publicly trusted certificate is logged, so a search for the domain returns every hostname anyone has ever had a certificate issued for. Remember that a logged name proves a host existed at some point, not that it is still live; resolve and check expiry dates before spending time on it.
Tip: SpiderFoot automates collection across a large number of modules and correlates the findings. theHarvester pulls emails, subdomains, and IPs from multiple search engines. Use Subfinder and Amass together for the most complete subdomain list. SpiderFoot and Amass both have active modes (brute-forcing, scanning) as well as passive ones; if the investigation must not touch the target's infrastructure, restrict them to their passive settings.
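The certificate transparency step above is easy to do by hand once you have the raw log search result. The following is an added example (not code from this page or from any of the tools it names) that parses a crt.sh-style JSON response, keeps only hostnames actually under the target domain, de-duplicates case and wildcard variants, and splits the result into names worth resolving now, names seen only in expired certificates, and wildcards. The JSON below is a constructed sample in the shape crt.sh returns (one record per certificate, several newline-separated names in `name_value`); the hostnames, dates and the look-alike domain in it are made up.

```python
"""Parse a crt.sh-style JSON response into a triaged list of in-scope hostnames."""
import json
import re
from datetime import datetime

# Constructed sample in the shape of crt.sh's JSON output
# (https://crt.sh/?q=%25.example.com&output=json). It is NOT real log data:
# the names, dates and the look-alike domain are made up for this example.
SAMPLE_CRTSH_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "www.example.com",
     "name_value": "example.com\nwww.example.com",
     "not_before": "2024-01-10T00:00:00", "not_after": "2024-04-09T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "*.example.com",
     "name_value": "*.example.com\nexample.com",
     "not_before": "2023-06-01T00:00:00", "not_after": "2023-08-30T23:59:59"},
    {"issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1",
     "common_name": "vpn.corp.example.com",
     "name_value": "vpn.corp.example.com\nmail.example.com\nVPN.corp.example.com",
     "not_before": "2024-02-01T00:00:00", "not_after": "2025-02-01T23:59:59"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=R3",
     "common_name": "example.com.attacker-test.net",
     "name_value": "example.com.attacker-test.net",
     "not_before": "2024-03-01T00:00:00", "not_after": "2024-05-30T23:59:59"},
])

HOSTNAME_RE = re.compile(r"^(\*\.)?([a-z0-9-]+\.)+[a-z0-9-]+$")


def in_scope(host: str, domain: str) -> bool:
    """True only for the domain itself or a real subdomain of it.
    A plain substring test would also accept look-alikes such as
    example.com.attacker-test.net, which is why the suffix check matters."""
    return host == domain or host.endswith("." + domain)


def extract_hosts(crtsh_json: str, domain: str) -> dict:
    """Return {hostname: {"wildcard": bool, "latest_not_after": datetime, "issuers": set}}.
    Names are lower-cased and de-duplicated; each name_value may carry several
    newline-separated SANs."""
    hosts = {}
    for entry in json.loads(crtsh_json):
        not_after = datetime.fromisoformat(entry["not_after"])
        for raw in entry["name_value"].split("\n"):
            name = raw.strip().lower()
            if not name or not HOSTNAME_RE.match(name):
                continue
            bare = name[2:] if name.startswith("*.") else name
            if not in_scope(bare, domain):
                continue
            rec = hosts.setdefault(name, {"wildcard": name.startswith("*."),
                                          "latest_not_after": not_after,
                                          "issuers": set()})
            rec["latest_not_after"] = max(rec["latest_not_after"], not_after)
            rec["issuers"].add(entry["issuer_name"])
    return hosts


def triage(hosts: dict, now: datetime) -> dict:
    """Split the hostnames into three worklists:
    - active: concrete names with a certificate still valid at `now`
    - expired: names seen only in expired certificates (may be decommissioned,
      or may still be up; resolve them before spending time on them)
    - wildcards: prove a naming space exists, not a host; feed them to
      permutation/brute-force tools rather than trying to resolve "*"."""
    out = {"active": [], "expired": [], "wildcards": []}
    for name, rec in hosts.items():
        if rec["wildcard"]:
            out["wildcards"].append(name)
        elif rec["latest_not_after"] >= now:
            out["active"].append(name)
        else:
            out["expired"].append(name)
    return {k: sorted(v) for k, v in out.items()}


def triage_sample() -> dict:
    """Run the pipeline over the constructed sample as of 2024-06-01."""
    return triage(extract_hosts(SAMPLE_CRTSH_JSON, "example.com"), datetime(2024, 6, 1))


if __name__ == "__main__":
    for bucket, names in triage_sample().items():
        print(bucket, names)
```

For a live run, replace `SAMPLE_CRTSH_JSON` with the body fetched from the crt.sh URL in the comment; the parsing and scope check are unchanged. Note that the scope check is deliberately a suffix match on the whole label boundary, not a substring search, so look-alike domains that merely contain the target name are excluded.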
Data Aggregation and Correlation
Pull all your findings together. Look for connections between the data points you've collected - shared usernames across platforms, email addresses linked to domains, phone numbers associated with accounts, locations that appear in multiple sources. This is where individual data points become intelligence.
Tip: Maltego's graph visualization is excellent for spotting connections you'd miss in a spreadsheet. SpiderFoot can automate correlation across dozens of data sources. Weight each link by how many independent sources support it: an identical username on two sites is suggestive, the same email or phone number confirmed by two different tools is much stronger. Take screenshots of everything, with the URL and time visible - web content can disappear at any time.
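The correlation step is, at its core, building a graph of identifiers and walking it from your seed. The following is an added example (it is not from this page, nor from Maltego or SpiderFoot) showing the minimum you need: each finding records the identifiers a single source showed together, the findings become an undirected graph, and every node reachable from the seed is graded by how many independent sources back its links and whether any link is stronger than a bare username match. The findings, handles, location and phone number are constructed for the example; the `*-demo` handles are not meant to exist.

```python
"""Correlate OSINT findings into a graph and grade each pivot by its corroboration."""
from collections import defaultdict, deque

# Constructed findings: each entry lists identifiers that ONE source showed together.
# Sources are named after the tool or page that produced them; values are made up.
FINDINGS = [
    {"source": "holehe",
     "links": [("email", "jdoe@example.com"), ("account", "github.com/jdoe-demo")]},
    {"source": "holehe",
     "links": [("email", "jdoe@example.com"), ("account", "instagram.com/jdoe_demo")]},
    {"source": "sherlock",
     "links": [("username", "jdoe-demo"), ("account", "github.com/jdoe-demo")]},
    {"source": "sherlock",
     "links": [("username", "jdoe-demo"), ("account", "reddit.com/u/jdoe-demo")]},
    {"source": "github-profile",
     "links": [("account", "github.com/jdoe-demo"), ("email", "jdoe@example.com"),
               ("location", "Leeds, UK")]},
    {"source": "instagram-bio",
     "links": [("account", "instagram.com/jdoe_demo"), ("location", "Leeds, UK")]},
    # Not yet tied to anything above: a phone number and the account it is registered to.
    {"source": "ignorant",
     "links": [("phone", "+44 7700 900123"), ("account", "snapchat (registered)")]},
]


def build_graph(findings):
    """Undirected graph: node -> {neighbour -> set of sources that observed the link}.
    Nodes are (identifier_type, value) tuples."""
    graph = defaultdict(lambda: defaultdict(set))
    for finding in findings:
        nodes = finding["links"]
        for i, a in enumerate(nodes):
            for b in nodes[i + 1:]:
                graph[a][b].add(finding["source"])
                graph[b][a].add(finding["source"])
    return graph


def reachable(graph, seed):
    """Breadth-first walk: everything connected to the seed, however indirectly."""
    seen, queue = {seed}, deque([seed])
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def assess(graph, seed):
    """Grade every node reachable from the seed.
    'confirmed' requires at least two independent sources AND at least one link
    that is not just a shared username (handle collisions are common)."""
    report = {}
    for node in reachable(graph, seed):
        if node == seed:
            continue
        sources, kinds = set(), set()
        for neighbour, srcs in graph[node].items():
            sources |= srcs
            kinds.add(neighbour[0])
        confirmed = len(sources) >= 2 and bool(kinds - {"username"})
        report[node] = {"sources": sorted(sources),
                        "linked_via": sorted(kinds),
                        "confirmed": confirmed}
    return report


def assess_sample():
    """Run the grading over the constructed findings, seeded with the email address."""
    return assess(build_graph(FINDINGS), ("email", "jdoe@example.com"))


if __name__ == "__main__":
    for node, grade in sorted(assess_sample().items()):
        flag = "CONFIRMED" if grade["confirmed"] else "unconfirmed"
        print(f"{flag:12} {node[0]:9} {node[1]:28} sources={grade['sources']}")
```

Two things the output makes visible that a flat list does not: the Reddit account hangs off the seed only through a username match from a single tool, so it stays unconfirmed until something else ties it in, and the phone number never appears at all, because no finding yet links it to the rest of the graph. That second gap is a to-do list item, not a dead end.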
Document and Report
Organize your findings into a structured report. Include your methodology, tools used, all findings with sources, a timeline of the target's online activity, and your analytical conclusions. A good OSINT report should be reproducible - someone else should be able to follow your steps and reach the same findings.
Tip: Use CyberChef to decode any encoded data you've collected. Keep raw evidence (screenshots, exported data) separate from your analysis, and record a hash of each file when you capture it so you can show later that it has not changed. Date everything, in UTC, so timelines from different sources line up.
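The running log recommended at the start of the workflow and the evidence handling described here come down to the same thing: an append-only record where every finding is timestamped, sourced, and tied to the raw artifact by hash. The following is an added example (not code from this page) of such a log: each artifact is stored under its SHA-256 in a separate evidence directory, each log line carries the timestamp, source URL, note, artifact hash and the hash of the previous line, and a verifier reports any line or artifact that no longer matches. File paths, URLs and artifact bytes in the demo are constructed stand-ins.

```python
"""Append-only, hash-chained findings log with the raw evidence stored apart from it."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: dict) -> str:
    """Hash over canonical JSON of every field except the entry's own hash."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return sha256_hex(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())


def record(log_path: Path, evidence_dir: Path, artifact: bytes, source: str,
           note: str, when: Optional[datetime] = None) -> dict:
    """Store the artifact under its SHA-256 and append a chained entry to the log."""
    when = when or datetime.now(timezone.utc)
    digest = sha256_hex(artifact)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    (evidence_dir / digest).write_bytes(artifact)      # raw evidence, kept apart from analysis
    prev = GENESIS
    if log_path.exists():
        lines = log_path.read_text().splitlines()
        if lines:
            prev = json.loads(lines[-1])["entry_hash"]
    entry = {"timestamp": when.isoformat(), "source": source, "note": note,
             "artifact_sha256": digest, "prev_hash": prev}
    entry["entry_hash"] = _entry_hash(entry)
    with log_path.open("a") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify(log_path: Path, evidence_dir: Path) -> list:
    """Return a list of problems; an empty list means log and evidence are intact."""
    problems, prev = [], GENESIS
    for n, line in enumerate(log_path.read_text().splitlines(), 1):
        entry = json.loads(line)
        if entry["prev_hash"] != prev:
            problems.append(f"line {n}: chain broken")
        if _entry_hash(entry) != entry["entry_hash"]:
            problems.append(f"line {n}: entry altered")
        blob = evidence_dir / entry["artifact_sha256"]
        if not blob.exists() or sha256_hex(blob.read_bytes()) != entry["artifact_sha256"]:
            problems.append(f"line {n}: artifact missing or altered")
        prev = entry["entry_hash"]
    return problems


def demo() -> dict:
    """Record two findings, verify, then tamper with the log and evidence and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        log, store = root / "findings.jsonl", root / "evidence"
        # Constructed stand-ins for a saved page and a screenshot.
        record(log, store, b"<html>profile page snapshot</html>",
               "https://github.com/jdoe-demo", "Profile lists jdoe@example.com",
               datetime(2024, 5, 2, 10, 14, tzinfo=timezone.utc))
        second = record(log, store, b"PNG screenshot bytes",
                        "https://instagram.com/jdoe_demo", "Bio gives location Leeds, UK",
                        datetime(2024, 5, 2, 10, 20, tzinfo=timezone.utc))
        clean = verify(log, store)
        # Tamper: rewrite a note after the fact and delete one artifact.
        lines = log.read_text().splitlines()
        first = json.loads(lines[0])
        first["note"] = "Profile lists a different address"
        lines[0] = json.dumps(first, sort_keys=True)
        log.write_text("\n".join(lines) + "\n")
        (store / second["artifact_sha256"]).unlink()
        return {"clean": clean, "tampered": verify(log, store)}


if __name__ == "__main__":
    print(demo())
```

The chain only proves that the log has not been edited since it was written; it does not stop you from quietly regenerating the whole file. For that, commit the log to a repository or periodically note the latest `entry_hash` somewhere outside your control (an email to a colleague, a ticket), which is what makes the timestamps credible in a report.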