In this article I'm going to discuss getting down and dirty with some OSINT and digital profiling. We have all heard of OSINT, but what about digital profiling?

What is digital profiling?

Digital profiling is the process of gathering and analysing information about an individual that exists online. Oftentimes it is used in marketing, and I've seen more examples of it coming up during the recruitment process, whereby individuals have been rejected or passed over for positions due to an opinion or post they wrote in the past. It can be used in a variety of ways, so if you're interested in learning more check out this post:

Why Profile?

We may wish to profile an individual in order to help with a more targeted attack - for example, spearphishing - or we might just want to learn more about the person's daily habits - do they visit a coffee shop on a specific day and time, do they connect to the wifi at said coffee shop - would there be an opportunity to snaffle their laptop if left unattended? Could we clone their RFID door swipe card? Could we shoulder surf them and catch their username and password?

Whilst it all sounds a bit 007, you often need to think in this manner and put your ethics aside. When carrying out digital profiling you're going to be trawling through people's personal social media profiles, posts and pictures looking for that one small detail that might help you. As the title suggests, you're profiling them hoping to find the clues that will lead you to the answer you're looking for.

Another reason for profiling is to help you with password enumeration. Many users will use their spouse's or children's names as their passwords - it's an easy-to-remember name, and appending a year or date of birth will often meet the password policies set in many corporate environments. In recent phishing engagements I've encountered many children's names with a date of birth appended to the end.
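Because a name plus a year passes most length and character-class rules, this pattern has to be screened for explicitly when a password is set. The following is an added example, not code from the original post: a check that flags passwords built from names and dates the organisation already holds for the user. The function names and the sample profile are hypothetical and constructed for illustration.

```python
import re
from datetime import date

# Common character substitutions, undone before matching names.
DELEET = str.maketrans("01345@$", "oieasas")

def name_tokens(profile):
    """Lower-cased name parts (3+ letters) of the user and listed relatives."""
    tokens = set()
    for full_name in profile["names"]:
        tokens.update(p.lower() for p in re.findall(r"[A-Za-z]{3,}", full_name))
    return tokens

def date_fragments(d):
    """Digit strings people commonly build from one date (4+ digits only)."""
    dd, mm, yyyy = f"{d.day:02d}", f"{d.month:02d}", f"{d.year:04d}"
    yy = yyyy[2:]
    return {yyyy, dd + mm, mm + dd, dd + mm + yy, mm + dd + yy,
            dd + mm + yyyy, mm + dd + yyyy, yyyy + mm + dd}

def personal_info_findings(password, profile):
    """Return reasons the password is guessable from the profile ([] if none)."""
    lowered = password.lower()
    names = name_tokens(profile)
    findings = []
    if any(n in lowered.translate(DELEET) for n in names):
        findings.append("personal_name")
    # Drop separators so 17/05/2012 and 17052012 are treated alike.
    digits = re.sub(r"\D", "", password)
    if any(f in digits for d in profile["dates"] for f in date_fragments(d)):
        findings.append("known_date")
    # A name followed only by digits/symbols: the "name + year" shape that
    # still satisfies length and character-class rules.
    stem = re.sub(r"[\d\W_]+$", "", lowered).translate(DELEET)
    if stem in names and stem != lowered:
        findings.append("name_plus_suffix")
    return findings

# Constructed sample profile (not real data).
SAMPLE_PROFILE = {
    "names": ["Alex Example", "Olivia Example"],
    "dates": [date(1980, 3, 9), date(2012, 5, 17)],
}
```

An empty list means the password passed this check only; it still needs the usual length and breached-password screening.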


The crux of the post is really to help you understand the methodology to get you started and what to look for in your search. Sure, everyone says Google and Facebook will get you everything you need, and that still holds true; however, without a solid methodology you may end up spinning like a hamster in its wheel.

So we have the CEO or other high-ranking person we want to attack. Where do we start?

  • First off, let's head to the company website to see if we can obtain an email address, location and bio of the person of interest. We will want to cross-reference that with what we find on LinkedIn.
  • LinkedIn - You'll really want to have a profile set up that isn't your own, otherwise you will give the game away. Get yourself a new identity and fake profile picture - if you're targeting a person who works for a global or large organisation, chance your luck and pretend to work for them on your profile; that way it becomes slightly more convincing when you try to connect with them.
  • Facebook - Again, you will want to have a profile which is not your own personal account. Typically I will keep the same fake identity going over multiple sites, so LinkedIn, Facebook, Twitter, Instagram etc. Look at each of these social media platforms in turn to check if your target has a presence. Understand their interests, hobbies and social life, and then try to correlate that with your end goal.

A tool that recently came back online is Intel Techniques by Michael Bazzell, which accompanies his book, Open Source Intelligence Techniques, 9th Edition. Be sure to take a look here:

When trawling social media, don't just look at your target's profile; check their wife's/husband's profile, their children's profiles, and the profiles of friends and family. Sometimes a person may not be as verbose as you expect them to be, whilst others are overly verbose and share far too much information.

What should I be looking for?

  • Pictures!! "A picture is worth a thousand words", so the saying goes, and when it comes to examining photos and images you can reap the rewards quite quickly.
  • Look for locations they have been tagged in, businesses that they like, or locations where they checked in - this can be especially helpful when you're trying to narrow down the location of where they stay.
  • Leaked phone numbers or profiles which again are possibly overly verbose - I've seen this numerous times where people have left their profiles open to the public and I've been able to get their full date of birth.

Real World Engagement Example:

As part of a social profiling exercise, I was tasked with trying to identify a high-ranking member of a global company who resided here in the UK. Without giving away the specifics, I was able to obtain the person's home address, including a floor plan of their house, and establish a future four-week timeline of their activities.

  • Facebook tags and likes of local businesses from the target's spouse provided an approximate district/borough within a city. Facebook also provided me with the target's children's names and their profiles.
  • Google dorking using the target's children's names (which were quite unique) landed me on a school's website which highlighted a child's recent achievements in a blog post. Cross-referenced the school's name with an image from Facebook which had the same school crest. A review of the school's location on Google Maps gave me a more focused location within the district/borough I had previously established. Based on the theory that the children would probably walk to school, I figured they would stay within the surrounding area.
  • Returned to Facebook and revisited posts of family and friends, which included a recent picture of the target's oldest child which had some distinctive features in the background of the images. The foreground also had a very expensive-looking car with a distinct number plate. Further researching via more dorking found the car was from a chauffeur company within the area. Again, this helped to confirm that I was searching in the right place.
  • Further review of family and friends led me to a business name under the name of one of the target's friends. Using this I was able to search the records from Companies House:

You can get some details about a company for free, such as company information, registered address, date of incorporation, current and resigned officers, document images, previous company names and insolvency information.

  • Lo and behold, the target had previously been listed as an officer at their friend's business - Companies House's information included their home address - JACKPOT!!

I quickly used Google Maps Street View and, using background images from previous images, I was able to verify the location as being correct, due to the distinctive features of houses in the background. Next stop was to get a layout of the house; inserting the address on a property website showed me the last time the house was sold and also included a PDF brochure of the layout. Cross-referenced some of the pictures from the target's FB profile with images taken from when the house was up for sale and I knew I was at the right address.


Digging through profiles of people you don't know can feel pretty dirty; however, you can counter this with the argument that they should be more aware of their online presence and the information that they are sharing. If I can find this information, then so can a criminal enterprise. I'm certainly no organised crime gang, but if I were, these are the sort of processes they would use to target an individual, follow their movements and daily routine, and use this information as a means to leverage their partner/spouse/children to compromise a target.
