While Google represents a popular tool for OSINT investigators, using the search engine to find exactly what you need is not always a walk in the park.
Some queries can return millions of pages. So, the number of results can feel overwhelming.
To make matters worse, Google will manipulate your results based on several factors such as:
That works great when you search for things like where to go for dinner or check a weather forecast. But that manipulation creates headaches when you need information on a specific POI, business, or other targets.
So how do we get around this problem?
Thankfully, Google has hundreds of advanced search operators to help us find information online. These special commands, called Google dorks, allow analysts to modify searches, narrowing down results to find exactly what you need.
And while primarily used to locate security flaws within websites, Google dorks also represent a useful tool for analysts to enhance intelligence gathering during investigations.
To help get you started, we’ve highlighted seven powerful Google dorks OSINT researchers should know.
To be clear, this in no way represents an exhaustive list of the search engine's advanced operators. But it should serve as a helpful resource for getting started.
Let’s dive in!
In the search bar, enter “SUBJECT’S NAME” filetype:pdf OR filetype:xlsx OR filetype:docx OR filetype:PPT. This will return any PDF, Excel, Word, or PowerPoint files containing your subject’s name. This query can allow investigators to potentially uncover new contact information from documents hosted online.
In the search bar, enter SUBJECT’S NAME site:SOCIAL NETWORK URL 1 | site:SOCIAL NETWORK URL 2 | site:SOCIAL NETWORK URL 3. In the site: field, enter the URL for any social media platform you wish to investigate. The first few listings will return any accounts connected to the subject on those platforms. By diving deeper into the search results, you may find mentions of specific posts, videos, and comments.
In the search bar, enter "TEXT OF A POST" -site:SOCIAL NETWORK URL. The minus sign instructs Google to ignore anything posted from the original social network. That can help OSINT investigators determine if other sites, such as media outlets or personal blogs, republished a particular post elsewhere.
In the search bar, enter Cache:URL. This will recover the most recently cached version of a webpage. That can represent an invaluable resource in cases where a subject has tried to edit, delete, remove, or conceal information.
In the search bar, enter SUBJECT’S NAME -CHARACTERISTIC 1 -CHARACTERISTIC 2. The minus operator allows users to exclude a word or phrase from any search results. That can be handy when searching for information on a subject with the same name as another celebrity or well-known organization.
Before 2022, LinkedIn allowed users to perform unlimited searches. But today, the company caps the number of queries you can perform on the site. Thankfully, you can use Google to get around this problem. In the search bar, enter SUBJECT’S NAME site:linkedin.com/in/. This will return any LinkedIn pages Google has indexed.
In the search bar, enter KEY PHRASE after:YYYY-MM-DD AND before:YYYY-MM-DD. This search command will return results, such as videos, articles, and comments, published during the specified period.
Google search results containing the phrase “brad marchand” published between October 15, 2021 and October 31, 2021.
Using Google dorks for OSINT analysis is a skill in and of itself. Most open-source research involves combing through a large swath of data. But by combining the right operators, you can significantly reduce the amount of material you have to wade through.
Once again, the list above doesn't represent an exhaustive catalog of every advanced search command. For extra inspiration, check out other resources created by members of the OSINT community like the Google Hacking Database. But hopefully, this guide should serve as a good place for getting started.