Authentic8 engineers curated a list of the 21 most widely used OSINT research tools for cybersecurity investigations into sites, their users and owners.

To help investigators make use of the vast expanse of information available on the surface, deep and dark web, Authentic8 experts have curated a list of the most useful tools. With these resources, investigators can simplify their research and improve productivity.

1. OSINT Framework: Find free OSINT resources

OSINT Framework: Find free OSINT resources

WHAT IT IS

OSINT Framework indexes a multitude of connections to different URLs, recommending where to look next when conducting an investigation. It also provides suggestions on what services can help analysts find specific data that might aid in their research.

USE CASE

When you plug a piece of data (such as an email address, phone number, name, etc.) into the framework, it returns all known online sources that contain information relevant to that data. OSINT Framework also offers a list of potential resources where more information related to that particular source can be found.

2. IDA Pro: Perform state-of-the-art binary code analysis

IDA Pro: Perform State-of-the-Art Binary Code Analysis

WHAT IT IS

The source code of the software isn’t always available. A disassembler like IDA Protranslates machine-executable code into readable assembly language source code, enabling research specialists to analyze programs that are suspected to contain malware or spyware.

USE CASE

An incident response team loads a malicious artifact found on a breached server into IDA Pro to further analyze and understand its behavior, potential damage and method of traversal. IDA Pro can also be used as a debugger to aid analysts in reading and examining the hostile code.

3. Creepy: Gather geolocation information

Creepy: Gather Geolocation Information

WHAT IT IS

Creepyis a geospatial visualization tool that centralizes and visualizes geolocated information pulled across multiple online sources.

USE CASE

Once the plugin is configured, a user can feed the tool a social media artifact. Creepy draws all available locations on the map, allowing the user to see where the devices were located when the information was posted.

4. Maltego Transform Hub: Mine, merge and map information

Maltego Transform Hub: Mine, Merge and Map Information

WHAT IT IS

Integrate data from public sources, commercial vendors and internal sources via the Maltego Transform Hub.All data comes pre-packaged as Transforms, ready to be used in investigations. Maltego takes one artifact and finds more.

USE CASE

A user feeds Maltego domain names, IP addresses, domain records, URLs or emails. The service finds connections and relationships within the data and allows users to create graphs in an intuitive point- and-click logic.

5. DNSdumpster: Find and look up DNS records

DNSdumpster: Find and Look Up DNS Records

WHAT IT IS

DNSdumpsteris a free domain research tool that can discover hosts related to a domain. Finding visible hosts from the attackers’ perspective is an important part of the security assessment process.

USE CASE

After a user enters a domain name, DNSdumpster identifies and displays all associated subdomains, helping map an organization’s entire attack surface based on DNS records.

6. TinEye: Reverse image search

TinEye: Reverse Image Search

WHAT IT IS

TinEyeis an image-focused web crawling database that allows users to search by image and find where that image appears online.

USE CASE

An investigator uploads an image to TinEye or searches by URL. TinEye constantly crawls the web and adds images to its extensive index (as of August 2021, over 48 billion images).

7. Shodan: The search engine for the IoT

Shodan: The Search Engine for the IoT

WHAT IT IS

Websites are just one part of the internet. Shodanallows analysts to discover which of their devices are connected to the internet, where they are located and who is using them.

USE CASE

Shodan helps researchers monitor all devices within their network that are directly accessible from the internet and therefore vulnerable to attacks.

8. Wayback Machine: Explore billions of webpages

Wayback Machine: Explore Billions of Webpages

WHAT IT IS

Wayback Machineanalyzes websites published across time, allowing researchers to review how the webpage looked when it was originally launched or updated, revealing data that may no longer be visible or searchable through regular search engines.

USE CASE

Suppose a website was seized by the FBI, but the original content is no longer there. Researchers can use Wayback Machine to reveal information that the site may have contained prior to the raid.

9. Have I Been Pwned: Find out if your account has been compromised

9. Have I Been Pwned: Find Out if Your Account Has Been Compromised

WHAT IT IS

The service exposes the severity of the risks of online attacks, while helping victims of data breaches learn about compromises of their accounts. Users can subscribeto receive breach notifications and search for pwned accounts and passwords across domains.

USE CASE

Users can securely enter email addresses and passwords to find out if they have been hacked. The site returns a complete list of breaches where specific accounts have been exposed, and it lists what types of data (email addresses, names, passwords, locations, etc.) have been stolen.

10. CipherTrace: Follow the money

CipherTrace: Follow the Money

WHAT IT IS

Maltego CipherTraceis a popular security research and forensics tool that uses the Bitcoin blockchain to track funds. CipherTrace uses identifiers for criminal, mixer, dark market, gambling, ATM and exchange activities. It comes in the form of a Maltego Transform.

USE CASE

Create directed graphs to track an asset's final destination, even when a Bitcoin mixer attempts to launder the funds.

11. Voter Records: Search anyone’s public records

Voter Records: Search Anyone’s Public Records

WHAT IT IS

Voter Recordsis a free political research tool that contains more than 70 million voter registration records. Details include related public records, political party affiliations, relatives, location, current and previous addresses and more.

USE CASE

A researcher could gain comprehensive information about any person’s affiliations, location and connections.

12. Whitepages: Find people and perform background checks

Whitepages: Find People and Perform Background Checks

WHAT IT IS

Whitepagesoffers reverse name, address and phone number lookup and returns high-level information on any individual or business.

USE CASE

A useful tool for verifying that the persons a researcher is dealing with are who they say they are. Investigators can locate people and businesses, verify their addresses, look up phone numbers and even perform complete background checks.

13. Fake Name Generator: Disguise your identity

Fake Name Generator: Disguise Your Identity

WHAT IT IS

Fake Name Generatorproduces an entire new false identity for a person, including detailed contact information, a mother’s maiden name, street address, email, credit card numbers, phone number, social security number and more.

USE CASE

A fake identity can be useful for filling out online forms without giving out personal details, using it as a pseudonym on the internet, testing payment options with randomly generated credit card numbers and all other types of research where an analyst doesn’t want to expose his or her real identity.

14. CityProtect: Explore crime maps

CityProtect: Explore Crime Maps

WHAT IT IS

CityProtectis a crime visualization site. Users provide a location within the U.S., along with some other parameters, and detailed crime reports are delivered. The reports are rendered geospatially.

USE CASE

A user can analyze quantified criminal behavior in a geographic area over time to help build an intelligence-lead brief.

15. Torch Search Engine: Explore the darknet

Torch Search Engine: Explore the DarkNet

WHAT IT IS

Torch,or TorSearch, is a search engine designed to explore the hidden parts of the internet. Torch claims to have over a billion darknet pages indexed and allows users to browse the dark web uncensored and untracked.

USE CASE

Torch promises peace of mind to researchers who venture into the dark web to explore .onion sites. It also doesn't censor results — so investigators can find all types of information and join discussion forums to find out more about current malware, stolen data for sale or groups who might be planning a cyberattack.

16. Dark.fail: Go deeper into the darknet

Dark.fail: Go Deeper into the Darknet

WHAT IT IS

Dark.failhas been crowned the new hidden wiki. It indexes every major darknet site and keeps track of all domains linked to a particular hidden service.

USE CASE

Tor admins rely on Dark.fail to disseminate links in the wake of takedowns of sites like DeepDotWeb. Researchers can use Dark.fail when exploring sites that correlate with the hidden service.

17. PhishTank: Research suspected phishes

PhishTank: Research Suspected Phishes

WHAT IT IS

PhishTankis a free community site where anyone can submit, verify, track and share phishing data. PhishTank also provides an open API for developers and researchers to integrate anti-phishing data into their applications.

USE CASE

Users submit suspicious URLs via email, and PhishTank identifies, verifies, tracks, confirms and publishes phishing site on its webpage.

18. HoneyDB: Community-driven honeypot sensor data collection

HoneyDB: Community-Driven Honeypot Sensor Data Collection

WHAT IT IS

HoneyDBhas multiple honeypots throughout the internet waiting to be attacked. The service logs complete details of an attack (including IP address) and the binary that was used to execute it, then lists them in its database. HoneyDB enables users to run a reverse search on IOCs and correlates it back to campaigns happening on its honeypots.

USE CASE

A campaign that uses a unique exploit to commit a wide-spread attack on every system possible would most likely infect one or more of the honeypots. A user then accesses detailed information on the attack to gather information about its intentions and perpetrators.

19. ThreatMiner: IOC lookup and contextualization

ThreatMiner: IOC Lookup and Contextualization

WHAT IT IS

ThreatMineris a threat intelligence portal designed to enable an analyst to research indicators of compromise (IOCs) under a single interface. That interface allows for not only looking up IOCs but also providing the analyst with contextual information. With this context, the IOC is not just a data point but a useful piece of information and potentially intelligence.

USE CASE

Identify and enrich indicators of compromise to have a better understanding of attack origins.

20. VirusTotal: Analyze suspicious files and URLs

Virus Total: Analyze suspicious files and URLs

WHAT IT IS

VirusTotalinspects items with over 70 antivirus scanners and URL/domain blacklisting services. Scanning reports produced by VirusTotal are shared with the public to raise the global IT security level and awareness about potentially harmful content.

USE CASE

Users can select a file from their computer using their browser and send it to VirusTotal. Results are shared with the submitter, and also between the examining partners, who use this data to improve their own systems.

21. ExploitDB: The most comprehensive exploit collection

ExploitDB: The Most Comprehensive Exploit Collection

WHAT IT IS

The Exploit Databaseis an archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Exploits are collected throughout the internet and through user submissions, then archived for community use.

USE CASE

The Exploit Database is a repository for publicly available exploits, making it a valuable resource for those who need actionable data at their fingertips.

 

Silo for Research: Secure, anonymous online investigations

Silo for Research launch screen

WHAT IT IS

Silo for Research is a purpose-built solution for conducting online research without exposing analysts’ digital fingerprint. Safely pursue investigations across the surface, deep or dark web from a cloud-based browsing interface while controlling how you appear online.

USE CASE

Blend in with the crowd and avoid tipping off your suspect. Manipulate your location, time zone, language and keyboard settings, device type, browser and much more. Keep investigative browsing completely segregated from your device to prevent infection, tracking or identification that could spoil your investigation or make you a target.

 

To learn more about Silo for Research, download the data sheet or visit our experience center to explore the solution.

TAGS OSINT

About the Author

A8 Team
A8 Team
Contribution Team U.S.A.

Authentic8 Team is a group of cybersecurity enthusiasts, investigation sleuths, top-notch engineers, news junkies, policy wonks and all-around fervent writers hell-bent on bringing you the best darn blog in the industry. 

Related Resources

Success Story
Success Story

Location, Location, Location: Helping SOC Investigate Region-Specific Malware

Manufacturer’s SOC uses regional egress nodes to prevent getting blocked while investigating region-specific malware.

Data Sheet
Data Sheet

Silo for Research

Silo for Research (Toolbox) is a secure and anonymous web browsing solution that enables users to conduct research across the open, deep and dark web.

Guide
Guide

Open and Dark Web Research: Tips and Techniques

How to access and analyze suspicious or malicious content without exposing your resources or identity

Close
Close