OSINT Tool Tuesday - LinkedIn, AR Search, Email and Breach Data
4 min read

OSINT Tool Tuesday - LinkedIn, AR Search, Email and Breach Data

OSINT Tool Tuesday - LinkedIn, AR Search, Email and Breach Data

Another week, another set of OSINT tools. This week we'll be looking at tools for OSINT investigations using LinkedIn, augmented reality, and breach data. The goal is to expand your mindset on what's possible using tools, increase your efficiency, and amplify your outcomes. Let's get started.


LinkedIn is one of the greatest resources of open source information. Why? LinkedIn gives you so many data points to pivot from. LinkedIn gives you names, locations, employers, schools, coworkers, and sometimes even other social media handles just to name a few. One great OSINT application for LinkedIn is business intelligence. This is where LinkedIn2Username comes in handy within my workflow. Here's how I use it.

LinkedIn2Username will take all of the names of people who work for a company and generate a list of possible usernames for those individuals that can be used to pivot across multiple social media profiles. The question is, which username is the right username? When looking at this from a business lens, this is a question that can be answered with a reasonable amount of certainty.

Using Facebook at as an example, you'll find that <name>@fb.com is the email structure at a ~74% confidence level. Now, pivoting to LinkedIn2Username, you can quickly pull the list of all Facebook employees and generate a list of potential email addresses for those employees. You'll get something like [mark@fb.com, sally@fb.com, jim@fb.com].

I'll likely do a Workflow Wednesday on my process for business OSINT in the near future. Make sure to subscribe to not miss out!

Using a pretty standard workflow, you'll be able to verify if these emails you've generated are correct or not and begin to build out a valuable list of email addresses. Why would you use this? From a sales and marketing perspective, it can be extremely valuable. From a red team perspective, it can be the basis of mapping out a phishing campaign. From a blue team perspective, you can quickly learn your "OSINT vulnerability" and put steps in place to obfuscate email addresses for new employees, for example.  

OSINT Tool: Generate username lists for companies on LinkedIn - initstring/linkedin2username


While Linkedin2Username has a pretty straightforward application, SearchCam is a bit more niche. I don't see this being part of your regular workflow; however, it highlights the future of augmented reality in the OSINT industry. SearchCam is "Ctrl+F" for the real world, meaning it uses your camera to highlight text on a physical page and gives you the ability to search within it.

One example I can think of is when you have a PDF document that isn't searchable with Ctrl+F. Sure, you can run each page through OCR and hope that you get an accurate read then search through it later; however, if you're going to print this document out already you can use SearchCam instead to skim through the content looking for specific material.

It's an interesting way to expand your mind and look forward to the world of OSINT in the future.

‎SearchCam: CTRL+F Camera App
Description is just simle as this: Ctrl+F for real world. Yes, SearchCam provides you to search text with your camera on real world objects, papers, images.. anything printed.. An OCR app on your hands.Type any text and just hold up your iPhone/iPad.


If breach data is a regular part of your workflow, you have to have h8mail on your radar. This multitool leverages multiple services, paid and free, to streamline your workflow with breach data or email OSINT. Simply plug in your paid or free APIs into this tool and begin hunting.

Why is breach data valuable? Breach data can allow you to see beyond the surface in any investigation. If you suspect your subject has an alias account, a sock puppet, or uses an alternate variation of their name across the web, leveraging breach data can shed light on a digital record that may not be obvious on the surface. A unique password from an email address you've already verified, when reversed, may lead you to another email address you weren't already aware of. Reversing that new email address into your existing workflow can identify new data points that could potentially create a new lead in a dead investigation.

h8mail makes this process easy by allowing you to perpetually loop between new data points found through breach data while also giving you the ability to verify information using tools like Hunter. I caught this tool early on and it's come so far since it's original version. The developer is also very receptive to feedback.

Email OSINT & Password breach hunting tool, locally or using premium services. Supports chasing down related email - khast3x/h8mail

Remember, OSINT != tools. OSINT tools help you plan and collect data, but the end result of that tool is not OSINT. You have to analyze, verify, receive feedback, refine, and produce a final, actionable product of value before it can be intelligence.

Thanks for reading. If you enjoyed this post, make sure to subscribe. A new one just like this will be posted every Tuesday at 6:00 PM UTC-5:00.

Enjoying these posts? Subscribe for more