OSINT Compendium

OSINT Tooling Catalog & Investigation Playbooks

Executive summary for leadership

• This document consolidates OSINT tools and repeatable playbooks to accelerate investigations, due diligence, threat triage, and incident response while reducing ad‑hoc tool sprawl.
• Primary risks are legal/regulatory exposure (privacy, platform terms), operational security (pivot leakage), and evidentiary weakness (poor capture, unverifiable sources).
• Governance is non‑optional: define acceptable use, conduct privacy impact assessment where required, set retention and access controls, and ensure vendor due diligence for paid platforms.
• Operationalize via standard playbooks, controlled environments (separate profiles/VMs), and evidence handling (time-stamped capture + hashing).
• Measure effectiveness via case cycle time, rework rate (false leads), and evidentiary acceptance rate in internal/legal review.

Table of contents

• Scope and intended use
• Governance and compliance
• Operating principles
• Quickstart playbooks
• OPSEC baseline
• Evidence handling
• Tool catalog
• Maintenance
• Changelog

Scope and intended use

• Intended audience: security operations, investigations, fraud/abuse, compliance, corporate security, threat intel.
• Scope: publicly available information and legitimately accessed data sources. This is not a guide to bypass access controls, scrape in violation of terms, or obtain data unlawfully.
• Outputs: leads, hypotheses, and evidence artifacts; all conclusions must be corroborated.

Governance and compliance

[!IMPORTANT] Treat OSINT as regulated data processing when it involves personal data. If your organization operates in the EU/UK or similar jurisdictions, validate lawful basis, proportionality, retention, and security controls.

• Acceptable use: define permitted purposes (e.g., fraud prevention, incident response), prohibited purposes (e.g., personal stalking, employment decisions without due process).
• Platform terms: many sources forbid automated collection; use APIs where available and document terms constraints in case notes.
• Data protection: minimize data, segregate cases, limit access by role, apply retention schedules, and log access to sensitive artifacts.
• Sanctions / export controls: validate tool vendors, hosting regions, and any restricted entities before procurement or use.
• Cloud AI: never paste sensitive PII, credentials, non-public indicators, or unique pivots into cloud LLMs. Redact and/or use local tooling.

Operating principles

• Triangulate: no single source is authoritative; corroborate across independent sources.
• Preserve context: capture full pages, not just snippets; record timestamps and access paths.
• Minimize pivot leakage: avoid logging into personal accounts or reusing cookies/profiles across cases.
• Document assumptions: explicitly separate facts, inferences, and unknowns in notes.

Quickstart playbooks

1) Person identity resolution (non-invasive)

1. Start with unique identifiers (email, username, domain, or organization) before names.
2. Run username/email pivots and capture results (screenshots + URLs).
3. Validate with independent sources (archives, official registries, multiple platforms).
4. Build a minimal identity graph (handles, emails, domains, known associates) and note confidence levels.

2) Company due diligence and ownership signals

1. Identify official web presence and corporate identifiers (legal name, registration number, VAT).
2. Use company registries and business intelligence sources; corroborate across jurisdictions.
3. Review media and sanctions context; preserve citations and capture snapshots.
4. Map infrastructure: domains, certificates, ASNs, hosted services; correlate with known brands cautiously.

3) Image/video verification

1. Extract metadata and generate hashes of files; store originals read-only.
2. Run reverse search across multiple engines; compare earliest known appearance via archives.
3. Check manipulation/provenance signals (content credentials where present) and look for inconsistencies (shadows, EXIF gaps, compression artifacts).
4. Document why a match is credible (visual landmarks, upload timing, independent reposts).

4) Geolocation and timeline

1. Collect candidate location hints (signage, terrain, weather, transport lines).
2. Confirm with maps + satellite and street-level sources; record coordinates and reference imagery.
3. Use time cues (sun angle, shadows, known schedules) cautiously; always label as inference.

5) Crypto wallet and transaction triage

1. Identify chain, address format, and first/last activity; keep chain-specific explorers as sources of record.
2. Use on-chain explorers and (where authorized) analytics platforms to cluster activity and identify counterparties.
3. For high-stakes cases, preserve transaction pages and include block numbers, timestamps, and transaction hashes in notes.

6) Infrastructure and attack-surface context

1. Enumerate domains/subdomains and certificates; map to hosting/ASN and known services.
2. Monitor new issuances, DNS changes, and exposed services; document tool versions and timestamps.

OPSEC baseline

• Use a dedicated browser profile (or VM/container) per case; avoid cross-case cookies and auto-logins.
• Prefer read-only viewing; avoid interacting with targets (no follows/likes/messages).
• Consider a research network boundary (VPN, egress controls) and prevent accidental account correlation.
• Avoid reusing unique pivots in third-party tools that may log queries; treat paid enrichment and AI as data processors.

Evidence handling

• Capture URLs, timestamps (with timezone), and page snapshots (PNG/PDF plus WARC/SingleFileZ) for key artifacts.
• Hash downloaded files (SHA‑256) and store hashes alongside originals.
• Keep a case log separating facts, inferences, and open questions; include tool versions for reproducibility.
• Store evidence read-only; prevent cross‑contamination by separating storage per case.

Tool catalog

Legend (optional tagging): [Free] [Freemium] [Paid] [API] [Dataset] [Extension] [Account] [Cloud]

Core indexes

• Bookmarks — Comprehensive list of various OSINT bookmarks.
• OSINT Framework — A comprehensive collection of OSINT tools and resources.

General OSINT

• Country Specific Resources — To help you specifically look for things a certain country
• CyberSudo OSINT Toolkit — List of OSINT Websites
• Distributed Denial of Secrets — Leaked Data
• GeoGuesser Top Tips — Top Tips and Tricks for Geolocation
• Google Dorks — Helps you search google more efficiently
• IntelTechniques Tools — A suite of OSINT tools for various investigative needs.
• Online Investigation Toolkit — A curated list of tools used by investigative journalists

Search Engines

• Brave Search — independent index; Goggles for custom ranking
• Carrot2 — organizes your search results into topics
• etools — metasearch engine
• Google Fact Check Explorer — cross-site fact-check search
• Kagi Search — privacy-first search with Lenses and non-personalized results
• PDF Search — searching for PDF files and viewing their table of content

Username and Email Investigation

• ContactOut — Discover Email Addresses
• Emailable — Verify if Email exists
• EmailRep — Check email reputation and associated data.
• Epieos — Email address pivots and metadata (when available)
• GetProspect Extension
• Holehe — Check if an email is registered on online platforms.
• Hunter.io — Find email addresses associated with a domain.
• Maigret — Collect profiles from various sites by username.
• Mugetsu — X/Twitter username history & meme coin lookups
• NameCheckup — Find Available Username
• Namechk — Check username availability across multiple platforms.
• OSINT Industries — Email/username/phone lookups
• PhoneInfoga — Information gathering framework for phone numbers
• RocketReach / Apollo / Dropcontact : Enrichment and email pattern guessing
• Sherlock — Find usernames across social networks.
• SignalHire Extension
• What’s My Name — Search for usernames across multiple platforms.

People Search

• Clearbit — Data enrichment for companies and individuals.
• FaceCheck — Find people by their picture
• FaceSeek — another reverse search for faces
• Pipl — Deep web people search (Note: primarily a paid service).
• Spokeo — People search engine.
• TruePeopleSearch — Free people search in the U.S.
• Webmii — People search engine
• WhitePages — Find people and contact information

Social Media

• Bluesky/AT Protocol:
  • Bluesky Directory — User directory and starter pack discovery
• Facebook Friends — graph search alternative
• Facebook Graph Search — Advanced Facebook search techniques.
• Facebook ID Lookup — to find ID of a user on Facebook
• Facebook Search — searching for posts
  • Fedifinder — Find Twitter/X users on Mastodon
  • FediSearch — Cross-instance post search
  • Fediverse Observer — Instance enumeration and stats
  • Fediverse.party — Platform directory and network map
  • Firesky — Real-time firehose monitoring for keywords/hashtags
• Mastodon/Fediverse:
• Meta Content Library — Researcher‑gated content search (CrowdTangle successor)
• Picuki — View Instagram profiles and posts without an account.
• RedTrack.social — Reddit user analysis and post history tracking
• Reveddit — View removed Reddit content for context
• Search4Faces — search for a face in social media.
  • SkyView — Follower graphs and network analysis
• snscrape — Actively‑maintained CLI scraper for X/Twitter, Reddit, Telegram, and more. Prefer this over Twint.
• Social Blade — Analytics for YouTube, Twitch, Instagram, and more.
• Threads by Instagram: Use Instagram OSINT tools; Threads shares Instagram account infrastructure
• Tokboard — TikTok trend and profile analytics (APIs change frequently)
• Twint (unstable; breaks when APIs change) — use only if snscrape cannot cover a need.

Phone Number

• Advanced Background Checks — shows all people that used the phone number
• CallerIDTest — Phone Search
• FreeCarrierLookup — Carrier/type lookup for US numbers
• Infobel — Phone search outside of USA
• NumlookupAPI — Programmatic carrier/line-type checks [Freemium]
• ThatsThem — Reverse phone search
• TrueCaller — Caller ID and Spam Blocking App

Public Records and Company Information

• EU Tenders (TED) — EU public procurement notices
• IFC Disclosure — Project disclosures and documents
• MuckRock — FOIA repository and request tracking
• OpenCorporates — World’s largest open database of companies.
• OpenOwnership Register — Beneficial ownership datasets
• SEC EDGAR — U.S. Securities and Exchange Commission’s database for company filings.
• World Bank Projects & Operations — Project and procurement records

Leaks

• BreachDirectory — Search credentials exposed in recent breaches
• Cavalier (Hudson Rock) — Infostealer lookups
• Dehashed
• Have i been pwned
• IntelX
• LeakCheck
• LeakPeek — Database breach lookups
• Phonebook
• PwdQuery
• Pwned Passwords API — K‑anonymity password checks without revealing the full hash
• Scattered Secrets
• Snusbase — Database breach lookups
• Snusmap — Visual browser for leaked‑data collections

Cryptocurrency OSINT

Blockchain Analysis

• Blockchain.com Explorer — Bitcoin and crypto search engine
• Blockchair — Bitcoin block explorer
• BSCScan — BNB Smart Chain explorer
• Cielo — Multi-chain wallet tracking (EVM, Bitcoin, Solana, Tron, etc)
• Dune — Analytics platform to query blockchain data
• Etherscan — Ethereum blockchain explorer
• Impersonator — Chrome extension to spoof login to dApps
• MetaSuites — Chrome extension for additional data on block explorers
• OKLink — Multichain explorer and analytics [Freemium]
• PolygonScan — Polygon PoS blockchain explorer
• Solscan — Solana blockchain explorer

Layer 2 / Rollup Explorers

• Arbiscan — Arbitrum One and Nova explorers
• BaseScan — Base (Coinbase L2) explorer
• Blast Explorer — Blast L2 explorer
• Growthepie — L2 metrics and analytics aggregator
• L2Beat — Risk analysis, TVL, and technology comparison for all L2s
• Optimistic Etherscan — Optimism mainnet explorer
• Polygon zkEVM Explorer — Polygon zkEVM rollup
• Scroll Explorer — Scroll zkEVM explorer
• Voyager / StarkScan: StarkNet block explorers
• zkSync Era Explorer — zkSync Era (zkEVM) block explorer

Wallet Investigation

• BitcoinAbuse — Track bitcoin addresses used for scams
• Chainalysis — Professional blockchain analysis platform
• Crystal Blockchain — Blockchain analytics and monitoring
• Wallet Explorer — Bitcoin wallet transaction clustering

Transaction Tracking

• Arkham — Multichain block explorer, entity labels, graphs, alerts
• BitQuery — Blockchain data analysis and APIs
• Breadcrumbs — Visual graphing and labeling for crypto flows [Freemium]
• Bubblemaps — Holder concentration visualization; identify whale clusters
• CipherTrace — Cryptocurrency intelligence
• CryptoTaxCalculator — Track PNL for an address
• Dextools — DEX trading analysis and charts
• GraphSense — Cryptocurrency analytics platform
• MetaSleuth — Similar to TRM but intended for retail users
• Nansen — On-chain analytics with Smart Money labels (paid; expensive)
• Token Sniffer — Honeypot and scam token detection
• TRM — Create graphs for addresses/transactions
• Whale Alert — Track large crypto transactions

Bridge Monitoring

• L2Beat Bridges — Risk analysis for bridges and tokens [Free]
• Pulsy — Bridge explorer aggregator
• Range — CCTP bridge explorer
• Socketscan — EVM bridge explorer

NFT Analysis

• Alchemy NFT API — NFT metadata and ownership APIs [Freemium]
• DappRadar — Track NFT sales and marketplace activity
• Nansen — NFT analytics platform
• NFTScan — Multi-chain NFT explorer
• OpenSea — NFT marketplace explorer
• Reservoir — Unified NFT metadata and market data API [Freemium]

Exchange Intelligence

• Binance Intelligence — Exchange activity monitoring
• CoinGecko — Cryptocurrency market data
• CoinMarketCap — Price tracking and market analysis
• Glassnode — On-chain market intelligence

Media Intelligence

Image Analysis

• Alamy
• Forensically — ToolSet for digital image forensics.
• Getty
• Google reverse image search — reverse image search engine.
• PimEyes — change a picture and then search
• Shutterstock
• TinEye — reverse image search.
• Yandex images — effective for Russian and eastern European content.

Browser Extensions

• EXIF Viewer Pro — View EXIF data in-browser.
• Fake News Debunker by InVID & WeVerify — Verifies images and videos.
• RevEye Reverse Image Search — Reverse image search extension.
• Search by Image — reverse image search tool, with support for various search engines
• Wayback Machine Extension — Quick access to archived web pages.

Video Analysis

• Frame-by-Frame Video Player — Analyze videos frame by frame.
• InVID & WeVerify Video Verification Tool — Browser extension for video verification.
• Snap Map (public stories) for area/event context
• YouTube Data Viewer — Extract metadata from YouTube videos.
• YouTube Geo Tag — Find location of a video via geo tags

Metadata Extraction

• ExifTool — Read, write, and edit metadata.
• FOCA — Analyze metadata and hidden information in documents.
• Jeffrey’s image metadata viewer — online image metadata viewer.
• Jimpl
• MediaInfo — Technical and tag information about video or audio files.
• Metagoofil — Extract metadata from public documents.

GeoSpatial Intelligence

Satellite Imagery and Mapping

• Bing Maps — Alternative mapping service.
• Google Maps — Mapping and satellite imagery.
• Memento Timemap — Aggregate archive index for any URL (for map UIs and tiles)
• NASA FIRMS — Fire data and HotSpots.
• NASA Worldview — Satellite imagery from NASA.
• NOAA Maps — Coastal imagery.
• Open Infrastructure Map — Visualize global infrastructure(Water, Power, Gas, etc) networks
• OpenStreetMap — Open-source map of the world.
• Sentinel Hub EO Browser — Access to satellite imagery from Sentinel and Landsat.
• Wayback Imagery — Historical satellite images.
• Windy — Live weather map.
• Zoom Earth — Live satellite images and weather data.

Tools and Applications

• C2PA Verify — Verify embedded content credentials
• GeoNames — Geographical database.
• KartaView — Open-source street-level imagery.
• Mapillary — CrowdSourced street-level imagery.
• Marble — Virtual globe and world atlas.
• Overpass Turbo — Advanced querying of OpenStreetMap data.
• PeakVisor — Identify mountain peaks.
• SAS Planet — Satellite imagery viewing application.
• SunCalc — Sun position calculator for Chronolocation.

Street View

• Apple Maps — Alternative mapping service.
• Baidu Maps — Chinese mapping service.
• Google Street View — Street-level imagery.
• Yandex Maps — Russian mapping service with street view.

Flight OSINT

• ADSBExchange — Unfiltered community ADS‑B flight tracking feed
• AirFrames
• FlightAware
• FlightRadar
• JetPhotos — Spotter photos for visual confirmation
• Planespotters — Fleet/airframe history and photos by tail number
• RadarBox

Maritime OSINT

• FleetMon — Historical AIS data and analytics
• Global Fishing Watch — Fishing vessel behavior and AIS gap analysis
• MarineTraffic — Live AIS vessel tracking
• VesselFinder — Global ship movements and port calls

AI‑Assisted OSINT Platforms

Commercial/Enterprise AI Tools

• Cylect — AI‑powered entity extraction and link‑analysis workspace
• DarkOwl Vision — AI-powered darknet data collection and analysis
• Fivecast Matrix — Generative‑AI triage and risk scoring for large social‑media datasets
• Recorded Future — AI-driven threat intelligence and entity tracking

AI-Powered Analysis

[!WARNING] Treat cloud AI prompts as potentially retained by providers and/or their subprocessors. Do not paste sensitive PII, non-public indicators, credentials, or unique pivots. Use redaction, synthetic examples, or local models.

• Anthropic Claude — Large-document review and synthesis (use only with sanitized inputs) [Cloud]
• Google Gemini — Multimodal analysis and research assistance (use only with sanitized inputs) [Cloud]
• Microsoft Copilot — Bing-backed search assistance for generic queries (avoid pasting sensitive pivots) [Cloud]
• OpenAI ChatGPT — General-purpose analysis, text extraction, data triage (use only with sanitized inputs) [Cloud]

• Perplexity — Web search + citation-style answers for background context (avoid pasting sensitive pivots) [Cloud]

  • GPT4All — Local inference and chat
  • LM Studio — Local model UI
• Local / self-hosted LLM runners (privacy-preserving):
  • Ollama — Run open models locally

Specialized AI OSINT Tools

• Adobe Content Credentials Verify — Alternative C2PA verifier
• CarNet — Identify car models via AI (useful for geolocation)
• FingerprintJS — Browser fingerprinting and bot detection
• Hive Moderation — AI content moderation and CSAM detection
• Reality Defender — Deepfake and AI-generated content detection
• Sensity AI — Deepfake detection and synthetic media analysis

Archiving & Snapshots

• ArchiveBox — Self-hosted web archiving; captures HTML, PDF, screenshots, media
• archive.today — One‑page content archiver with screenshot capability
• Hunchly — Evidence capture tool for investigators (paid)
• Kasm Workspaces — Containerized OSINT workspace images (browser isolation)
• SingleFileZ — Browser extension for offline single-file HTML archives
• URLScan.io — On‑demand webpage scan with full resource map and screenshot

Automation

Workflows and schedulers

• Apache Airflow — Workflow orchestration for complex data pipelines
• Cronicle — Distributed task scheduler for recurring OSINT jobs
• Huginn — Agent-based automation for monitoring, scraping, alerting
• n8n — Self-hosted workflow automation for OSINT pipelines (e.g., monitor RSS → scrape → alert)
• Prefect — Modern workflow orchestration; easier than Airflow

Headless browsing and crawling

• Browsertrix Crawler — Archival crawling with WARC export
• Playwright — Headless browser automation with stealth plugins

Additional Tools

IP and Network Analysis

• BinaryEdge, FOFA, ZoomEye: Infra pivots complementing Shodan/Censys
• Robtex — Passive DNS and infrastructure pivots
• Spur — IP lookups and tracking

ASN/BGP & Internet Measurement

• bgp.tools — Clean ASN/IX views, routing details [Free]
• BGPView — ASN and prefix explorer
• Hurricane Electric BGP Toolkit — ASN, prefix, peers, and IRR data
• PeeringDB — Facility and peering info for networks
• RADb, RIPE IRR: Routing policy and contacts
• RIPEstat — IP/ASN history, routing, geolocation, abuse contacts
• RPKI Validators — Route origin and ROA status checks

Certificates & CT Monitoring

• Censys Certificates — CT and x509 attribute pivots
• Cert Spotter — CT monitoring and alerts [Freemium]
• CertStream — Real‑time CT feed (via WebSocket)
• crt.sh — Search Certificate Transparency logs
• Favicons/mmh3 — Hash favicons to cluster infra; pair with Shodan/Censys favicon search
• Let’s Debug — Diagnose certificate issuance issues [Free]
• Rapid7 Open Data — Sonar datasets (DNS/HTTP/SSL)

Social Media Intelligence

• Discord ID — Basic Discord account information
• TelegramDB Search Bot — Basic Telegram OSINT
• TGStat — Channel statistics and message search

Telegram & Messaging Analytics

• Combot — Group analytics (partially paid)
• WeChat OA search via Sogou Weixin: Search WeChat Official Accounts content
• Telemetr — Channel growth, overlaps, forwards
• TGStat — See: Additional Tools → Telegram & Messaging Analytics.
• **[t.me/s/](https://t.me)** — Public channel feed view (replace with channel name)

Infrastructure & Attack‑Surface OSINT

• Amass / Subfinder [Free]: Passive subdomain discovery (use responsibly)
• BuiltWith — Tech stack enumeration; useful for pivoting to third‑party assets
• Censys — Enumerate hosts and digital certificates across the internet
• GreyNoise — Distinguish background internet noise from targeted scans
• Netlas — Large‑scale HTTP/DNS/certificates pivots
• Recon‑ng — Web‑based recon framework
• RiskIQ PassiveTotal — Passive DNS/cert/host pivots
• SecurityTrails — Passive DNS records and asset discovery
• Shodan — Search engine for internet‑connected devices and services
• SpiderFoot — Automated OSINT reconnaissance and correlation (self‑host or SaaS)
• theHarvester — Subdomain, email, and metadata harvesting

Threat Intel & IOCs

• abuse.ch ThreatFox, URLHaus, SSLBL
• Malpedia — Malware families, YARA, references
• MalwareBazaar — Sample sharing (hash‑based queries)
• MISP Project and public MISP feeds
• OpenCTI — Knowledge graph for CTI (self‑host or SaaS)
• PhishTank, OpenPhish
• Vendor & CERT advisories: CISA/NSA/CSA joint advisories, CERT‑EU, NCSC‑UK, JPCERT/CC, CERT‑UA

Malware Analysis & Sandboxes

• Sandboxes: ANY.RUN, Hybrid Analysis, CAPE, Tria.ge
• Intelligence: Intezer (code reuse), VirusTotal (be cautious—uploads become public)
• TLS Fingerprints: JA3, JA4
• Static: pefile, FLOSS, capa
• Similarity: SSDEEP, TLSH
• YARA: yara, community rules via Malpedia/GitHub repos

RU/CN Corporate & Registries

• China: GSXT (National Enterprise Credit Info), Qichacha / Tianyancha (freemium), MIIT ICP/Beian (ICP filings)
• Russia: EGRUL/EGRIP (official registries, captcha‑gated), Rusprofile, Kontur.Focus (freemium), zakupki.gov.ru (procurement)
• Russia media/social: VK, OK.ru, Rutube
• China platforms: Weibo, Bilibili, Zhihu, Douyin

Regional Search Engines

• China: Baidu, Sogou, 360 Search
• Russia/CIS: Yandex, Mail.ru Search

Sanctions & Compliance

• EU Sanctions Map
• OCCRP Aleph — Investigative documents, leaks, company records
• OFAC SDN List
• OpenSanctions — Aggregated persons/entities datasets
• UK Sanctions List (OFSI)

Changelog

• 2026-02-10: Restructured into executive summary, governance, playbooks, OPSEC/evidence handling, and normalized tool formatting.