Researching a U.S. Company’s Government Ties (the basics)

Previous Contracts with the Government

If you need to find out whether a company has ever been contracted by the U.S. government, you can use USAspending.gov and search on the company name to get a quick answer. This is a user-friendly database that will tell you specifically which part of the U.S. government was involved (for example: “Political Section, US Embassy Tunis”). It will also provide the details about the contract and the company personnel involved.

Past involvement in government corruption

A good way to evaluate a company is to see if it has conducted any actions violating laws or regulations. The nonprofit Good Jobs First maintains a Violation Tracker, which is a single source that queries a plethora of U.S. government databases identifying companies that violated local or national regulations.

Political Donations

If the target makes any political donation of at least $200, it is listed in the Federal Election Commission database, but can be best searched by using the Donor Lookup tool at OpenSecrets.org. Depending on whether the donor is a person or a company/organization, this tool will identify the donor’s name, address, occupation, amount of money contributed, and the recipient. Here is an example of the results from searching on a fake last name:

Another great source of information on political donations is the Public Accountability Project, which searches several public deep web databases including property records. This site will also find records for smaller donations in the low two-digit range. The website is free but requires that you register for an account.

Lobbying Efforts

If a person of interest is involved in any federal lobbying efforts, the lobbyist will be registered, and the contracts with their clients can also be viewed at the aforementioned OpenSecrets website using its General Search function. These contracts and further information may also be available in the Foreign Agents Registration Act database, depending on whether the party being represented is a foreign entity.

Revolving Door Between Corporate Lobbyists and Government Employment

OpenSecrets.org tracks when individuals develop conflicts of interest by cycling between jobs in the public and private sectors. OpenSecrets maintains this information in a database called Revolving Door. OpenSecrets describes the purpose of Revolving Door as follows:

While officials in the executive branch, Congress and senior congressional staffers spin in and out of the private and public sectors, so too does privilege, power, access and, of course, money.

Use the search options to discover which public relations firms have signed up former White House employees, which lobbyists have brought their interests with them to the powerful appropriations committees, which interests are employing former members of Congress to lobby on their behalf…and much more.

The advanced search will allow a researcher to search by a wide variety of criteria including but not limited to a person’s name, their current or former government employer, lobbyist firm, administration, and congressional committee. You can research any party involved in a government contract but you can also start by researching any company or government office of interest.

Researching a Company

There are several publicly accessible “deep web” databases with records on U.S. companies. The records are especially interesting because, by nature of being deep web databases, one cannot find these records in these databases by simply googling for them. Furthermore, the records are usually verified, legitimate information, which is of course not always true of things on the Internet.

Company Registration

US companies register with the state government, and this registration is most easily discovered by using Open Corporates. The individual states maintain deep web databases that are full of company registrations. To avoid the trouble of finding all of the databases, you can use Open Corporates. This site allows one to search the name of a person or a company, and then Open Corporates searches the various state registries at once. Open Corporates also searches for other registrations, including trademarks.

Side Note for Foreign Companies: For foreign companies, many countries’ registries will be included in Open Corporates. But for countries that are not included in Open Corporates, you can use the Global Open Data Index to find out if the country has a public registry and if so, it will give you an idea where to look. The Index is dated to 2015, but it can tell you that the registry is located, for example, in the Interior Ministry website under the tax section.

Publicly Traded Companies (in the US or abroad)

Publicly traded companies must file additional records on a regular basis. This is a topic too extensive for this post, but the basic information is that the US Securities and Exchange Commission maintains a public database called EDGAR (the Electronic Data Gathering, Analysis, and Retrieval system).

Side Note for Foreign Companies: There is a website where you can look up the Securities Commission for foreign countries. Go to the International Organization of Securities Commissions and look up their members (there are several different types of members to look up: ordinary, associate, affiliate).

If one is interested in a publicly traded company/corporation, you can start by searching for its name in EDGAR and looking at the most recent document titled “Annual Review.”

This document includes several pages of information largely in financial-speak, but for the amateurs it includes names of senior company officials and recent company developments such as court cases.

Past Illegal Activity

A good way to evaluate a company is to see if it has conducted any actions violating laws or regulations. The Violations Tracker is a single source that queries a plethora of US government databases identifying companies that violated local or national regulations.

Researching a U.S. Nonprofit

Registration Records

Nonprofit organizations register with the state government and this registration, similar to companies’ registrations, is most easily discovered by using Open Corporates. Alternatively one can find this information on the individual state government website. State databases for nonprofits are listed on Open Corporates’ list of registers.

In a nonprofit’s registration record, one can expect to find the names of directors/officers, a postal address, and the lawyer that was hired to register the nonprofit. Various other information may also be included in the record depending on the state where it was registered.

Tax Filings

The tax filings for most nonprofit organizations are publicly available at IRS.gov, but one is better off using ProPublica’s Nonprofit Explorer or Guidestar. The tax forms include the names of board members, key employees, their compensation, services rendered, and contractors used by the nonprofit.

This screenshot is an example of how ProPublica’s Nonprofit Explorer displays tax information for one organization. This record is partially obscured for privacy.

This information is a summary of the tax record. To read all of the data (including the names of people involved in the nonprofit) one can click on the “990-T” button on the left.

See my other article for more in-depth research on non-profit tax filings and fraud.

How to Find U.S. Court Records

Court records in the U.S. are often publicly available, but they are divided up into a myriad of public databases. It is easiest to focus on whether the court hearing the case is federal, state, or county (even though courts are further divided beyond those levels).

Terminology: A Case File refers to a file of every single legal document in the case, so basically everything. A Legal Opinion is a written explanation by the judge or judges that accompanies their ruling (just to be clear, the ruling is identified in this document).

The term Docket refers to different things depending on the jurisdiction, but it generally refers to a sort of schedule of court hearings. The Docket often refers to who is involved in the case, where and when it is happening and why. Much of this information is only recorded before the case occurs but in certain jurisdictions the Docket will entail the ruling and/or events of the case.

Federal Level

The best free resource for court records is Court Listener, a website for researching federal and state court opinions. The site is maintained by the nonprofit the Free Law Project, which exists largely for the stated purpose of enabling the public to access court records.

Judy Records is also a great resource for court records at any level.

PACER is another good resource that sort of straddles the divide between free and paid. PACER does require payment, but generally at the end of the year they will dismiss the bill for anyone that spent less than about $15 that year. PACER is the official government resource for docket and case files of federal courts.

If you want to use PACER, you should definitely get the RECAP, a free browser extension that automatically searches for free copies of whatever record you are seeking in PACER. Specifically, it archives files from U.S. Federal District and Bankruptcy Courts. RECAP was created by Harvard and Princeton Universities and is maintained by the Free Law Project referenced above.

Dockets for federal cases are available for free here in a less than friendly format in the Federal Judicial Center’s Integrated Database. At the bottom of the screen you choose between Civil, Criminal, Bankruptcy, and Appeals and then choose “interactive mode” or download all of their data.

SIDENOTE: What are all of these kinds of courts and cases?

When you are looking for a specific person in court records you may, depending on the database, first have to choose which kind of case records to search before you can search for your person’s name.

Federal Courts – generally, you can expect a case to be in federal court if it is A.) a legal dispute between two people from two different states, B.) a bankruptcy case, or C.) a case of federal law, according to legal expert Marc Newman (https://millerlawpc.com/difference-state-federal-courts/).

State and County Courts – most importantly, you can expect criminal cases here (state and county laws are most likely to be the laws violated in general). But also family law cases, personal injury suits, contract disputes, and traffic violations, also according to Mr. Newman.

Circuit Court – the name is a bit deceptive, circuit courts are generally state and lower courts but they largely focus on civil and criminal cases. If you are looking for a civil or criminal case in a state or county database, you will likely need to choose to specify that you are looking in “circuit court” before you can choose “civil cases” or “criminal cases.”

Civil – is when two people or parties have a dispute. One party files a complaint against the other and they go to court. The parties will settle in a private agreement or go to trial, where either a judge or jury (depending on the trial) will decide on a resolution for the two parties.

Criminal – is pretty straightforward. The government brings the case because it believes that someone has broken the law; we have seen various iterations on TV.

Bankruptcy – bankruptcy cases are only in federal courts. The point, according to The Federal Courts’ Official Website (https://www.uscourts.gov/statistics-reports/bankruptcy-courts-and-cases-journalists-guide), is to consider giving the person or business that is in debt an opportunity to be relieved of all or part of that debt or to repay it in a different manner.

Appeals – the losing party in a case requests that it is reconsidered.

okay, SIDENOTE is over.

State Level

Court Listener, noted above, should be your first step for state courts because if it works you can avoid searching for the specific court database.

The National Center for State Courts maintains a list here of state websites for publicly available state courts’ records.

County Level

One can find individual county websites for county-level court records at Black Book Online. Just click on “County Public Records” at the bottom of the page, then choose the relevant state from the list that appears and then choose the county.

How to Research a U.S. Phone Number

This post (that is intended for educational purposes only) is about ways of investigating U.S. phone numbers by using different sources of information that are reliable but generally invisible to Google searches.

Why Are U.S. Phone Numbers Special?

U.S. phone numbers are unique, compared to other countries, because of the kinds of publicly available information affiliated with their registered owners.

Marketing databases, US public records, and the existence of people trying to profit off of that information have made US numbers uniquely useful from a research perspective (or, depending on your view, a stalker’s perspective).

The process for researching a US number involves using one piece of information to find a second bit of information that leads to a third and then again.

So the researcher looks up the number to find the owner’s name/address, other people that lived with them (roommates, current and former spouse), and their email address. Along the way, the researcher will also pick up a few more bits of information too.

This research will involve finding other phone numbers and their owners, which could be confused with the original phone number’s owner. For sake of clarity, the owner of the original phone will be referred to as “Lex” from here on out.

Where To Begin

The first and easiest step is to search the number on people-searching websites, such as:

These sites were also addressed in a previous post (Find Email Addresses Linked to U.S. Phone Numbers).

These sites have access to large databases that link a phone number to its owner and their address. So if the number is listed at these sites the results will usually include, for starters, Lex’s name, home address, and possibly email address.

These results will often also include Lex’s past addresses, the phones and names of others registered at those addresses, and a rough approximation of when all of those people had those phones and addresses. Sometimes these results are a jumble of names, numbers, and addresses with only tenuous links. However, if a researcher spends a bit of time looking over this data, it can often be possible to determine where and when Lex grew up, his siblings and parents, where he moved, who he lived with, and his current and former romantic partners.

What If There Were No Results?

If these sites gave you no results or conflicting results then there are a few alternative options that will at least find or confirm Lex’s name (which you still don’t know yet because you only have his phone number). These methods originate from episode 160 (click here to see it) of Michael Bazzell’s podcast, The Privacy, Security, and OSINT Show.

A.) You can look up the phone number in a caller ID database on websites such as opencnam.com and calleridservice.com. The sites do require that you sign up for a free account. These websites will only give you the name of the person that owns the phone. However, anecdotal experience has shown that these sites ALWAYS had results.

Caller ID databases are a great way to confirm the owner’s name when you have conflicting information. Sometimes the people-searching sites mentioned above will provide conflicting results. This is often because one site identifies the phone’s current owner (Lex) while another site only identifies the previous owner of the same number. The owner identified in a caller ID website is usually the right one.

B.) Truecaller.com is another easy alternative, but you do have to sign up for free. This is an interesting resource. The popular Truecaller app logs all of its users’ contacts. Once again, anecdotal experience suggests that there is a high likelihood that you will get results with this.

The website lets you search a phone number, like Lex’s, and if you get a result that means that Lex has the app or someone with Lex in their contacts list has the app. What is even more interesting is that when the website gives you the name of the phone’s owner, it is actually giving you the name that Lex’s associate had typed in their contacts list for Lex.

Maybe a coworker lists Lex as “Lex – IT guy,” or maybe Lex has a nickname and his friends call him “Lex Luther,” finally maybe a friend of his wife

C.) oldphonebook.com has a database of phone books from before 2015.

The Name

Now that you have the person’s name, you can use it to try to find their email. There are several websites that can identify someone’s email address based on the information you have obtained by this point, specifically their U.S.-based name, address, and phone number. Try using the following:

search function for publicemailrecords.com

Now you will hopefully have an email address which should round out your research on this phone number.

Phone-Email Divide

One issue that can arise when you are researching an individual living in the U.S. is the Phone-Email Divide. If you have a phone number, at least in the U.S., you can use various people-searching websites to find additional information like the name and address. Similarly, an email address can be used to find affiliated social media accounts. But it is difficult to connect a phone number to an email, or vice versa. This post is about how to cross that gap between phones and emails.

The answer is to first use the email address to find a social media account that reveals the owner’s name. Once you have a name you can search it in a people-searching website that will find the phone affiliated with that name. This process also works in reverse.

People-Searching Websites

There are five people-searching websites in particular that can be used for this process. Each website has its own inputs (data you can search on) and outputs (results).

It is important to note that if you do not want your personal information listed on these sites, they each have an “opt out” option available.

True People Search (truepeoplesearch.com) is by far the most reliable site for researching a phone number. The site uses name, address, and phone number as search inputs or outputs. The site will sometimes give the person’s email as an output.

That’s Them (thatsthem.com) and Search People Free (searchpeoplefree.com) are not always consistent with their results but they use name, address, phone, and email as inputs and outputs. These people-searching websites have the obvious potential to solve the whole problem by linking a phone directly with an email, thus negating the need for the rest of this process. Therefore, it makes sense to start with these sites.

Xlek.com and Radaris.com will only let you search by name to find the phone, but will not let you search in reverse. Public Email Records (publicemailrecords.com) uses email, name, and address as both inputs and outputs.

The Email

Epieos has created a new tool (click here) that finds an email’s LinkedIn and Google accounts, in addition to running the Python script holehe to find websites where the email is registered for an account.

There are a few things we can learn about an email aside from social media accounts. The website hunter.io can tell us if it is a real, functional email or not. The website emailrep.io will guess how long the email has been active.

If It Is a Work Email Address

If the email is a work email address, we can look up the domain to see where the user works. We can also do a “domain lookup” at the website Snov.io, and it will look up (usually successfully) email addresses with the same domain. These emails essentially identify the user’s coworkers.

If the domain is in Snov.io’s pre-existing list of known domains, it will identify the company and provide information from LinkedIn on individual employees. You can also do a domain search at Hunter.io and Normshield to find employees. If you are interested, this subject is addressed in greater detail here.

What Next? Use Breach Data Websites

Breach data websites will let you search if an email address (or other personal information) was listed in a specific data breach. For our purposes here, many data breaches are not useful. However, for example, there was a LinkedIn data breach in the past, and therefore if you search for an email address and find it was listed in that data breach, that means the email was registered to an unidentified LinkedIn account. Now you know to look for an account in LinkedIn for that email.

search function in haveibeenpwned listing some known data breaches that it searches

You can use these websites that may find additional accounts that were not discovered by Holehe. There is a lot of overlap between these sites so I would only search one or two.

How to Find Specific Accounts

Now that you hopefully have a list of social media sites where the email is/was registered, you can use a few tricks to find the specific accounts.

Please note, I did not create any of these methods. I am merely listing them together to make it easier to use them all. I will identify specifically who deserves the proper credit and I encourage you to follow them online.

Find Linkedin Account

Side Note: Remember that a LinkedIn user can see who looked at their account.

If the email address is registered to a Linkedin account we can find the specific address and avoid having to search around for it. One of the default settings of Linkedin is to allow others to find you based on your email. Linkedin does this to encourage people to use its paid services. But it is possible to take advantage of this opening without needing to pay.

Many sites inaccurately report that a Linkedin account can be identified using the url “linkedin.com/sales/gmail/profile/viewByEmail/[example email address here]”. This no longer works. The process below that currently works might similarly stop if LinkedIn decides to block it.

A new, working method was discovered by Steve Adams of IntelligenceBySteve.com, click here to see his article (you are highly encouraged to follow his website). Below is a shortened version of what he wrote, but it is largely verbatim.

  1. Create a Microsoft account at “https://account.microsoft.com/account?lang=en-us”
  2. Sign in to the web-based version of Outlook with the url “https://outlook.live.com/owa/” and using your Microsoft account.
  3. Within Outlook, go to your contacts section at “https://outlook.live.com/people”
  4. Create a new contact by selecting “Add a contact” and add the email address to its details. [sidenote from search-ish: In the contact details type a random unrelated letter, like “x”, as the name. This avoids confusion later, because if the site can’t find the Linkedin account it will show a list of guesses based on the name.]
  5. Click on the profile photo or letters, next to your new contact and within the new sub-window select “LinkedIn”.
  6. Click “Continue to LinkedIn” on the pop-up and then sign in to your LinkedIn account, then finally click “Accept”. [end of info from Steve Adams]

Find More Info with LinkedIn Account URL

Once you have identified the LinkedIn account, you can copy and paste the account page’s URL into the search function at Rocketreach.co. As seen below, its search function uses a LinkedIn URL, among various other criteria.

This search on Rocketreach can potentially find phone numbers, email addresses, and social media accounts that are not publicly connected to the Linkedin account holder.

Find Their Facebook Account

CREDIT WHERE IT IS DUE: This process was explained by Technisette on the OsintCurio.us webcast from December 19th 2019, titled “20191223 The OSINT Curious Special Facebook Webcast”, available on Youtube (click here) where Kirby (website, Twitter: @kirbstr) and Technisette (website, Twitter: @technisette) explain updated methods for investigating on Facebook. You are highly encouraged to follow Kirby, Technisette, and OsintCurious.

The first step is to log into Facebook and click the 3 horizontal lines that mean the “more” option, then click “pages” and then “+ create a new page”. After you’ve created a page, take these steps:

  1. Click on “pages” once again and then click on your page, which should appear.
  2. Click on the page you created.
  3. Click “settings”.
  4. Click “page roles”, and you will get to this page below:
  5. Click “assign a new page role”.
  6. Type in the email address below that.
  7. If a Facebook account appears in the drop down menu, click on it. (If no Facebook account appears, sorry, but that means you have hit a dead end with this process; it is time to try something else.)
  8. Click the “network” tab.
  9. In the search bar that is slightly down and to the left of the “network” tab, type in the word “account” or “ANYONE_EXCEPT_VERIFIED_ACCOUNT”.
  10. That should filter the results to the ones with “ANYONE_EXCEPT_VERIFIED_ACCOUNT”. Click on the bottom one in the list and a “preview” tab should appear.
  11. Look under the “preview” tab and the account’s name and ID number should be in there (if that information is not in the preview tab, try clicking the other results in the list; it should be in one of those results).
  12. Verify that you have found the account info by pasting the ID number at the end of the url “facebook.com/”, and this should bring up the account that you saw in the drop down menu from step 7.

If the facebook account is completely private, there is a nice guide at osintcurio.us for researching private accounts, click here.

Google Account

CREDIT WHERE IT IS DUE: I learned of the following by listening to the OsintCurio.us podcast/webcast #45 that you can access here. I give more specific credit for individual developments where it is due in the paragraphs below.

Epieos (https://epieos.com/) created a Google account finder (click here). If someone has a Google account, this will find it. The results generally include their real name, a general location down to the city level, and any reviews they posted on Google Maps. This last one is a bit weird, but I promise you that it is surprisingly common that people leave random reviews of places and businesses that they have used, and these are often revealing about the person or their location.

If you are researching an email address that is gmail, you can assume they have a google account. Other email addresses also often have associated google accounts.

ADDITIONAL RESOURCES AND CREDIT: You can also use the Python code GHUNT that is located here, on the Github account for MXRCH. In order to understand the role of Google IDs in Osint and how to obtain and use them more manually, see these articles here and here by Sector35 (website, Twitter: @Sector035)

Okay that is it, Good Luck!

Researching U.S. Property Records

Property records can be found in deep web databases that are located in the local county government websites in the “County Tax Assessor” section under the heading “Property Search.” This is true for the vast majority of U.S. counties.

A quick way to find the database is to google the name of the county and “tax assessor,” because the county tax assessor maintains the records. This should lead you to a webpage on the county government website where you have the option to input an address.

A directory of all of these U.S. county tax assessor databases can be found at Black Book Online.

Public Accountability Project

The best source for this information is the Public Accountability Project. This website allows you to conduct one search in one place, and most importantly it also gives you the ability to search on a name. The county tax assessor databases only allow you to search on the address, which is obviously limiting if you do not have the address.

Find Email Addresses Linked to U.S. Phone Numbers

Email to Social Media

There are several guides for using an email account to find affiliated social media accounts. Specifically, there are three methods (see linked guides that are effective as of September 2020) to do a reverse search that will find if an email address is affiliated with a LinkedIn page or Facebook account. Presumably/Hopefully the social media accounts will enable you to find the owner’s name. And of course it is always a good idea to just Google it.