10 Free OSINT Tools Every Investigator Should Know
Ten free OSINT tools that cover 80% of entry-level investigations — from Wayback Machine to Shodan to theHarvester. With usage patterns and gotchas.
Most OSINT work at the entry level runs on free tools. Paid platforms matter for enterprise due diligence and large-scale social media monitoring, but the techniques you see in published investigations from Bellingcat, ICIJ, or the Epstein Revealed investigation series rely overwhelmingly on publicly available, no-cost resources.
These ten belong on every investigator's bench. Each links to a full tutorial.
1. Wayback Machine
Internet Archive's Wayback Machine retrieves historical snapshots of web pages. It is the single most-used tool in published OSINT because live web content changes, disappears, or gets rewritten.
Typical query pattern:
https://web.archive.org/web/*/example.com/about*
Use it when a page has been edited, when a domain has changed hands, or when you need to prove what a site said on a specific date. Always save a snapshot yourself ("Save Page Now") before relying on one.
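An added example (not from the original article): the Wayback CDX index lists every capture of a URL together with a content digest, so comparing digests shows when a page was edited and which capture was current on a given date. The rows are constructed sample data, the digests are placeholders, and the function names are this example's own.

```python
from datetime import datetime, timezone

# Default column order of the Wayback CDX server's plain-text output
# (https://web.archive.org/cdx/search/cdx?url=example.com/about*).
FIELDS = ("urlkey", "timestamp", "original", "mimetype", "statuscode", "digest", "length")

# Constructed rows (not real captures); digests are placeholders.
SAMPLE_CDX = """\
com,example)/about 20190104120000 http://example.com/about text/html 200 DIGESTAAAA 1523
com,example)/about 20190611083000 http://example.com/about text/html 200 DIGESTAAAA 1523
com,example)/about 20200302101500 https://example.com/about text/html 200 DIGESTBBBB 1810
com,example)/about 20200909000000 https://example.com/about warc/revisit - DIGESTBBBB 512
com,example)/about 20210115093000 https://example.com/about text/html 200 DIGESTBBBB 1810
com,example)/about 20211101070000 https://example.com/about text/html 301 DIGESTRRRR 310
com,example)/about 20220520140000 https://example.com/about text/html 200 DIGESTCCCC 2044
"""

def parse_cdx(text):
    """Parse CDX lines into dicts, keeping only HTTP 200 captures, oldest first."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # skip blank or malformed lines
        row = dict(zip(FIELDS, parts))
        if row["statuscode"] != "200":
            continue  # redirects, errors and revisit records are not page content
        ts = datetime.strptime(row["timestamp"], "%Y%m%d%H%M%S")
        row["when"] = ts.replace(tzinfo=timezone.utc)  # Wayback timestamps are UTC
        rows.append(row)
    return sorted(rows, key=lambda r: r["when"])

def content_changes(rows):
    """Return each capture whose payload digest differs from the previous capture."""
    changes, last = [], None
    for row in rows:
        if row["digest"] != last:
            changes.append(row)
            last = row["digest"]
    return changes

def snapshot_as_of(rows, when):
    """Return the latest capture at or before `when`, or None if none exists yet."""
    earlier = [r for r in rows if r["when"] <= when]
    return earlier[-1] if earlier else None

def replay_url(row):
    """Build the replay URL that pins a citation to one specific capture."""
    return f"https://web.archive.org/web/{row['timestamp']}/{row['original']}"
```

A digest change means the archived payload differs, not necessarily the visible text; pages with dynamic markup can change digest on every capture, so diff the two replayed captures before reporting an edit.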
2. WHOIS and DNS Lookup
WHOIS resolves domain registration data; DNS lookups return current infrastructure records. The command line remains faster than web forms for bulk work.
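whois example.com
# Many servers answer ANY with a minimal response (RFC 8482), so ask for each record type
dig +noall +answer example.com A example.com NS example.com MX example.com TXT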
Registrars increasingly mask registrant data behind privacy services, but registration dates, nameservers, and historical WHOIS (via commercial databases with free tiers) remain useful pivots.
3. Google Dorking
Advanced search operators target specific file types, domains, and page structures. The syntax is unforgiving but effective.
site:sec.gov filetype:pdf "beneficial ownership" "Meridian"
intitle:"index of" "passwords.txt"
site:linkedin.com/in "former DOJ" "compliance"
Google throttles aggressive queries; rotate with DuckDuckGo, Bing, and Yandex for coverage.
4. Shodan
Shodan indexes internet-connected devices by banner, port, and service. Free accounts get limited queries; academic email gets more.
product:"nginx" country:"DE" port:443
org:"Example Corp" http.title:"login"
Shodan is essential for infrastructure attribution — tying a domain to a hosting pattern, identifying misconfigured services, mapping an organization's public footprint. It is not a hacking tool; it reports what the device itself broadcasts.
5. Maltego Community Edition
Maltego CE is the free tier of the link-analysis standard. Limits: 12 entities per transform, local graphs only. For small investigations that is enough.
Maltego shines when you need to visualize relationships — shared registrants across domains, co-located companies, overlapping officer lists. The graph is only as good as your entity resolution discipline in the analysis phase.
6. Reverse Image Search (Yandex, TinEye, Google Lens)
Reverse image search identifies where an image has appeared before. Yandex consistently outperforms Google on faces and non-Western sources; TinEye is stronger for exact-match duplicate detection.
Workflow:
- Crop the image to remove backgrounds that confuse the matcher.
- Run through all three engines; results rarely overlap.
- Check EXIF data before the image loses it to platform re-encoding — see /tools/metadata/.
7. SpiderFoot
SpiderFoot automates a long list of OSINT modules against a target (domain, IP, email, name) and produces a consolidated report. The open-source version (SpiderFoot HX is commercial) runs locally:
python3 sf.py -l 127.0.0.1:5001
Treat SpiderFoot as a fast reconnaissance layer — it tells you where to look harder. Do not treat its output as finished analysis.
8. theHarvester
theHarvester pulls email addresses, subdomains, hosts, and employee names from search engines and public sources. Useful in the collection phase for mapping an organization's surface.
theHarvester -d example.com -b all -l 500
Results are noisy. Deduplicate and verify before acting on anything.
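An added example (not from the original article or from theHarvester itself) of the deduplication step: it normalizes collected emails and hosts and drops anything outside the target domain, including look-alike names that a naive suffix match would accept. The input lists are constructed, and the assumption is that hosts arrive either bare or as host:ip pairs.

```python
import re

EMAIL_RE = re.compile(r"[a-z0-9._%+-]+@((?:[a-z0-9-]+\.)+[a-z]{2,})")
HOST_RE = re.compile(r"(?:[a-z0-9_](?:[a-z0-9_-]*[a-z0-9])?\.)+[a-z]{2,}")

# Constructed sample results (documentation domains and address ranges only).
RAW_EMAILS = ["J.Doe@Example.com", "j.doe@example.com ", "press@example.com",
              "sales@notexample.com", "info@example.com.invalid",
              "not-an-email", "ops@mail.example.com"]
RAW_HOSTS = ["www.example.com:192.0.2.10", "WWW.example.com",
             "www.example.com.:192.0.2.11", "vpn.example.com",
             "example.com.lookalike.invalid:198.51.100.7", "notexample.com",
             "*.example.com", "mail.example.com:192.0.2.10"]

def in_scope(name, domain):
    """True for the domain itself or a real subdomain; 'notexample.com' must not match."""
    return name == domain or name.endswith("." + domain)

def clean_emails(raw, domain):
    """Lower-case, validate and de-duplicate addresses, keeping only in-scope ones."""
    seen = set()
    for item in raw:
        m = EMAIL_RE.fullmatch(item.strip().lower())
        if m and in_scope(m.group(1), domain):
            seen.add(m.group(0))
    return sorted(seen)

def clean_hosts(raw, domain):
    """Merge 'host' and 'host:ip' entries into {host: sorted IPs}, in-scope only."""
    hosts = {}
    for item in raw:
        name, _, ip = item.strip().lower().partition(":")
        name = name.rstrip(".")  # fully qualified form with a trailing dot
        if HOST_RE.fullmatch(name) and in_scope(name, domain):
            hosts.setdefault(name, set())
            if ip:
                hosts[name].add(ip)
    return {h: sorted(ips) for h, ips in sorted(hosts.items())}

if __name__ == "__main__":
    print(clean_emails(RAW_EMAILS, "example.com"))
    print(clean_hosts(RAW_HOSTS, "example.com"))
```

Hosts left with an empty IP list were never resolved by the collector and are the first ones to verify against live DNS.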
9. OSINT Framework
osintframework.com is a curated tree of OSINT resources by category. It is not a tool itself but a directory — useful when you hit a source type you have not worked with before (say, Vietnamese court records or Brazilian corporate filings) and need a starting point.
Use it as an index. Do not assume every linked resource is current; dead links are common.
10. Hunter.io
Hunter.io finds professional email addresses associated with a domain and verifies deliverability. Free tier: limited monthly searches.
hunter.io/search/example.com
Useful for identifying likely contacts at a target organization before sending FOIA or press inquiries. Confirmation that an email is deliverable is not confirmation that a person works there — cross-reference with LinkedIn, conference speaker lists, and court filings.
What This Bench Does Not Cover
These ten handle most entry-level work. They do not cover:
- Geospatial analysis (Sentinel Hub, Mapillary, Google Earth Pro)
- Cryptocurrency tracing (Chainalysis Reactor is paid; free alternatives are partial)
- Structured document review — Subthesis research tools handle legal-grade document triage
- Large-scale social media monitoring (Brandwatch, Talkwalker — both paid)
For those, see the full tool directory.
Pairing Tools With Phases
A rough mapping to the methodology framework:
- Planning: OSINT Framework (to scope sources)
- Collection: Wayback Machine, WHOIS, Google dorking, Shodan, theHarvester, Hunter.io, reverse image search, SpiderFoot
- Analysis: Maltego
- Reporting: your own template; see /methodology/reporting/
No single tool owns a phase. The skill is knowing which one answers the question in front of you.
A Warning on "OSINT Toolkits"
Large curated Docker images and all-in-one VMs ("OSINT Buster," "Trace Labs VM," etc.) are convenient but produce over-broad collection if you run every module against every target. Investigators who build their own toolkit — adding each tool only when a case requires it — stay closer to the planning phase and produce cleaner reports.
Start with these ten. Add the eleventh only when an investigation actually demands it.