Genealogy – Find Heritage Quest (and other resources) At Your Local Library

This is a very simple post that seeks to raise awareness about genealogy resources at your local library and explains in 3 easy steps how to find access to them. Due to the popularity of genealogy, your local public library will almost certainly have some sort of online resource, like a subscription to a genealogy service.

My local library allows patrons to use Heritage Quest for free via the steps that should apply to your local library as well.

Heritage Quest is a genealogy site that normally requires a paid account but is often available at local libraries.

3 Step Process

The process for finding library resources on genealogy is usually the same at different libraries and works as follows:

1) (assuming you have a library card) Go to library website and login.,

In this case we are going to –

2) Look for options and the libraries online resources.

In this case click on the 3 lines symbol to see a drop down menu and then choose “Online Resources”

3) There will be a section on genealogy that will have Heritage Quest and possibly other resources too.

That’s it!

Find Local News From Far Away

(tools for company-specific news, googling from elsewhere in other languages, and searching most common search terms)

When researching a company, local news stories are a great source of obscure information that likely will not be at the top of your search results when you google the company’s name.

Company-Specific News

IBM’s Watson News Explorer is a great source for finding any news affiliated with a company, even smaller companies.

To find these stories, first look up the company’s Annual Statement, which will list its subsidiaries and where they are located. A separate post explains how to find and read a company’s Annual Statement.

“I Search From…”

Use to make your google searches appear to come from other locations including foreign counties, specific cities and search for results in specific languages.

Foreign Language News –

You can also use to find foreign language news about the company. Just search for the company’s name and when you go to the website’s page that is specifically for the company, scroll down and there is a section titled “News in Other Languages”. This is a good time to get the Google Translate browser extension so it can translate the page for you.

While you are using Market Screener, it is also a great tool for getting an initial impression about a company because the website will give you a general summary about the company, list news stories, and list analyst recommendations regarding how well the company is doing.

Search for the most common search terms

Finally, you can get a feel for how the public views the company and if there are any rumors (which might turn out to be well-founded) by looking up the most common searches regarding the company in Google or Twitter. The website will list the most common searches or autofill phrases associated with any term, such as a company name. The website offers this service for different search engines and social media, but anecdotal evidence suggests that it is enough to just search Google and Twitter.

How to Research a U.S. Phone Number

This post (that is intended for educational purposes only) is about ways of investigating U.S. phone numbers by using different sources of information that are reliable but generally invisible to Google searches.

Why Are U.S. Phone Numbers Special?

U.S. phone numbers are unique, compared to other countries, because of the kinds of publicly available information affiliated with their registered owners.

Marketing databases, US public records, and the existence of people trying to profit off of that information have made US numbers uniquely useful from a research perspective (or, depending on your view, a stalker’s perspective).

The process for researching a US number involves using one piece of information to find a second bit of information that leads to a third and then again.

So the researcher looks up the number to find the owner’s name/address, other people that lived with them (roomates, current and former spouse), and their email address. Along the way, the researcher will also pick up a few more bits of information too.

This research will involve finding other phone numbers and their owners, which could be confused with the original phone number’s owner. For sake of clarity, the owner of the original phone will be referred to as “Lex” from here on out.

Where To Begin

The first and easiest step is to search the number in a people-searching websites, such as:

These sites were also addressed in a previous post (Find Email Addresses Linked to U.S. Phone Numbers).

These sites have access to large databases that link a phone number to its owner and their address. So if the number is listed at these sites the results will usually include, for starters, Lex’s name, home address, and possibly email address.

These results will often also include the Lex’s past addresses, the phones and names of others registered at those addresses, and a rough approximation of when all of those people had those phones and addresses. Sometimes these results are a jumble of names, numbers, addresses with only tenuous links. However, if a researcher spends a bit of time looking over this data it can often be possible to determine where and when Lex grew up, his siblings and parents, where he moved, who he lived with, and his current and former romantic partners.

What If There Were No Results?

If these sites gave you no results or conflicting results then there are a few alternative options that will at least find or confirm Lex’s name (which you still don’t know yet because you only have his phone number). These methods originate from episode 160 (click here to see it) of Michael Bazzell’s podcast, The Privacy, Security, and OSINT Show.

A.) You can lookup the phone number in a caller ID database on websites such as and The sites do require that you sign up for a free account. These websites will only give you the name of the person that owns the phone. However, anecdotal experience has shown that these sites ALWAYS had results.

Caller ID databases are a great way to confirm the owner’s name when you have conflicting information. Sometimes the people-searching sites mentioned above will provide conflicting results. This is often because one site identifies the phone’s current owner (Lex) while another site only identifies the previous owner of the same number. The owner identified in a caller ID website is usually the right one.

B.) is another easy alternative but you do have to sign up for free. This is a interesting resource. The popular Truecaller app logs all of its users’ contacts. Once again, anecdotal experience suggests that there is a high likelihood that you will get results with this.

The website lets you search a phone number, like Lex’s, and if you get a result that means that Lex has the app or someone with Lex in their contacts list has the app. What is even more interesting is that when the website gives you the name of the phone’s owner, it is actually giving you the name that Lex’s associate had typed in their contacts list for Lex.

Maybe a coworker lists Lex as “Lex – IT guy,” or maybe Lex has a nickname and his friends call him “Lex Luther,” finally maybe a friend of his wife

C.) has a database of phone books from before 2015.

The Name

Now that you have the person’s name, you can use it to try to find their email. There are several websites that can identify someone’s email address based on the information you have obtained by this point. Specifically, their U.S. -based name, address, phone number. Try using the following:

search function for

Now you will hopefully have an email address which should round out your research on this phone number.

Phone-Email Divide

One issue that can arise when you are researching an individual living in the U.S. is the Phone-Email Divide. If you have a phone number, at least in the U.S., you can use various people-searching websites to find additional information like the name and address. Similarly, an email address can be used to find affiliated social media accounts. But it is difficult to connect a phone number to an email, or vice versa. This post is about how to cross that gap between phones and emails.

The answer is to first use the email address to find a social media account that reveals the owner’s name. Once you have a name you can search it in a people-searching website that will find the phone affiliated with that name. This process also works in reverse.

People-Searching Websites

There are five people-searching websites in particular that can be used for this process. Each website has its own inputs (data you can search on) and outputs (results).

It is important to note that if you do not want your personal information listed on these sites, they each have an “opt out” option available.

True People Search ( is by far the most reliable site for researching a phone number. The site uses name, address, and phone number as search inputs or outputs. The site will sometimes give the person’s email as an output.

That’s Them ( and Search People Free ( are not always consistent with their results but they use name, address, phone, and email as inputs and outputs. These people-searching websites have the obvious potential to solve the whole problem by linking a phone directly with an email, thus negating the need for the rest of this process. Therefore, it makes sense to start with these sites. and will only let you search by name to find the phone, but not let you search in reverse. Public Email Records ( uses email, name, and address as both inputs and outputs.

The Email

There are a few things we can learn about an email aside from social media accounts. The website can tell us if it is a real, functional email or not. The website will guess how long the email has been active.

If It Is a Work Email Address

If the email is a work email address, we can look up the domain to see where the user works. We can also do a “domain lookup” at the website and it will lookup for (usually successfully) email addresses with the same domain. These emails essentially identify the user’s coworkers.

If the domain is in’s pre-existing list of known domains, it will identify the company and provide information from LinkedIn on individual employees. You can also do a domain search at and Normshield to find employees. If you are interested, this subject is addressed in greater detail here.

Identify Social Media Accounts Registered to the Email

We can identify social media and other online accounts registered to a specific email address in a very straightforward process of 6 steps.

CREDIT WHERE IT IS DUE: This process does not require a knowledge of Python but the explanation must address the computer language a bit. The Github user account Megadose hosts an amazing Python script named Holehe and deserves a lot of credit for this creation.

The script will find the different social media networks where the email is registered to an account. However, because many people do not know anything about Python, I’ve come up with a process intended for people that do not know anything about python and do not want to learn about it. It is a rote process requires no knowledge of python, no downloads, and no thinking at all.

Instructions for First Time Using Holehe

Step 1 (the hardest) – Click here and sign up for an account on Github . Sorry, that is more than one step but the process is simple and it gets easy afterward.

Step 2 – Login to Gitpod. You do not need to sign up for Gitpod if you already have a Github account. Go here ( and you will see an option on the left to sign in with your Github account even though you don’t have a Gitpod account. See below:

Once you have logged in your page will probably look like this:

Step 3 – Copy and paste this url into your browser and hit Enter:

Why? – Basically, you are making a url that consists of the gitpod website url, a hashtage, and the url of the github page for the script.

Here is the explanation. We want to run a Python script but to do so we need a development environment. Normally you would download it but in this case, Gitpod provides a development environment online where you can run Python scripts. When you identify a script posted on Github you create a url of the Gitpod website’s url, a Hashtag, and the url for the page hosting the Python script. So with our script hosted at, we create a url like this: + /# +

Gitpod will create a workspace, a virtual computer, specifically for running the script. The script and its affiliated files will be downloaded though you will likely still have to run the file, or its equivalent. If you go to the script’s page on Github there should be instructions for downloading and running the script.

Wait for Gitpod to do some processing and then your computer should look like this:

Step 4 – At the bottom of the screen find where it says “/workspace/holehe $”.

Click to the right of these words and type “python3 install” and then hit enter.

Step 5 – Wait for the install to complete and then right click on the folder on the type left that is named “holehe” (not the one titled “holehe.egg-info”). When you right click on the folder a drop down menu appears, choose “open in terminal”.

A new tab has appeared in the terminal, notice the new tab that reads “gitpod /workspace/holehe/holehe” and the cursor is located next to a similarly named prompt.

Step 6 – Finally, choose your email that you want to research, in our case we will use the fake example email “”

Now the last thing to do is type in the final sequence with your email in place of our fake example. So find the prompt “gitpod /workspace/holehe/holehe $” and next to it you will type the following and hit enter:


Results: Separately, I ran a real email address for an example to show how the results should look. The output is a list of 50 or so social media networks and other websites. If the name of the site/network is purple, there was no account on it, green means there is an account registered with the email address and red means the script could not check the site. Hopefully you got something like this:

Now that you’ve done this once, the process will be much easier in the future.

Next time

Login to Gitpod and there will be a workspace named for the script. It should look like the image below. Just click “Open” on the workspace.

From here, you repeat steps 4, 5, and 6. You install, open a new terminal tab, and run the command.

n the future, login to ur accountclick on workspacesfind the workspace for that script (the only one), and click on start (maybe its a dif word) then, repeat the last 3 steps from the initial guide (install, open the specified folder, type in the command)

UPDATE: Epieos has created a new tool (click here) that runs the holehe script for you.

What Next? Use Breach Data Websites

Breach data websites will let you search if an email address (or other personal information) was listed in a specific data breach. For our purposes here, many data breaches are not useful. However, for example, there was a Linkedin data breach in the past and therefore if you search for an email address and find it was listed in that databreach, that means the email was registered to an unidentified Linkedin account. Now you know to look for an account in Linkedin for that email.

search function in haveibeenpwned listing some known data breaches that it searches

You can use these websites that may find additional accounts that were not discovered by Holehe. There is a lot of overlap between these sites so I would only search one or two.

How to Find Specific Accounts

Now that you hopefully have a list of social media sites where the email is/was registered, you can use a few tricks to find the specific accounts.

Please note, I did not create any of these methods. I am merely listing them together to make it easier to use them all. I will identify specifically who deserves the proper credit and I encourage you to follow them online.

Find Linkedin Account

Side Note: Remember that a LinkedIn user can see who looked at their account.

If the email address is registered to a Linkedin account we can find the specific address and avoid having to search around for it. One of the default settings of Linkedin is to allow others to find you based on your email. Linkedin does this to encourage people to use its paid services. But it is possible to take advantage of this opening without needing to pay.

Many sites inaccurately report that a Linkedin account can be identified using the url “[example email address here]”. This no longer works. The process below that currently works might similarly stop if LinkedIn decides to block it.

A new, working method was discovered by Steve Adams of, click here to see his article (you are highly encouraged to follow his website). Below is a shortened version of what he wrote but is largely verbatim.

  1. Create a Microsoft account at
  2. Sign in to the web-based version of Outlook with the url – – and using your Microsoft account.
  3. Within Outlook, go to your contacts section at –
  4. Create a new contact by selecting “Add a contact” and add the email address to its details. [sidenote from search-ish: In the contact details type a random unrelated letter, like “x”, as the name. This avoids confusion later, because if the site can’t find the Linkedin account it will show a list of guesses based on the name.]
  5. Click on the profile photo or letters, next to your new contact and within the new sub-window select “LinkedIn”.
  6. Click “Continue to LinkedIn” on the pop-up and then sign in to your LinkedIn account, then finally click “Accept”. [end of info from Steve Adams]

Find More Info with LinkedIn Account URL

Once you have identified the LinkedIn account , you can copy and paste the account page’s url into the search function at As seen below, its search function use a Linkedin url, among various other criteria.

This search on Rocketreach can potentially find phone numbers, email addresses, and social media accounts that are not publicly connected to the Linkedin account holder.

UPDATE: Epieos has created a new tool (click here) that will supposedly find if an email is linked to a LinkedIn account. The method and reliability is not currently known.

Find Their Facebook Account

CREDIT WHERE IT IS DUE: This process was explained by Technisette on the webcast from December 19th 2019, titled “20191223 The OSINT Curious Special Facebook Webcast”, available on Youtube (click here) where Kirby (website, Twitter: @kirbstr) and Technisette (website, Twitter: @technisette) explain updated methods for investigating on Facebook. You are highly encouraged to follow Kirby, Technisette, and OsintCurious.

The first step is to log into facebook and click the 3 horizontal lines that mean the “more” option, then click “pages” and then ” + create a new page”. After you’ve created a page take these steps

  1. click on “pages” once again and then click on your page, which should appear.
  2. click on the page you created
  3. click “settings”
  4. “page roles” and you will get to this page below:

5. “assign a new page role”

6. type in the email address below that

7. if a facebook account appears in the drop down menu, click on it. (if no facebook account appears, sorry but that means you have hit a dead end with this process, it is time to try something else)

8. click “network” tab

9. in the search bar that is slightly down and to the left of the “network” tab, typed in the word “account” or “ANYONE_EXCEPT_VERIFIED_ACCOUNT”

10. That should filter the results to the ones with “ANYONE_EXCEPT_VERIFIED_ACCOUNT”. click on the bottom one in the list and a “preview” tab should appear.

11. look under the “preview” tab and the account’s name and ID number should be in there (if that information is not in the preview tab, try clicking the other results in the list, it should be in one of those results).

12. Verify that you have found the account info by pasting the ID number at the end of the url “” and this should bring up the account that you saw in the drop down menu from step 7.

If the facebook account is completely private, there is a nice guide at for researching private accounts, click here.

Google Account

CREDIT WHERE IT IS DUE: I learned of the following by listening to the podcast/webcast #45 that you can access here. I give more specific credit for individual developments where it is due in the paragraphs below.

EPIOS ( created a google account finder (click here). If someone has a google account this will find it. The results generally include their real name, a general location down to the city level, and any reviews they posted on Google Maps. This last one is a bit weird but I promise you that it is surprisingly common that people leave random reviews of places and businesses that they have used and are often revealing about the person or their location.

If you are researching an email address that is gmail, you can assume they have a google account. Other email addresses also often have associated google accounts.

ADDITIONAL RESOURCES AND CREDIT: You can also use the Python code GHUNT that is located here, on the Github account for MXRCH. In order to understand the role of Google IDs in Osint and how to obtain and use them more manually, see these articles here and here by Sector35 (website, Twitter: @Sector035)

Okay that is it, Good Luck!

Genealogy – Find a Grave

Find A Grave ( is the world’s largest repository of grave site information. The site is free and easy to use.

The site’s records are primarily from individuals uploading information. As a result, there may be different kinds of information available in different records.

Furthermore, any search that you run in will also check if that information is available on Find A Grave, thereby saving you the second step of searching in a second website. See bleow for a screenshot showing how a record from Find A Grave may appear in your search results in

The Find A Grave Website

Nonetheless, the search function within the actual website is pretty thorough and gives a lot of different options for different ways to search for a record. Therefore, you may decide to try using the website itself.

For example, as you see in the search function below, you can even choose to search by burial plot information. That might seem like an obscure bit of information, but many records will identify the specific plot or cemetery section. Based on that information, you can search for relatives by looking for grave sites next to the first one, or for grave sites within the same section of the cemetery, possibly filtered for people with the same last name.

Below you see an example of the kinds of information that might be available in a particular record.

Your record may not always have identified family members, memorials, or photos, but you can generally count on four pieces of information being available:

1 – Name

2 – Date of Birth (and maybe location)

3 – Date of Death (and maybe location)

4 – The cemetery where they were buried

The first 3 pieces of information are very valuable because they provide unique details about a person that can help you find more records about them in different data sources. Maybe before you were searching for James Richard in but there were too many results. With this new information you can return to and filter your results to look for the James Richard that was born on June 19th, 1930.

The Cemetery Itself

The next step is to take the fourth piece of information (the cemetery) and go to the source. You want to go to the source of the information because there is often a bit more information there. You can either look the cemetery up online or consider contacting them to ask if they have additional records about the specific burial you are researching.

In one example, (see below) we see the name of the cemtery and a link to another page within Find A Grave that gives additional details about the cemetery.

The individual was buried at the Long Island National Cemetery and by clicking on the link for the cemetery, we are brought to this page below. In this case, the descriptor explains that the cemetery is for veterans and is run by the UD Department of Veterans Affairs. Notice that the description page provides a website for the cemetery, where we can find more information.

In this case, clicking on the cemetery’s website brings us to the VA’s National Cemeteries Administration, which has a “grave locator” function. See below:

In this case, looking up the record for the same burial site yielded new information, specifically the burial plot location, a link to a map of the graveyard revealing the location of the burial plot, and the rank and branch of the military where the individual served.

That’s all, good luck!

Genealogy Basics –

This post will identify free genealogy resources and how a beginner can use them. Over time, this post will grow to include additional resources with periodic updates. For now (November 11th, 2021) only one resource,, will be discussed. Future updates will include, but not be limited to:

Find a Grave – (

Civil War Soldiers and Sailors Database – ( – (a database of obituaries)

Heritage Quest – (a paid resource accessible via local libraries, including the Montgomery County Public Library)

FamilyTreeNow – (available at This is a free genealogy site that is akin to people-searching websites but focused on genealogy. There is an interesting Washington Post article about this site.

SIDE NOTE: If you are primarily interested in researching “the living,” Family Tree Now is a good resource for finding if a specific person (who is still alive) has deceased relatives. From there, you will be able to make use of genealogy resources.

Family Search ( is a free resource, though it requires that you sign up for a free account, and a good starting point for genealogy research.

There are three key features worth noting, the basic search function, a wiki catalogue of regional databases, and a database of family trees that were built by individual account-holders.

To reach the basic search function, click on “Search” from the menu bar and then click on “Records” from the drop down menu.

Later on, you can return to this drop down menu and click on “Genealogies” or “Research Wiki.” Clicking on “Genealogies” will let you search family trees that were uploaded by users. “Research Wiki” is a wiki of different local genealogy-related databases that are specific to different locations.

You’ll want to start with the search records functions. The following search window will appear. If you submit a search here, the website will also search for results that are similar but not exactly what you typed (such as names there are spelt similarly to what you typed). If this give you too many results, then before getting started, it might be worth clicking on “More Options,” so you can choose to search for an exact spelling of a name.

The following window will appear and you will notice that there are options for search for exactly what you typed.

Data Sources

You can also browse the data sources available on Family Search by going to (

This will help you know what to expect (for example, the Alabama State Marriage Licenses from 1816-1957 or Casualties from the Vietnam War). If you expect your ancestor is listed in one of these databases, you can click on it to search only records within that database. This is especially useful when your ancestor has a common name.

Two of the most important data sources to make note of in Family Search are the Social Security Death Index and U.S. National Censuses from 1790 to 1940 (Census data is only available if it is more than 70 years old), more on those data sources in upcoming posts.

That’s all for now.

What You Can Learn From a Phone Number

This posts addresses some of the tools that have become available for obtaining information about a given phone number. The prevalence of app-based caller ID has made it possible to identify the owners of unlisted numbers and even identify how they are casually referred to by associates.

WA Tools provide a resource that lets you know if a phone number has downloaded WhatsApp, whether they are active on WhatsApp at that moment, and most importantly it can even (usually) download their profile photo.

Though this is only indirectly related to the phone number, there is also a tool that lets you search (based on name / username) for and view skype profiles.

HLR (home location registry) lookups can potentially reveal general location data about the phone user.

Finally, this post summarizes previously discussed sites and information for researching phones with data breaches, Python, and people-search tools.

App-based Caller ID

True Caller – ( & ( are two widely used apps with over a billion numbers combined. The apps access the contacts lists of their users and will identify a given number based on how people identify it in their contacts list, (i.e. “john – computer guy”). This is especially useful for phone numbers that are not listed in more established sources.


WA Tools ( can be used to search on any phone number and then find if it has WhatsApp, if the user is on WhatsApp at that moment, and download the user’s WhatsApp profile photo


The tool Skypli ( (recently discovered thanks to @OsintTechniques) lets you search for a Skype user by name and, if you find them, open their profile which can reveal name, location, profile photo, username and/or possibly other information.

HLR Lookups will want you to sign up for a free account but it is worth it as it shows you the following information that, in theory, includes whether the number is actively roaming. However, Roaming means you are out of your network provider’s territory and is often a sign that the phone, and its owner, are traveling abroad. will identify a general region where the phone number was issued (see bottom portion of the table below), even if the area code is from a different location. This gives a better feel for the current actual home base of the phone number’s owner. In other words, they may have gotten the phone number and then moved to a different part of the country.

Intelx Phone Search Tool – ( has two great tool-aggregators for searching phone numbers. The first is for international phone numbers and the second is for US Phone numbers.

US-Focused Phone Search Tools

Previous posts addressed that there are several US-focused phone number lookup tools. For convenience here is a list:,, and – People search tools (all three seem to have access to the same data) – and – Similar to the people search tools but these two seem to have access to different data – Caller ID-based information

Data Breach Websites

There are several data breach websites that let you lookup phone numbers, but anecdotal evidence suggests it is not as likely to find results compared to email addresses.

Python Phone Lookup for Instagram, Snapchat

A previous post explained how to use a Python script named Ignorant to find if a phone number had been used to register accounts on Instagram or Snapchat.

If you believe you have then found the correct Instagram account, another post described how to use a Python code named Toutatis to see a partially obfuscated phone number used for the account. You can use that to confirm if you found the correct account.

Ghost Codes – There is a website called Ghost Codes, associated with an app with the same name. The website is a databases of Snapchat-users, limited to those who also have the Ghost Codes app, and for each user in the database there is info on their snapchat profile and other social media accounts.. The database only includes the users who have Ghost Codes and Snapchat.

How to Search Pastebin Websites for Data Breaches

What are Pastes?

According to, “Often when online services are compromised, the first signs of it appear on “paste” sites like Pastebin. Attackers frequently publish either samples or complete dumps of compromised data on these services. ” (click here for more information)

What is Pastebin Specifically?

According to a post on,:

  • Pastebin is a website that allows users to share plain text through public posts called ‘pastes'”
  • “There are many similar web applications, known as ‘paste sites'”
  • “Paste sites are commonly used for sharing code.”
  • “Pastebin specifically is user-friendly, supports large text files, doesn’t require user registration, and allows for anonymous posting if the user has a VPN. “
  • “This allows black hat hackers to easily and anonymously breach data in an accessible place.”
  • Finally, per the Pastebin FAQ, search engines will only index the public pastes

How to Search Pastes?

The following are two good tools for searching pastes. Keep in mind that data breaches are often taken down after discovery on pastebin sites so you have a limited window of opportunity to find the raw data. Eventually, the info will filter down to the data breach sites mentioned in a previous post.

Pastebin Search Engine – ( as its name says, this is a search engine for pastebin websites.

PSBDMP – ( this site vaguely describes its data as follows, “Psbdmp collects data automatically from different sources and is not responsible for the data’s content,”

(see new post for updated pastebin in tools)

What To Look For When Researching a Twitter Account

Here are some key features to look for while:

Views on primary topics – First, look at the main topics they discuss and then click on one of the bubbles to find all the tweets on the topic. Read through a few tweets to get the account user’s view on the matter. So for example if one of the main topics is “President”, you can read through the tweets to see if they are pro or against the president

Specific details of their life – look for topics in the small bubbles to find the errant tweets that reveal details about their life, so maybe the bubble that says “wife” will link to a tweet saying “…my ex wife….”

Find closest associates – look at main usernames that are in primary topics and (unless they are a celebrity), look at 5 of them in a row to find common features that can reflect the original account user.

Find relatives – use All My Tweets to list all followers and do a quick word search for the original account owner’s last name

The account’s first follower – this is often someone close to the user. Use All My Tweets to get a full list of the account’s followers. Scroll all the way to the bottom and you will see the first follower there.

Assess relationships – use Tweet Beaver to display “conversations” between the primary twitter account and its close associates. Do they interact or just retweet?

Location – If you cannot find the account owner’s location directly, consider looking for locations of close friends and family in their bios or Geo Social Footprint. Try to identify time zone based on Sleeping Time.

Are staff members tweeting – for famous / powerful individuals, the tweets sometimes come from the actual person or staff members. Often, tweets from the person come from a phone and at any hour while tweets from staff come from a computer during the day. Use Twitonomy to identify the platform used for individual or all tweets. If the tweet came from a phone (it will say “Twitter for Android” or “…Iphone” etc.) or a computer (“Twitter Web App”).

List of Good Tools to Research a Twitter Account

Truth Nest

TurthNest ( look under “Activity” and there’s an option for “Mentioned Users” that shows you which users the targeted account mentioned the most times. You can click on “view latest” under each account to look at the specific tweets of the targeted account mentioning this user. You can also click on the account names to open their Twitter accounts and see their bio pages. This doesn’t sound useful but if you click on an account name in most tools it will merely search for the account in the tools itself. It is useful to right-click on 5 of these accounts in a row and choose to “open in new tab” so you can look at them all at once and find common features.

Tweet Topic Explorer

Tweet Topic Explorer ( identifies the most common words tweeted from the account (excluding useless words like “the”) and allows you to click on any of them to immediately see a list of the tweets with that word. Scan the map for words that might reflect important things about the account user like political views or profession.

See this post here for how to find an account’s closest friends.

Or, see this post, for how to manipulate data and view original posts, most important topics in content, or rank other accounts mentioned in tweets.

Tweet Beaver

Tweet Beaver ( has a variety of tools that are especially useful for assessing a relationship between two accounts (common followers, what have they tweeted at each other, etc.)

Geo Social Footprint

  • (lately I am having difficulty with this tool so I am listing two alternatives below)

Geo Social Footprint ( should show a twitter account’s geotagged tweets on a map and link to the tweets themselves. If you get an error message when you run a twitter account, like “map cannot display”, that often just means that there are no geotagged tweets. Based on the twitter api limitations, it is reasonable to guess that the tool looks at the last 200 tweets.

Alternate Tweet Mappers: and

For geo context, you can find what people nearby are tweeting about by using ( or (

Profile Changes Over Time?

Type out this url in your browser with the twitter account of interest at the end (in this example we used “search_ish”)

All My Tweets ( is a great tool to find an account’s first follower. Just select the account to search, click in “Followers” and it will give you a list of followers in chronological order, so scroll to the bottom. A number of investigative reporting guides suggest that the first follower is often a person that has a close relationship with the account holder.

This tool will also list all of an accounts tweets in a list that can be copied and pasted into a CSV file.

Other useful tools include:

AccountAnalysis ( this tool categorizes an account’s content to assess relationships and interests. It is similar to Tweet Topic Explorer in that in that it will analyze content of tweets and click on one thing (like a username) and the tool will identify the tweets that reference the account.

Below you see that for the analyzed account, the tool identifies the accounts that it replied to, retweeted, or quoted the most. This is a great way to quickly identify accounts that reflect your subject’s interests or associates. Tweet Topic Explorer takes more of a broad brush approach. But in this tool we can choose to focus on accounts that the subject account replied to rather than retweeted.

The tool lists Hashtags and URLs, which are a great way to figure out the account’s interests.

If you do not understand anything on the page, there is a very useful help section that details all of the analysis fields.

The only drawback of this tool is that you need to specifically request at the top if you want to analyze more than the last 200 tweets., Likewise at the bottom where it lists the tweets that reference the topic you clicked on, it will default to showing you 12 tweets and you have to click for it to load more. This presumably allows the tool to run faster and crash less.

Foller Me

Foller Me ( gives similar info on an account (and is easier to read) such as when they joined but also gives a larger list of the people that researched account interacts with.


Twitonomy ( performs analysis on the account as a whole, but you have to remember to search for an account and then actually click on the account name somewhere in the results. It gives information such as which accounts it tweets about or replies to most, how many times the account tends to tweet per day and from what kind of device, and how often they tend to tweet on given hours in the day or days in the week.

For example, at the very bottom of the results we here we see that the user of the @searchish_site account uses an Android phone and the search-ish wordpress account to Tweet.

Keep in mind that this tool is a little tricky at first. You have to search an account, and then in the initial results click on the account name again or click on Analyze a Twitter profile in order to get the full results.

Sleeping Time

For redundancy, Sleeping Time ( also gives the hours of use for an account. But this tool gets right to the point and makes an educated guess about the hours of sleep so you don’t have to look into the data yourself and guess if an average of 3 hours at 4am means the person usually sleeps at that time or not.

What to look for with these tools?

Here are some key features to look for:

Views on primary topics – First, look at the main topics they discuss and then click on one of the bubbles to find all the tweets on the topic. Read through a few tweets to get the account user’s view on the matter. So for example if one of the main topics is “President”, you can read through the tweets to see if they are pro or against the president

Specific details of their life – look for topics in the small bubbles to find the errant tweets that reveal details about their life, so maybe the bubble that says “wife” will link to a tweet saying “…my ex wife….”

Find closest associates – look at main usernames that are in primary topics and (unless they are a celebrity), look at 5 of them in a row to find common features that can reflect the original account user.

Find relatives – use All My Tweets to list all followers and do a quick word search for the original account owner’s last name

The account’s first follower – this is often someone close to the user. Use All My Tweets to get a full list of the account’s followers. Scroll all the way to the bottom and you will see the first follower there.

Assess relationships – use Tweet Beaver to display “conversations” between the primary twitter account and its close associates. Do they interact or just retweet?

Location – If you cannot find the account owner’s location directly, consider looking for locations of close friends and family in their bios or Geo Social Footprint. Try to identify time zone based on Sleeping Time.

Are staff members tweeting – for famous / powerful individuals, the tweets sometimes come from the actual person or staff members. Often, tweets from the person come from a phone and at any hour while tweets from staff come from a computer during the day. Use Twitonomy to identify the platform used for individual or all tweets. If the tweet came from a phone (it will say “Twitter for Android” or “…Iphone” etc.) or a computer (“Twitter Web App”).


Python for OSINT: Find Google Accounts with GHunt

This post will walk through how to use the Python script GHunt via, which lets you search an email address to find the associated Google Account and pulls relevant information from it. Google account

GHunt is located at , and was developed by mxrch on Github.

Running GHunt

1 – Go to:

2 – type the following command and then hit enter:

docker pull mxrch/ghunt

3 – copy and paste in this next command and then hit enter:

docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt
docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt email
docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt doc

4 – The file will ask you one at a time to input your google cookies, you only have to do this once.

You get the following prompt to find your google cookie “SID”

Find Google Cookies (using Firefox or Chrome)

a.) Log in to

b.) After that, open the Dev Tools window and navigate to the Storage tab (Shift + F9 on Firefox)
If you don’t know how to open it, just right-click anywhere and click “Inspect Element”.

c.) For Google Chrome (sorry, not sure about Firefox) you click on application

d.) Then on the left side click the triangle next to Cookies so it is directed down. Then click on

e.) Now your cookies appear in the menu to the right.

f.) For each cookie that you need, the script will identify its by the cookie name, which you can find in the Name column.

g.) So the first cookie that was asked for was SID:

So we go to the menu and under Name we find SID

h.) Then we copy the Value and paste it in where the file asked in gitpod

j.) You will be prompted to find and input the cookies named SID, SSID, APISID, SAPISID, and HSID.

Now lets return to step 5 in the process of running GHunt.

5 – Now in order to search for the Google Account of an email address, type in the following command (but with the email address where it says “<email_address>” (also remove the carrots)) and hit enter:

docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt
docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt email
docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt doc

SIDENOTE: GHunt can also research a Google Doc. To do so, get the document link and run the following command:

docker run -v ghunt-resources:/usr/src/app/resources -ti mxrch/ghunt doc

And here is the kind of results you may receive (name, location, photos, etc.):

When I click on the Google Maps link (gitpod requires you to hold down Ctrl while you click on the link), I get the account’s profile photo and a review on Google Maps at a specific location.

Don’t forget to hit Save within the Gitpod workspace so that you do not need to input your cookies in the future!