Most analysts doing dark web OSINT are still doing it manually.

the methodology hasn't changed, you start with a query, fan out across search engines, scrape relevant pages, extract indicators, map relationships, enrich against threat intel feeds, and write a report. every investigation, same steps, same grind.

the problem isn't the methodology. it's that doing it manually takes hours, misses sources, and depends on the analyst knowing where to look.

Tor search engines go down. paste sites get ignored. GitHub has leaked C2 configs that never make it into manual investigations. certificate transparency logs reveal subdomain infrastructure that nobody checks. breach databases have context on the email addresses you're looking at.

VoidAccess runs all of it in one pipeline. Tor, paste sites, GitHub, GitLab, 20 security RSS feeds, passive DNS, cert transparency, sandbox analysis, parallel, automated, in under 3 minutes.

the methodology is still yours. the grunt work isn't.

github.com/KatrielMoses/voidaccess

Medium: https://medium.com/@katriel.moses/i-ran-a-dark-web-osint-investigation-on-ransomhub-heres-what-came-back-in-3-minutes-68534d148a87

A good investigator usually utilizes or develops good tools.

Great investigators find balance between creating tools, finding and exploiting pivots, and establishing networks.

Tools can help you answer a lot of questions. They can provide ways to find and exploit those pivots we should love very much

But what I find separates the average investigator from the best are the networks the best established.

Here's what I mean:

1. Are you on good and professional terms with other investigators? Do you get sought out for your expertise from them? Do you solicit them for help? Are you a member of any investigative communities?

2. Are you friendly with gateway keepers? Secretaries, receptionists, software developers, etc. I have the honor of being a very early beta tester for a very commonly used software utilized in investigations, solely because I picked up the phone and called the developer and vibes with him for a few hours.

3. Are you willing to give and receive feedback on your cases from not just fellow investigators but even lay people who may be OSINT adjacent?

4. Have you established any contacts with any of the major platforms or data providers you utilize?

5. How many contacts have established in the area your targets typically live in, go to school at, or travel to?

In this list are an amazing number of ways to get further in your investigations and achieve one-of-a-kind results, if you remember and capitalize on one final piece of advice from Sun Tzu - "What enables the wise sovereign and the good general to strike and conquer, and achieve things beyond the reach of ordinary men, is foreknowledge. This foreknowledge cannot be elicited from spirits; it cannot be obtained inductively from experience, nor by any deductive calculation. Knowledge of the enemy's dispositions can only be obtained from other men."

free open-source security scanner that runs fully local via Ollama without API keys

point it at a domain and you can get a ranked report with OWASP Top 10 findings, CVSS scores, and clear remediation steps

https://infosecwriteups.com/i-am-17-i-built-a-free-security-scanner-because-the-industry-left-small-businesses-behind-54892cf2dc6a

only scan what you own or have written auth to test

I've been experimenting with a knowledge-graph platform that links people, photos, social profiles, locations, events, and family relationships.

One feature uses face clustering to group photos by person and connect them to a broader relationship graph.

The long-term goal is to help users understand extended family networks, migration paths, and social connections through visual graph analysis.

I'm interested in feedback from OSINT practitioners:

• What graph-analysis features do you find most useful?
• How do you handle confidence scoring for inferred relationships?
• What are the biggest challenges when visualizing large relationship networks? https://github.com/rajeshmn47/valantir

Hello everyone,

I am wondering how osint tools work i know they have baseline kf breached data and public data but if someone can give me overview.

Thanks

I'm new to OSINT, I decided to start with Kali on a VM and as a first tool I wanted to try Osintgram.

I knew that as an Italian it would give me errors so I installed a VPN both inside and outside the VM but it continues to give me error 400 (block_eu_user), how can I fix it?

Saw "Cyber Detective" aka @cybdetective post about this tool called Kronikier. Seems like something you should add to your kit.

According to the repo, it is an "OSINT tool that mines historical contacts (email, phone numbers) for a domain out of web.archive.org snapshots. Built for investigations where the current site no longer shows contact details (or shows different ones) but earlier versions are preserved in the archive."

https://github.com/soxoj/kronikier

Hi, I'm new to the Osint field and after watching some tutorials I decided to start with Osintgram but it gives me this error, Can anyone tell me what the problem is and how to solve it?

PS: I'm from Kali Linux.

Hey OSINT Community,
I’m a business student and parttime osint enthusiast, but I also help moderate a community where we have to constantly screen for bad actors, trolls, and creeps. Lately, a massive headache has been users setting their Reddit profiles to "hidden," making it tedious to quickly check their history for red flags.

Even when a profile is set to "hidden," their posts and comments in public subreddits are still out there. Because I don't have a formal coding background, I spent a lot of time figuring out how to stitch a solution together to speed up my own moderation workflow.

I ended up putting it into a free Chrome extension:Profile Unhider.

it doesnt need any signups or store any data, its purely logic based. sharing it here since i found it useful & thought y'all feel the same

Hello divas ,

I Need an osint tool which doesn't require coding or payments and can figure out someone's online presence, using their e-mail or phone number. I also have info like Twitter account handle , fb account, insta id , yt account, alternate emails etc etc . Just need an in depth tool to research more on an individual if required.

Thanks 😘

I’m mainly interested in checking where my own usernames, emails, domains, old accounts and whatnot show up online, then organizing the results into something easy to track (and delete after preferably, accounts and data I mean). I have some basic skills in programming and scripting with python and I've done some simple scrappers before nothing like this though, I'd appreciate any input on this.

Please fill this form https://forms.gle/T8nSq5M7srt3Z42H9

Built an OSINT tool that maps the actual connections between someone's profiles — not just if they exist.

Helix extracts bio links and draws them as edges in a live D3.js graph. Find a GitHub → it checks the bio for Twitter, LinkedIn, website links automatically.

70+ platforms · WAF bypass · Sherlock integration

🌟 github.com/thalha-a9/helix

#osint #bugbounty #infosec #python

I’d be interested to know which tool you’ve used in the past that was so bad you stopped using it. Was it a bad update, the user interface, an ugly design, missing features, or something else? Did it get that bad after an update, or did you just try it out once? I’d appreciate your feedback so we can learn from it and improve in the future. Best regards

Tribe absolutely kills it here.

This ain't Gotham and we're not the Justice League, Batman.

lowkeystalker is a browser extension that silently intercepts Tinder's internal API traffic, surfaces full profile data in a sleek overlay, and auto-archives everything — JSON and photos — straight to your local machine.

Hey everyone,

I'm a cybersecurity student who did internships in OSINT and web pentesting. I'm researching how security professionals actually do investigations day-to-day — specifically the painful, repetitive parts that eat up your time.

I put together a short survey (4 minutes, completely anonymous). No email required, no sales pitch at the end. I'm genuinely trying to understand the workflow before building anything.

Would really appreciate honest answers — especially from people who do this regularly.

https://forms.gle/T8nSq5M7srt3Z42H9

Happy to share the findings with the community once I have enough responses. Thanks in advance.

I have a really important court day coming up and I have to build a connection between some people it's over a termination of parental rights I'm getting bullied and railroaded because they are friends and I've seen it but when i said something there profile went private before i could screen shot it If I could only get on their profiles and take screenshots I could prove everything I've been saying but nobody will listen to me because they are court officals but its been over a year now and if i dont get it im going to lose my babies If anybody knows how it would be greatly appreciated thank you

I’ve been testing a few AI-assisted image geolocation tools lately, and my biggest takeaway is that they’re useful, but only if you treat them as lead generators.

They can be surprisingly good at narrowing down a country, region, city, or possible street-level area from visual clues like road markings, signs, architecture, vegetation, storefronts, mountains, sidewalks, or utility poles.

But the dangerous part is confidence.

A polished map pin, clean reasoning box, or nice PDF report can make a weak guess feel stronger than it actually is. That matters in OSINT because a wrong location that looks convincing can do real damage.

The best use case I’ve found is:

1. Use the tool to generate candidates
2. Extract the visual clues it noticed
3. Check those clues manually
4. Compare with Street View / satellite / local sources
5. Look for contradictions
6. Only then treat it as useful

The tools should get better at saying “not enough signal” instead of always trying to force a location.

Personally, I think the future of this space is not just “guess where this image was taken.” It’s image verification: location candidates, evidence, confidence, contradictions, source-backed context, and audit trails.

Curious how others here are using AI geolocation tools. Are they actually helping your workflow, or mostly producing noise?

KeyHog is a fast OSS secret scanner written in Rust with GPU acceleration.

https://github.com/santhsecurity/keyhog

It scans source trees, git history, staged changes, Docker images, S3 buckets, GitHub orgs, stdin, and local filesystems for leaked credentials.

It has 891 service-specific detectors. AWS, Azure, GCP, Cloudflare, Stripe, GitHub, GitLab, npm, Slack, Discord, Twilio, OpenAI, Anthropic, HuggingFace, Postgres URLs, MongoDB URLs, Redis URLs, private keys, JWT secrets, and generic high-entropy credentials.

It uses Hyperscan on CPU and has a GPU backend for accelerated scanning.

It scans decoded content. Base64 blobs, Kubernetes Secrets, Docker auth blobs, JWT payloads, Helm values, and encoded env files are decoded before matching.

It handles split secrets. JS string concatenation, YAML multiline strings, Makefile continuations, and templated config are reassembled before scanning.

It uses validation where plain pattern matching gets noisy. Some detectors check companion fields, checksums, entropy, nearby context, or known token structure before reporting.

Each finding gets a confidence score. You can raise or lower the reporting threshold without ripping out detectors.

Daemon mode keeps pre-commit and editor scans fast by avoiding repeated detector startup cost.

Install:

cargo install keyhog

Common commands:

keyhog scan .
keyhog scan --git-history .
keyhog scan --git-staged
keyhog scan --docker-image registry/app:v1
keyhog scan . --format sarif -o keyhog.sarif
keyhog hook install

CI/baseline commands:

keyhog scan . --baseline .keyhog-baseline.json
keyhog diff before.json after.json

Lockdown mode is for scanning machines that may already contain live credentials. It avoids printing plaintext secrets, refuses cache writes, disables live verification, and applies process hardening where supported.

Most people check HIBP, see a list of breach names, and stop there. HIBP doesn't tell you whether a breach hit is a historical database dump or live credentials captured from an infected machine. That distinction matters a lot. Ran MailAccess on [john_doe@example.com](mailto:john_doe@example.com), a placeholder email that's accumulated real data. Results: - Naz.API stealer log hit (71M credentials, captured live from infected machines, not a cracked hash) - Verifications.io (762M records, name, phone, employer, physical address, no cracking needed) - LinkedIn, Promo breaches confirmed across two independent sources - 170 confirmed platform accounts - Real name recovered from GitHub commit history Wrote up the full investigation and what the pivot looks like when you find a stealer hit:
https://medium.com/@katriel.moses/your-email-is-in-a-breach-database-mailaccess-shows-what-hibp-wont-6f1aa53cd0fa

pip install mailaccess, runs in 30 seconds, no API keys needed for any of the above.

I put together a tool to check the mutual followers between two or more Instagram accounts. It works for both public accounts and private accounts, provided you currently follow the private ones

It runs on a locally so you need to download it and run it from terminal (not too hard)

https://github.com/OscarFromNZ/InstagramMutualFollowerChecker

Thanks! This is a very early version, I'd really appreciate honest feedback if anybody wants to set it up (it's real quick) and try it out themselves