Ethical Hacking Tutorials

9 Best Tools For Social Media OSINT

Find out almost anything about anyone using advanced social media OSINT (Open Source Intelligence). These nine Social Media OSINT tools are crucial for any OSINT investigation.

Read this bit first

👉 I strongly condemn any illegal use of this material as is outlined in my legal disclaimer. There are plenty of responsible applications for this content, and it is here to inform ethical hackers, penetration testers, and anyone who is intrigued as to how systems are compromised. Remember the golden rule and THINK before you type. 👈

What you will learn

The first stage to launching any successful cyberattack is to perform intense research into your target: finding out who they are, where they are located, who they know, and a plethora of other information. Enter OSINT, or Open-Source Intelligence gathering for short.

In this pursuit, we scan the entire internet for any scent of our target’s presence, like a tiger sniffing out its prey. From Amazon wishlists (I will cover this in another guide, subscribe to my newsletter to be notified when it drops) to LinkedIn connections, the process of thoroughly gathering open-source intelligence is as intense as it is invasive.

In this guide, we will look at my top ten tools for scanning social media channels for valuable open-source intelligence. Whilst some of these tools will involve using Kali Linux (the most widely used platform which hackers use daily), almost anyone can use most of the tools that we will cover in this guide.

I would also like to disclose that not every item on my list is a ‘tool’, and some of the items are instead purely a technique to work within the parameters of social networks to extract useful information, such as Google Dorking.

And as a sidenote, if you are serious about leveling up your OSINT game, I recommend reading the definitive textbook on the subject: Open Source Intelligence by Michael Bazzell.

We will start by exploring the fundamental basics of OSINT before moving on to my top tools for social media OSINT.

What is open-source intelligence gathering

In the Cold War, most intelligence gathering was done by trained intelligence officers who would seek out persons of interest, run them as agents, and bring the intelligence back to C (control) for the analysts to make sense of. In 2024, whilst this form of intelligence is still vital to the national security of any ‘grown-up’ nation state, the role of Open-Source Intelligence has proven to be just as invaluable.

You don’t need to be a spook (meaning spy, in the business) to practice OSINT, and this process is part of the ongoing democratisation of intelligence gathering.

OSINT refers to the practice of collecting and analysing publicly available data from a wide range of sources to produce actionable intelligence. Unlike traditional intelligence gathering methods such as Signals Intelligence (SIGINT) or Human Intelligence (HUMINT), which often rely on classified or confidential information, OSINT leverages openly accessible data from the internet, social media, public records, and other sources.

The beauty of OSINT lies in its accessibility and versatility. With the proliferation of digital platforms and the internet’s widespread adoption, a vast amount of information is generated and shared by individuals, organisations, and governments on a daily basis. This data encompasses a diverse array of sources, including news articles, blog posts, social media updates, satellite imagery, public databases, and more. By harnessing this wealth of openly available information, OSINT practitioners can uncover valuable insights, identify patterns, and piece together comprehensive intelligence reports.

There are two types of OSINT: Active OSINT, and Passive OSINT. It’s important to know when to use each.

Passive OSINT

Unlike active OSINT, which involves direct interaction or engagement with online sources, passive OSINT focuses on the systematic monitoring and analysis of publicly available information without direct interaction. This can include but is not limited to, social media platforms, news websites, forums, blogs, public databases, and websites. By leveraging automated tools, algorithms, and search techniques, passive OSINT practitioners can sift through vast amounts of data to identify relevant information, trends, and patterns.

Active OSINT

Active Open-Source Intelligence (OSINT) represents a proactive approach to intelligence gathering, involving direct engagement with online sources and communities to gather information, insights, and intelligence. Unlike passive OSINT, which focuses on the observation and analysis of publicly available data, active OSINT entails interacting with online platforms, individuals, and communities to elicit information and generate intelligence.

Active OSINT encompasses a variety of techniques and methodologies aimed at engaging with online sources in a deliberate and strategic manner. This can include but is not limited to, conducting interviews, surveys, and polls, participating in online forums and communities, interacting with social media users, and leveraging targeted search queries to uncover specific information.

If you need an experienced OSINT investigator to launch an investigation of your choosing, you should contact me and I will respond to you within one working day.

1) Search Engine Dorking

Search Engine Dorking, often referred to simply as “Google dorking,” is a technique used to refine search engine queries to uncover specific types of information that may not be readily accessible through conventional search methods. This method involves using advanced search operators and specific search strings to narrow down search results and pinpoint desired information.

Most people outside the security community don’t know about this, but there are several ‘dorking’ commands that can be used to extract social media information about a target that isn’t explicitly. For example, if I type in {target’s name} and filetype:pdf, it will return every PDF in Google’s database that contains the target’s name.

Let’s look at the most common dorking techniques to uncover information about our target.

Dorking tip one: inurl searches

Use the “inurl” operator to search for specific keywords within the URL of web pages, which can help uncover pages containing relevant information. The above search (pictured) will scan a specific website for your target’s name.

Dorking tip Two: Filetype searches

Use the “filetype” operator to search for specific file types, such as PDFs, spreadsheets, or Word documents, which may contain sensitive information.

Dorking tip Three: Wildcard searches

For example, if you’re searching for variations of a name where you’re unsure of the middle initial or full middle name, you could use a wildcard like “John * Doe” to capture results for “John A. Doe”, “John B. Doe”, “John C. Doe”, etc.

Dorking tip Four: Range operators

You can use range operators to search for results within a specific date range by specifying a start date and an end date.

I hope that the above examples arm you with the tools you need to scan your target’s social media feeds. Remember, posts on social media sites are frequently indexed on search engines, regardless of their privacy settings and/or if they have blocked your account.

Now, the above tips are just scratching the surface. I will now introduce an exact technique that I used in a client’s (ethical and legal) OSINT campaign. You can contact me here if you would like me to run an OSINT investigation for you. I wanted to find a list of people who posted @ my target, instead of posts that my target made. This allowed me to establish who had a close personal relationship with my target (otherwise, why would they tag them in a post?). So I used the following:

site:instagram.com “@target’sname”. The use of “” ensured that Google only searched for my target’s usertag, and the use of site:instagram.com ensured that the only website being queried was Instagram. I received over 100 results from the past 5 years, allowing me to build a detailed picture of the target’s network over time, and allowing me, through a process of reasoning, to establish who they knew and when. I then went through a process of inductive reasoning (more on this later, subscribe to my newsletter to read the guide when it drops) to establish if they fell out with anyone in their network, and why.

2) Instalooter (Kali Linux)

Instalooter is a Python-based tool used for downloading public posts and stories from Instagram. It allows users to retrieve images, videos, and metadata associated with Instagram accounts, hashtags, or locations. There are alternatives to Instalooter called Instaloader, Toutatis, and Osintgram.

Whilst you don’t necessarily need to have Kali Linux installed (any Debian-based Linux distro is preferable and some users even run it on Windows and macOS), I recommend using Kali as it comes equipped with complementary tools for further OSINT investigations, alongside, of course, all the hacking tools we need to compromise our target.

To install Instalooter, you can use the following command:

    pip install instalooter

Unlike some other Instagram scraping tools, Instalooter does not require authentication with an Instagram account (in other words, you don’t need to log in to use this tool). It works by directly accessing the public data available on Instagram. This allows for passive OSINT gathering as we are leaving little trace of our activity.

Once installed, users can run Instalooter from the command line with various options and parameters. For example, to download all posts from a specific user, you would run a command like the one listed below.

    instalooter user <username> <download_directory>

3) Tracking followers and unfollowers

This next tip will require that you log in to Instagram in a web browser, and it assumes that you are an approved follower of your target (some accounts are in private mode).

Once authenticated, navigate to your target’s profile and click on following, or followers. Upon doing so, a list of all the Instagram users that the target has a relationship with will be shown. Press control + A, or command + A, after you have dragged over every user on the list. Right click, and click on copy selected text.

After this is done, paste the data into a spreadsheet. Every week (or a frequency of your choosing), you can repeat this process and paste the results into a new spreadsheet tab. Finally, by writing custom formulas, you can monitor the change over time.

This one can be a little bit tricky to master. If you want me to show you the ropes or even do it for you, drop me a message by submitting this form or emailing hello@aitkensecurity.com

I monitor the Instagram accounts of my client’s targets over time, and prepare reports on who followed who, and when. And, by following a process of inductive reasoning, we can assess why these two parties follow each other (for example, are they both attending the same University? Or are they at the early stages of a romance?). Again, drop me a line if you want to work with me on this.

4) Maltego for extracting information on all social platforms (Kali Linux)

Maltego is a powerful data visualisation and link analysis tool that is widely used for gathering information and conducting investigations. While Maltego itself does not directly extract information from social media platforms, it can be integrated with various data sources and transforms to gather data from multiple sources, including social media platforms.

If Maltego is not already installed on your Kali Linux system, you can download and install it from the official Maltego website or through the Kali Linux repositories.

The following steps, as you can see, are very basic. I will produce a full Maltego demonstration in due course. Read on to learn a high-level overview on how to use this powerful OSINT suite for your social media OSINT.

This image is from the official Maltego website and it shows a map of the accounts and social media accounts that a target possesses. I find Maltego incredibly useful and utilise its powerful features every day.

Create a 'transform'

Maltego uses transforms to gather data from different sources. While some transforms are built into the tool, others can be obtained through commercial licenses or by developing custom transforms. Look for transforms specifically designed to gather data from social media platforms.

Configure Maltego to use the transforms relevant to the social media platforms you want to extract information from. This may involve providing API keys, authentication tokens, or other credentials depending on the platform’s requirements.

Create entities

In Maltego, entities represent different types of data such as people, organisations, websites, and social media accounts. Create entities for the targets or subjects you want to investigate, including their social media profiles if applicable.

Run Transforms and visualise the results

Once entities are created, run the appropriate transforms to gather information from social media platforms. These transforms may retrieve data such as profile information, posts, connections, and interactions.

Maltego’s strength lies in its ability to visualise and analyse data in a graphical format. As information is gathered from social media platforms, it will be displayed graphically, allowing you to see connections and relationships between different entities.

5) Social Bearing for Twitter analysis

Social Bearing Dashboard For Twitter OSINT. Source: Social Bearing's Official Website

If you are looking for a suite to analyse your target’s Twitter profile, look no further than Social Bearing. This tool leverages the Twitter API for OSINT purposes, and it can provide a wealth of information on our target, including:

Social Bearing is a powerful tool for analysing Twitter accounts. Its dashboard provides a graphical user interface (a GUI); however, you may find the CSV file more useful. This can be changed to an Excel or LibreOffice spreadsheet, and formulas can be applied to help you make sense of the data.

Twitonomy, another useful Twitter/X OSINT tool

Another useful “All in one” Twitter OSINT tool that I use on a weekly basis would be Twitonomy. This tool offers perhaps the most complete Twitter analytics service, and a search of a single user can reveal:

  • How many tweets a user has posted;
  • How many people the user is following, and how many followers the target has;
  • The date that the user joined Twitter;
  • The average number of tweets that the user posts each day;
  • The number of Twitter users that the target has mentioned in their tweets;
  • How many posts the user replies to that he/she/they are tagged in;
  • Finally, how many retweets the user has.

Twitonomy has many more useful features, but for the time being, I have outlined the fundamentals.

6) Finding someone's GPS location using Twitter

If you think the headline is alarming, that’s because it is. Privacy-conscious Twitter users will often block access to location sharing, and I encourage you to do the same. You can learn how to do this by clicking here.

Prior to 2014, tracking someone’s GPS location on Twitter was relatively easy. Twitter realised the dangers of this and it has become considerably harder – although not impossible – to track someone using the platform. There are some useful tools that can still assist with this pursuit, which I have listed below.

Note that these tools are often dependent on the target’s privacy settings.

Omnisci

Omnisci is a Twitter OSINT tool that was created through a collaboration between MIT and Harvard. It allows you to search by topic, username, and location. Most importantly, you can combine some of these variables to create extremely detailed and precise searches.

For instance, you could match a target’s username and location and analyse the corresponding results. If the user often tweets from their house, therein lies an opportunity to find the coordinates of their home address.

One million tweet map

One Million Tweet Map is a tool that displays the most recent one million tweets on an international map. Whilst I would not recommend relying on this tool in isolation, when combined with other Twitter OSINT tools, it can provide some useful information.

It is recommended to scroll over an area of interest, and use it to identify tweets from your target, or someone in the network of your target, to ascertain their location.
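For readers checking their own account against the exposure described in this section, here is an added example (not part of the original guide or of any tool named above) that scans your own downloaded Twitter archive for geotagged tweets and flags locations that recur, so you know which tweets to delete. The archive layout (a data/tweets.js file holding a JavaScript assignment that wraps a JSON array), the function names, and the sample data are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the assumed shape of an archive's data/tweets.js:
# a JavaScript assignment wrapping a JSON array of {"tweet": {...}} items.
SAMPLE_ARCHIVE = """window.YTD.tweets.part0 = [
 {"tweet": {"id_str": "1001", "full_text": "Morning coffee",
   "coordinates": {"type": "Point", "coordinates": ["-0.12762", "51.50741"]}}},
 {"tweet": {"id_str": "1002", "full_text": "Back home",
   "coordinates": {"type": "Point", "coordinates": ["-0.12758", "51.50738"]}}},
 {"tweet": {"id_str": "1003", "full_text": "Sunday at home",
   "coordinates": {"type": "Point", "coordinates": ["-0.12771", "51.50744"]}}},
 {"tweet": {"id_str": "1004", "full_text": "On holiday",
   "geo": {"type": "Point", "coordinates": ["48.85837", "2.29448"]}}},
 {"tweet": {"id_str": "1005", "full_text": "No location on this one"}}
]"""


def load_tweets(archive_text):
    """Strip the JavaScript assignment prefix and parse the JSON array."""
    items = json.loads(archive_text[archive_text.index("["):])
    return [item.get("tweet", item) for item in items]


def tweet_location(tweet):
    """Return (lat, lon) if the tweet carries a point location, else None."""
    # "coordinates" is GeoJSON order: (longitude, latitude).
    point = tweet.get("coordinates")
    if isinstance(point, dict) and point.get("coordinates"):
        lon, lat = point["coordinates"]
        return float(lat), float(lon)
    # The older "geo" field uses (latitude, longitude) order.
    point = tweet.get("geo")
    if isinstance(point, dict) and point.get("coordinates"):
        lat, lon = point["coordinates"]
        return float(lat), float(lon)
    return None


def geotagged(tweets):
    """List (tweet_id, (lat, lon)) for every tweet with a point location."""
    found = []
    for tweet in tweets:
        location = tweet_location(tweet)
        if location is not None:
            found.append((tweet.get("id_str", "?"), location))
    return found


def recurring_cells(tagged, precision=3, min_count=2):
    """Group tweets into grid cells (3 decimals is roughly 100 m) and return
    the cells holding at least min_count tweets, busiest first. A cell that
    recurs is the kind of pattern that gives away a home or workplace."""
    cells = defaultdict(list)
    for tweet_id, (lat, lon) in tagged:
        cells[(round(lat, precision), round(lon, precision))].append(tweet_id)
    hot = [(cell, ids) for cell, ids in cells.items() if len(ids) >= min_count]
    return sorted(hot, key=lambda entry: len(entry[1]), reverse=True)


if __name__ == "__main__":
    tagged = geotagged(load_tweets(SAMPLE_ARCHIVE))
    print(f"{len(tagged)} geotagged tweets found")
    for cell, ids in recurring_cells(tagged):
        print(f"recurring location {cell}: review or delete tweets {ids}")
```

To run it on a real export, read the archive's tweets file into a string and pass it to load_tweets in place of SAMPLE_ARCHIVE.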

7) Pimeyes: a tool to discover hidden social media accounts

Looking for a solution to stop catfishing? A reverse image search could be your best friend.

Pimeyes is an incredibly powerful tool that can be used to identify websites and accounts containing images of our target. In my view, it is more powerful than a standard Google Image Search.

To use Pimeyes, all you need to do is add an image of your target. The software will begin scanning the internet for images that contain ‘lookalikes’ of the target, in the hope of finding more images of the target.

This can be incredibly useful if your target has hidden profiles, however keep in mind that the tool does not scrape data from every social networking site, or even every website. Furthermore, it inevitably produces a significant number of false-positives.

I should also note that this tool will generate a significant number of NSFW images (yet legal images, I should add. I would not recommend this tool otherwise, obviously) and viewer discretion is strongly advised.

Pimeyes alternatives

There are a number of alternative tools to Pimeyes that perform the same function. I recommend using multiple tools, as if Pimeyes cannot find any results, an alternative tool might attain better results. Alternative tools include Tineye, Social Catfish, Pixsy, and the image lookup features of search engines such as Google and Yandex.

8) Uncover a target's email address using LinkedIn

Finding a target’s LinkedIn profile can be literal gold dust, as you can easily extract sensitive contact information such as their email address from their profile. Using this email address, you can then look up other accounts owned by the target, such as Facebook and Instagram accounts. And this is yet another reason why I encourage all my clients to use multiple email addresses, as I argued in this article that you can read by clicking here.

Astonishingly, in my view, LinkedIn allows users to download a list of all their connections as a CSV file. Complete the following steps to find personally identifiable information (PII) of your target using LinkedIn.

Navigate to 'Data Privacy' on your LinkedIn dashboard

To download a list of all your connections, go to your LinkedIn Dashboard and under your profile, click on ‘settings and privacy’ from the dropdown.

Upon doing so, you will see a menu on the left side of your screen. Click on ‘get a copy of your data’.

After you reach this page, proceed to the next step.

Export your data

Now that you have navigated to the correct place, you can see a list of downloadable items from the LinkedIn Dashboard. Click on everything that you would like to download.

In particular the ‘connections’ item is of the most use. After making your selection, please click on ‘request archive’.

You will be emailed a list of useful information about all your connections, assuming that you are connected with your target on LinkedIn.

9) Tools for analysing Reddit (Kali Linux)

I find Reddit to be a particularly useful tool for OSINT. People don’t normally use their real names (and are not encouraged to use their real names) on this platform and instead go by an alias.

When one is given anonymity and privacy, they become more cavalier regarding their online activity. They may post about things they would never discuss on any other social media site, respond to comments, and subscribe to feeds that cover their interests and hobbies that you otherwise may not have known about.

This allows you to build up a detailed picture of your target, analysing more information than you otherwise would have had if you relied solely on Instagram, Facebook, and Twitter.

I have provided a high-level overview of a few Reddit tools I have previously used, and in the future I will create a complete Reddit OSINT guide. For now, I will introduce how you can download and analyse useful Reddit information on any Linux-based distribution.

Downloading Reddit OSINT tools

OSINT Maestro Michael Bazzell recommends the following tools for Reddit analysis, which can be downloaded and installed on any Debian-based Linux distribution. The following series of terminal commands will allow you to install each of these tools, and I should note that it was taken from his OSINT book, which you can purchase on Amazon.

    # Install Python 3.9, then the two pip-installable tools
    sudo apt install python3.9
    sudo -H python3.9 -m pip install bdfr -I
    sudo -H pip install redditsfinder -I
    # Clone Downloader For Reddit and install its dependencies
    mkdir -p ~/Downloads/Programs
    cd ~/Downloads/Programs
    git clone https://github.com/MalloyDelacroix/DownloaderForReddit.git
    cd DownloaderForReddit
    sudo -H pip install -r requirements.txt -I

Bulk Downloader For Reddit

Bulk Downloader for Reddit is a Python-based OSINT tool focused on Reddit. This Python Program (v 3.9) allows you to retrieve up to 1,000 posts within a subreddit of your choice, or you can retrieve all the posts by a specific user within a specific subreddit. You can then download this data, and analyse it.

Reddit Finder OSINT tool

The Reddit Finder OSINT tool allows you to retrieve current, and deleted, Reddit post metadata attached to a given user’s account. As you can imagine, this can be incredibly useful.

Downloader For Reddit

Downloader for Reddit is a graphical program (GUI) that allows you to download databases of users and subreddits.

Wrapping it all up

Social Media has become the perfect outlet for a society focused on Instagram Likes and Tinder Swipes and any OSINT intelligence operative can weaponise our target’s vanity for our investigations.

Leveraging Open-Source Intelligence (OSINT) techniques for gathering information from social media platforms can be a valuable asset for various purposes, including investigations, research, threat assessment, and decision-making. Throughout this guide, we have explored a range of methods and tools for extracting insights from social media data, including manual techniques, automated scripts, and specialised software such as Maltego.

By combining passive and active OSINT approaches, practitioners can uncover a wealth of information from publicly available sources, including user profiles, posts, connections, and interactions. From monitoring trends and sentiments to identifying potential risks and threats, social media OSINT provides a powerful means of understanding the digital landscape and its implications for individuals, organisations, and society at large.

Are you worried about being stalked online, or being the victim of an OSINT campaign? I recommend that you read my guides on counter-surveillance, anonymity, and extreme privacy by clicking here. I add new content every week, and my goal is to provide the internet’s go-to place for all things cybersecurity, counter-surveillance, ethical hacking, and OSINT.

Remember that OSINT is a highly invasive practice, and it should be practiced ethically and legally, as outlined in my legal disclaimer.

UK Cybersecurity Company

About Aitken Security

Aitken Security is a UK Cybersecurity Company specialising in offensive and defensive security.