I am often asked by friends and co-workers “How did you do that?” when I produce information that is seemingly impossible to find. I usually reply with, “I’m a ninja”, or “I’m very good at what I do”. This response is usually good enough and we go about our day.
Today, I would like to break down the steps I take in finding what I find. Before I do so, I would like to note a few things. First, anyone can do what I do. The information is out there and freely available if you know where to look (hopefully after this read, you will have an idea). Second, there are people who make information gathering a profession and are way better at it than I am. I am writing from my own experience, which has proven to be valuable in almost every single case.
I start by assessing exactly what it is I am looking for. Is this my own personal interest? Did someone ask me to search for the entity? I say entity because I then determine if it’s a business entity with multiple threads of information or a single person. Let’s look at gathering information on businesses first as that usually leads to employees and follows into information gathering on individual people.
Business Information Gathering
1. Google it: I bet you didn’t see that one coming, huh!? In all seriousness, googling a company yields big results because companies are public by nature. This changes when dealing with individual people, and I will explain that difference a little later.
2. WHOIS lookup: After googling, I usually have a website, the location of the business, a basic idea of the target’s public relations, etc. I take the website and pass it through the whois command line program on my Linux distribution (also available through various websites). With smaller companies, this tends to yield the name of the owner or managing members, an address (more often than not, a personal address), and a phone number. Bigger companies usually have domain name privacy enabled, so I move to the next step.
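The flip side of this step is the countermeasure: a domain owner can run the same lookup on their own domain and see whether the registrant fields leak a personal address, phone number or email. Below is an added example (my own code, not from the post or from the whois program) that parses the “Key: value” text that whois prints and reports which registrant fields are exposed versus redacted by a privacy service. The two WHOIS records are constructed samples, and the list of privacy-service markers is an assumption for illustration, not an exhaustive list.

```python
"""Self-audit a WHOIS record for exposed registrant contact details.

Added example: parses the 'Key: value' layout that the whois program prints
and reports which registrant fields would expose the owner's personal data,
so a domain holder can confirm whether privacy protection is actually in effect.
"""

# Substrings that usually mark a privacy/proxy registration.
# Assumption: a small illustrative list, not an exhaustive one.
PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard", "data protected")

# Registrant fields that expose the owner when they hold real data.
SENSITIVE_FIELDS = (
    "registrant name",
    "registrant organization",
    "registrant street",
    "registrant city",
    "registrant phone",
    "registrant email",
)


def parse_whois(text: str) -> dict:
    """Turn 'Key: value' lines of WHOIS output into a lower-cased-key dict.

    Comment lines (starting with %, # or >>>) and blank lines are skipped;
    when a key repeats, the first value wins.
    """
    record = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("%", "#", ">>>")) or ":" not in line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key and value and key not in record:
            record[key] = value
    return record


def exposed_fields(record: dict) -> list:
    """Return the sensitive registrant fields that hold non-redacted values."""
    exposed = []
    for field in SENSITIVE_FIELDS:
        value = record.get(field, "").lower()
        if value and not any(marker in value for marker in PRIVACY_MARKERS):
            exposed.append(field)
    return exposed


def is_privacy_protected(record: dict) -> bool:
    """True when registrant fields are present and every one is redacted."""
    present = [f for f in SENSITIVE_FIELDS if record.get(f)]
    return bool(present) and not exposed_fields(record)


def audit(text: str) -> dict:
    """Summarise a raw WHOIS record: domain, protection status, exposed fields."""
    record = parse_whois(text)
    return {
        "domain": record.get("domain name", "?"),
        "privacy_protected": is_privacy_protected(record),
        "exposed_fields": exposed_fields(record),
    }


# Constructed sample: a small business whose owner registered in her own name.
EXPOSED_SAMPLE = """\
Domain Name: example-shop.example
Registrar: Example Registrar, Inc.
Registrant Name: Jane Doe
Registrant Organization:
Registrant Street: 123 Main St
Registrant City: Springfield
Registrant Phone: +1.5555550100
Registrant Email: jane@example-shop.example
>>> Last update of WHOIS database: 2015-01-01T00:00:00Z <<<
"""

# Constructed sample: a domain registered behind a privacy service.
PRIVATE_SAMPLE = """\
Domain Name: bigcorp.example
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Privacy Protect, LLC
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant Phone: REDACTED FOR PRIVACY
Registrant Email: contact@privacyguardian.example
"""

if __name__ == "__main__":
    for sample in (EXPOSED_SAMPLE, PRIVATE_SAMPLE):
        result = audit(sample)
        status = "protected" if result["privacy_protected"] else "EXPOSED"
        print(f"{result['domain']}: {status} {result['exposed_fields']}")
```

To audit a real domain, pipe the output of the whois program into audit() instead of the constructed samples; the empty “Registrant Organization:” line in the first sample shows that blank fields are ignored rather than counted as exposed.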
3. theHarvester: I discovered theHarvester, written by Christian Martorella, when using Kali Linux. It has saved so much time in the information gathering process.
theHarvester is a command line program that acts as a spider, crawling the various search engines and LinkedIn. It grabs subdomains, names, and emails if the target’s employees have posted online somewhere.
4. LinkedIn: LinkedIn gets a lot of flak for being a lame social network, but it has power in mapping a corporate hierarchy if the company is active. For the most part, they are. Phone numbers, emails, full names, position titles, and more!
Individual Information Gathering
This is the point where the two branches of information gathering converge. Having a list of employees, or an individual case, we can get more detailed for later social engineering or other tasks.
1. pipl.com: When I was in high school, a detective from the Las Vegas Police Department spoke to our business class about identity theft. He stated that an identity thief needs four pieces of information to steal an identity: first and last name, Social Security Number (SSN, “sosh”), mother’s maiden name, and birth date. He then mentioned pipl.com as a tool and I’ve been using it ever since. There are other background checking sites out there, but pipl.com has been good to me. Armed with just the first and last name of a target, I can get potential addresses (at least city level), relatives of the target, potential social network links, and the potential age of the target, which then brings me to the next step.
2. birthdatabase.com: I used to use “anybirthday.com”, but they expanded their services to full background checks for pay. So, I found birthdatabase.com and it has so far served me well. With the target’s name and city of birth (pipl.com), this site can return the birthday of your mark with 98% accuracy.
3. Assessor’s Office: I check the Assessor’s Office of the County where the target resides for any property records in the target’s name. That’s the scary part. This reveals home addresses and all properties owned by the subject. Countermeasure? Put property you own under the name of a trust or business you own. Most people do not do that.
4. Google it: Now why is “googling” the individual target the fourth step? In this order, by this time I have usually eliminated any duplicates (people sharing the same name). So any information Google outputs can be sifted through, and information about duplicates can be left alone, in an effort to keep the information gathering as pure and accurate as possible.
Case study: when I was first getting my driver’s license at age 17, I was almost denied because there was another person with my name and a criminal record in New York City. I had never been to New York at the time. It was my SSN that saved me. This is what I mean by duplicates.
With the information gathered up to this point, what’s next? Usually, this is when I report back to the person requesting the research. If I am working from my own interest, I keep all of it in the back of my mind until the opportunity arises when I get to use the information. How so? Am I doing a background check? Am I trying to catch someone in a lie? On the business level, I could be building out the corporate hierarchy for potential social engineering exploits. This is where my internet searching usually ends and I then turn to phone calls, and cutting at the edges.
1. Maltego: Another OSINT (Open Source Intelligence) application packaged with Kali Linux.
2. “How To Disappear” written by Frank M. Ahearn.
**REMINDER** Don’t be a creeper. This is for educational and explanatory purposes only.