Nethran Wedage

Cybersecurity undergraduate and web developer based in Sri Lanka, passionate about penetration testing, VAPT, and ethical hacking.


OSINT Investigation — Target Profiling

Category: OSINT | Date: 15 Jun 2024 | OS / Target: N/A | Points: OSINT Report | Difficulty: Intermediate

Full OSINT reconnaissance on a consenting test target — email enumeration, social media mapping, domain/WHOIS analysis, and breach data correlation.

Tags: OSINT, theHarvester, Maltego, Recon

This writeup documents an Open Source Intelligence (OSINT) investigation conducted against a fictional sample target for training and portfolio purposes. All techniques demonstrated are passive — no systems were accessed or attacked. The investigation covers person profiling, organisation reconnaissance, domain intelligence, social media analysis, and metadata extraction using publicly available tools and sources.

Engagement Info

  • Target: Fictional sample target (training exercise)
  • Type: Passive OSINT — Person and Organisation Profiling
  • Methodology: OSINT Framework — People, Domains, Social Media
  • Tools: Maltego, theHarvester, Shodan, Recon-ng, Exiftool

Step 1 — Defining the Target Scope

Before any investigation begins, the target scope and objectives are clearly defined to keep the investigation focused and legal:

  • Full name and known aliases of the target person
  • Associated organisation name and domain
  • Known email addresses and phone numbers
  • Social media accounts and digital footprint
  • Physical location indicators and geolocation data

A target profile document was started immediately to record every finding with its source — maintaining a clear chain of evidence throughout the investigation.

Step 2 — Domain and Email Reconnaissance

Domain intelligence was gathered first to map the organisation's infrastructure and identify email address formats:

# WHOIS lookup — registrant info, dates, nameservers
whois target-org.com

# DNS enumeration
nslookup -type=MX target-org.com
nslookup -type=TXT target-org.com

# Subdomain enumeration
theHarvester -d target-org.com \
  -b google,bing,linkedin,hunter

# Find email addresses associated with the domain
theHarvester -d target-org.com \
  -b hunter -f emails.txt

Key findings from domain reconnaissance:

  • Registrant name and organisation exposed via WHOIS
  • Mail servers and SPF records leaked infrastructure details
  • Subdomains discovered — mail., vpn., dev.
  • Email format identified as firstname.lastname@target-org.com
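The SPF and MX findings above are something a defender can audit from the same TXT records the attacker reads. The script below is an added example, not part of the original writeup and not theHarvester's code: it walks an SPF record and its include: chain and reports the netblocks and third-party senders the domain admits to, the DNS-lookup count against the limit of ten set by RFC 7208, and permissive terms such as +all, which is the misconfiguration that turns a leaked record into a spoofing problem. The TXT records are constructed for the example; a real run would populate the dictionary from the nslookup -type=TXT query shown above.

```python
import ipaddress
import re

# Constructed sample TXT records for the fictional domain and its mail provider.
# A real audit would populate this from DNS (e.g. nslookup -type=TXT as above).
SAMPLE_TXT = {
    "target-org.com": [
        "v=spf1 ip4:203.0.113.0/24 include:_spf.example-mailer.test a mx ~all",
        "google-site-verification=constructed-token",
    ],
    "_spf.example-mailer.test": [
        "v=spf1 ip4:198.51.100.0/25 +all",
    ],
}

SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4: more than 10 DNS-querying terms is a permerror
TERM_RE = re.compile(r"^([+\-~?])?([a-z0-9]+)(?:[:=](.+))?$", re.I)


def get_spf(domain, txt_records):
    """Return the domain's SPF record, or None if there is not exactly one."""
    spf = [r for r in txt_records.get(domain, []) if r.lower().startswith("v=spf1")]
    return spf[0] if len(spf) == 1 else None


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, value) tuples."""
    terms = []
    for token in record.split()[1:]:  # skip the v=spf1 version tag
        m = TERM_RE.match(token)
        if m:
            terms.append((m.group(1) or "+", m.group(2).lower(), m.group(3)))
    return terms


def audit_spf(domain, txt_records, _depth=0):
    """Follow the include: chain and report what the record exposes and allows."""
    findings = {"networks": [], "includes": [], "lookups": 0, "issues": []}
    record = get_spf(domain, txt_records)
    if record is None:
        findings["issues"].append(f"{domain}: no single valid SPF record")
        return findings
    for qual, mech, val in parse_spf(record):
        if mech in ("ip4", "ip6"):
            # Every listed netblock is public infrastructure the domain admits to owning
            findings["networks"].append(str(ipaddress.ip_network(val, strict=False)))
        elif mech in ("a", "mx", "ptr", "exists", "include", "redirect"):
            findings["lookups"] += 1
            if mech in ("include", "redirect") and _depth < 5:
                findings["includes"].append(val)
                sub = audit_spf(val, txt_records, _depth + 1)
                for key in ("networks", "includes", "issues"):
                    findings[key].extend(sub[key])
                findings["lookups"] += sub["lookups"]
        if mech == "all" and qual == "+":
            # A '+all' anywhere in the chain lets any host on the internet send as this domain
            findings["issues"].append(f"{domain}: '+all' authorises every sender")
        if mech == "ptr":
            findings["issues"].append(f"{domain}: 'ptr' mechanism is deprecated")
    if findings["lookups"] > SPF_LOOKUP_LIMIT:
        findings["issues"].append(
            f"{domain}: {findings['lookups']} lookups exceed the limit of {SPF_LOOKUP_LIMIT}")
    return findings


if __name__ == "__main__":
    result = audit_spf("target-org.com", SAMPLE_TXT)
    for key, value in result.items():
        print(f"{key}: {value}")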

Step 3 — Google Dorking

Advanced Google search operators were used to surface sensitive files, exposed directories, and mentions of the target across indexed pages:

# Find indexed documents from the target domain
site:target-org.com filetype:pdf
site:target-org.com filetype:xlsx OR filetype:docx

# Find login portals
site:target-org.com inurl:login OR inurl:admin

# Search for target person mentions
"John Smith" "target-org.com"
"John Smith" site:linkedin.com

# Find cached or archived pages
cache:target-org.com
site:web.archive.org target-org.com

Google dorking surfaced several PDF documents containing staff names, internal project references, and document metadata that revealed software versions used internally.

Step 4 — Social Media Profiling

The target's social media presence was mapped across major platforms using username search tools and manual investigation:

# Username search across platforms
sherlock johndoe123

# Check specific platforms manually:
# LinkedIn  — job history, connections, skills
# Twitter/X — interests, location mentions, associates
# GitHub    — code repositories, email in commits
# Instagram — geolocation tags in photos

Social media findings compiled into the profile:

  • LinkedIn revealed current role, employer, and work history
  • GitHub commits exposed personal email address in commit metadata
  • Twitter posts contained location references and daily routine patterns
  • Instagram photos contained EXIF GPS data in older unstripped images

Step 5 — Metadata Extraction

Documents and images collected during the investigation were analysed for embedded metadata using Exiftool:

# Extract all metadata from a PDF
exiftool document.pdf

# Key metadata fields to examine:
# Author       — reveals internal username or full name
# Creator Tool — reveals software and version
# Created Date — reveals timezone (location indicator)
# GPS          — reveals coordinates if image metadata present

# Batch extract from all collected files
exiftool -r ./collected_files/ \
  -Author -Creator -GPSLatitude \
  -GPSLongitude -csv > metadata.csv

A company brochure PDF revealed the author's internal Active Directory username in the Author field — directly usable for credential attacks in a red team context. An image posted publicly still contained GPS coordinates pinpointing a home office location.
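The -csv output of the batch command above is also the natural input for a pre-publication check on your own files. The script below is an added example, not code from this page or from Exiftool: it parses a constructed CSV in the same column layout (SourceFile plus the requested tags), converts Exiftool's default degrees/minutes/seconds GPS strings or the numeric form produced by exiftool -n to signed decimal degrees, and flags every file whose Author, Creator or GPS fields would leak an account name, a software version or a location. The file names, the author value and the coordinates are made up for the example.

```python
import csv
import io
import re

# Constructed rows in the column layout of `exiftool -csv` (SourceFile plus the
# requested tags). The file names, author and coordinates are made up.
SAMPLE_CSV = "\n".join([
    "SourceFile,Author,Creator,GPSLatitude,GPSLongitude",
    "./collected_files/brochure.pdf,TARGETORG\\jsmith,Microsoft Word 2016,,",
    './collected_files/office.jpg,,,"6 deg 55\' 39.00"" N","79 deg 50\' 52.80"" E"',
    "./collected_files/press.pdf,,Adobe InDesign 18.0,,",
    "./collected_files/logo.png,,,,",
])

# Exiftool's default human-readable GPS form, e.g. 6 deg 55' 39.00" N
DMS_RE = re.compile(r"""^\s*(\d+(?:\.\d+)?)\s*deg\s*(\d+(?:\.\d+)?)'\s*(\d+(?:\.\d+)?)"\s*([NSEW])\s*$""")


def dms_to_decimal(value):
    """Convert an Exiftool GPS field to signed decimal degrees; None if absent."""
    value = (value or "").strip()
    try:
        return float(value)  # numeric form produced by `exiftool -n`
    except ValueError:
        pass
    m = DMS_RE.match(value)
    if not m:
        return None
    deg, minutes, seconds, hemi = m.groups()
    decimal = float(deg) + float(minutes) / 60 + float(seconds) / 3600
    return -decimal if hemi in "SW" else decimal


def audit_metadata(csv_text):
    """Return one finding per file whose metadata would leak something on publication."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        author = (row.get("Author") or "").strip()
        if author:
            # DOMAIN\user or user@domain is an account name, not just a display name
            kind = "account name" if ("\\" in author or "@" in author) else "person name"
            issues.append(f"Author field exposes a {kind}: {author}")
        creator = (row.get("Creator") or "").strip()
        if creator and re.search(r"\d", creator):
            issues.append(f"Creator field leaks a software version: {creator}")
        lat = dms_to_decimal(row.get("GPSLatitude"))
        lon = dms_to_decimal(row.get("GPSLongitude"))
        has_gps = lat is not None and lon is not None
        if has_gps:
            issues.append(f"GPS coordinates embedded: {lat:.4f}, {lon:.4f}")
        if issues:
            findings.append({
                "file": row["SourceFile"],
                "issues": issues,
                "gps": (lat, lon) if has_gps else None,
            })
    return findings


if __name__ == "__main__":
    for finding in audit_metadata(SAMPLE_CSV):
        print(finding["file"])
        for issue in finding["issues"]:
            print("  -", issue)
```

To use it on a real collection, read metadata.csv from the batch command instead of SAMPLE_CSV; any file it flags can then be cleaned with exiftool -all= before release, which is the stripping step the key takeaways call for.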

Step 6 — Shodan Reconnaissance

Shodan was used to identify internet-facing infrastructure associated with the target organisation's IP ranges and domain:

# Search by organisation name
org:"Target Organisation Ltd"

# Search by domain
hostname:target-org.com

# Find exposed services
org:"Target Organisation Ltd" port:22
org:"Target Organisation Ltd" port:3389
org:"Target Organisation Ltd" http.title:"Dashboard"

# Get IP range from ASN lookup
# Then search the netblock
net:203.0.113.0/24

Shodan findings:

  • RDP (3389) exposed directly to the internet on two hosts
  • An outdated Cisco router identified from its default service banner
  • An internal Jenkins dashboard accessible without authentication
  • SSL certificate revealed additional internal subdomains via SAN fields

Step 7 — Maltego Link Analysis

All gathered data points were imported into Maltego to visualise relationships between people, domains, IPs, email addresses, and social accounts:

# Maltego transforms used:
# Person > Email Address
# Domain > DNS Names
# Domain > IP Address
# Email  > Social Media Accounts
# IP     > Shodan Results
# Phone  > Owner Lookup

The Maltego graph revealed a cluster of connections linking the target's personal email to a secondary alias used on a developer forum — which in turn exposed additional infrastructure and a previously unknown associate account.

Step 8 — Profile Report

All findings were compiled into a structured OSINT target profile report containing:

  • Personal identifiers — full name, aliases, email addresses, phone numbers
  • Organisation details — domain, subdomains, IP ranges, exposed services
  • Social media accounts — platforms, usernames, activity patterns
  • Physical indicators — location references, timezone, GPS metadata
  • Technical exposure — open ports, unpatched services, leaked credentials
  • Risk rating and recommended defensive actions per finding

Each finding was tagged with its source URL and collection timestamp to ensure the report is reproducible and auditable.
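The chain of evidence started in Step 1 and the source-and-timestamp tagging described above can be enforced in code rather than left to discipline. The class below is an added example, not part of the original report or of any of the tools listed: each finding is stored with its step, its source (a URL or the command that produced it) and a UTC timestamp, together with the SHA-256 of the previous entry, so verify() detects any later edit, reordering or deletion of an entry and to_report_rows() yields the evidence table for the profile report. The three sample findings echo this writeup's own results; their timestamps are made up.

```python
import hashlib
import json
from datetime import datetime, timezone


class EvidenceLog:
    """Append-only record of OSINT findings. Every entry stores the finding, the
    step it came from, its source (URL or command) and a UTC timestamp, plus the
    SHA-256 of the previous entry, so verify() detects any later edit, reordering
    or deletion of an entry."""

    GENESIS = "0" * 64  # prev_hash of the first entry

    def __init__(self):
        self.entries = []

    @staticmethod
    def _digest(body):
        # Canonical JSON (sorted keys, fixed separators) so the hash is reproducible
        data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
        return hashlib.sha256(data).hexdigest()

    def add(self, step, finding, source, collected_at=None):
        """Append a finding and return its hash. collected_at defaults to now (UTC)."""
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        stamp = collected_at or datetime.now(timezone.utc).isoformat(timespec="seconds")
        body = {
            "seq": len(self.entries) + 1,
            "step": step,
            "finding": finding,
            "source": source,
            "collected_at": stamp,
            "prev_hash": prev,
        }
        entry = dict(body, hash=self._digest(body))
        self.entries.append(entry)
        return entry["hash"]

    def verify(self):
        """Return 0 if the chain is intact, else the position of the first bad entry."""
        prev = self.GENESIS
        for position, entry in enumerate(self.entries, start=1):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if (entry.get("seq") != position
                    or entry.get("prev_hash") != prev
                    or self._digest(body) != entry.get("hash")):
                return position
            prev = entry["hash"]
        return 0

    def to_report_rows(self):
        """Flatten the log into rows for the profile report's evidence table."""
        return [(e["seq"], e["step"], e["finding"], e["source"], e["collected_at"])
                for e in self.entries]


def build_sample_log():
    """Constructed findings echoing this writeup's results (timestamps made up)."""
    log = EvidenceLog()
    log.add(2, "Email format firstname.lastname@target-org.com",
            "theHarvester -d target-org.com -b hunter", "2024-06-15T09:12:00+00:00")
    log.add(5, "GPS coordinates present in a public image",
            "exiftool office.jpg", "2024-06-15T10:40:00+00:00")
    log.add(6, "RDP (3389) exposed on two hosts",
            'Shodan query org:"Target Organisation Ltd" port:3389', "2024-06-15T11:05:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact" if log.verify() == 0 else "chain broken")
    for row in log.to_report_rows():
        print(row)
```

Because each hash covers the previous hash, changing, removing or swapping any entry invalidates everything after it; verify() reports the first position where the chain breaks, which is what an auditor checking the report against the raw log needs.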

Key Takeaways

  • Strip metadata from all documents and images before publishing — Exiftool reveals usernames and GPS coordinates
  • WHOIS privacy protection should be enabled on all company domains to hide registrant details
  • GitHub commits expose email addresses — use a generic org email for public repository work
  • Shodan indexes exposed services within hours of them going online — monitor your external attack surface
  • SSL certificate SAN fields can reveal internal subdomains — review certificates before issuing
  • Social media operational security is critical — location tags and routine posts enable physical profiling

Tools Used

  • theHarvester — email, subdomain, and domain enumeration
  • Maltego — link analysis and relationship visualisation
  • Shodan — internet-facing infrastructure discovery
  • Sherlock — username search across social platforms
  • Exiftool — document and image metadata extraction
  • Recon-ng — modular OSINT framework and reporting
  • whois / nslookup — domain and DNS intelligence
  • Google Dorks — advanced search operator reconnaissance