OSINT investigators have some seed data when they start an investigation, for instance they may start with an email address. When we conduct OSINT investigations, having a target’s email address can sometimes result in finding a goldmine of information about the user of that email. The purpose may be to find as much information about a target’s email such as finding out what sites have registered accounts and then understanding what that means for that target. This blog post covers my top 5 favourite OSINT resources when working with email addresses.
Let’s look at some effective OSINT tools that reveal where email addresses have been used and provide additional information related to that email address, thus giving us more data to analyze.
1. Epieos https://tools.epieos.com/email.php is an account finder tool that finds account information without notifying the user. When you enter an email and complete the captcha, you receive results of where that email has been used online. In the example noted below, it displays that the searched email has accounts on the sites Twitter, Spotify, Nike, Google, Eventbrite and Amazon. As an OSINT person this tells me I should try to find out if the profiles on these sites can be located by using a search engine or going directly to the site.
- Find out where an email address has accounts
- Pivot on that information to find more data about that account and user for instance, if the user has Google maps reviews which may reveal connections to other people or businesses.
- If there is an image in the Epieos results, right click and open in a new tab to get a larger image
- Reverse search that image to see where else it exists online
2. Skype search via the Skype App and it allows you to search for not only email addresses but names, usernames and phone numbers to see if they are associated with a Skype profile. As noted in the example below, we search for an email and find a profile associated to the email.
Search for an email and find a linked Skype profile.
Skype username and birthday.
Finding an account linked to a target may reveal the following details which can assist with building up a profile on a target:
- Profile name
- Profile photo
3. Whoxy https://www.whoxy.com is a website related to several WHOIS related searches. My favourite one is the reverse WHOIS lookup for finding websites linked to email addresses. Note that reverse WHOIS can also display historical information that is not always valid so it’s important to verify your findings. In the example below, from the dropdown search select “email address”, enter an email and click search. The results display a website associated with that email address. This is where you would conduct research on this website and who might be associated with it. If the site is no longer available online, I suggest searching on the Wayback machine to see if it was captured there.
- Find websites associated to a target email
- Pivot on the website information to find more data about it.
- Use the Wayback machine to find historical captures of the site.
4. HaveIBeenPwned https://haveibeenpwned.com is a website to check if an email or phone number was part of a data breach. In the example below we entered a target’s email address and found out there’s been 9 data breaches associated with this email address. The results indicate platforms such as Dropbox, Epik, and LinkedIn which tell us this target has or had profiles setup on these platforms.
HaveIbeenpwned.com search box
Results from HaveIbeenpwned.com
- Find out where an email address has or had profiles.
- Pivot on that information by looking on those platforms if there’s any open information about the target.
5. That’s Them https://thatsthem.com is a people search engine that allows you several different ways including via email address. The results can vary from detailed information about a target or minimal information where the site redirects to a service that wants you to pay for the search results. I have not used the paid method as I often find useful results in the free version. Common results include: the owner’s name, location and phone number. Keep in mind these results are for people who reside in the United States.
Thatsthem.com search box
Results from Thatsthem.com
- Find the name of the person using an email address.
- Find the location, phone number and other important details related to the email address.
- Pivot on the information in the results, meaning take the information and search in other places such as Google and Bing.
I know I said 5 resources for email addresses but here’s another one for good luck!
Remember MySpace?!! Well, alot of people still have profiles on that platform so you can sometimes find someone’s old profile, if they left it up, and sometimes you can find posted photos and connections to people.
Enter the following URL in your browser: https://firstname.lastname@example.org
and replace “email@example.com” with the target’s email address.
Posted Photos from MySpace related to the email address searched.
Connections to people on this MySpace profile.
Regardless of the OSINT tools we use, it’s important to have the ability to articulate, i.e. explain the why, what, and how of your actions when conducting online research. This means being thorough with understanding the OSINT tools you use and how they work.
It’s helpful to organize your OSINT tools. I organize mine according to the searchable data type I have (email address, phone number. etc). That way when I have the task of searching only using an email address, I have the list of resources that will give me a starting point. Remember to add these 6 resources to your OSINT lists when looking for information related to an email address.
Hope these tips have been helpful!
Stay OSINT Curious!