Real-Time OSINT: Tools, Techniques & Geolocation from Photos

by

OSINT (Open Source Intelligence) is the art of finding information about targets using only publicly available sources. In 2026, the volume of digital footprints people leave behind has never been larger — social media, leaked databases, satellite imagery, domain registrations, and metadata inside files all contain intelligence waiting to be discovered. This guide covers practical real-world OSINT techniques, tools, and commands used by investigators, red teamers, and journalists.

What is Real-Time OSINT?

Real-time OSINT means gathering intelligence about a target right now — not just from historical databases, but from live sources: social media posts, live webcams, real-time flight trackers, active certificate transparency logs, and freshly indexed content. The goal is to build a picture of a target as it exists at this moment.

Part 1: Person and Username Intelligence

Username Enumeration Across Platforms

Most people reuse usernames. One username can unlock profiles across dozens of platforms — GitHub, Twitter/X, Reddit, Instagram, TikTok, Steam, and more.

# Sherlock — search username across 300+ sites
git clone https://github.com/sherlock-project/sherlock
cd sherlock
python3 sherlock target_username

# Example output:
[+] Twitter: https://twitter.com/target_username
[+] GitHub: https://github.com/target_username
[+] Reddit: https://www.reddit.com/user/target_username
[-] Instagram: Not Found
# Maigret — deeper profile research with data extraction
pip install maigret
maigret target_username --all-sites
# Generates HTML report with all found profiles

Email and Phone Intelligence

# Holehe — check if email is registered on sites (no password needed)
pip install holehe
holehe target@gmail.com

# h8mail — check email against breach databases
pip install h8mail
h8mail -t target@gmail.com

# theHarvester — gather emails, subdomains, IPs from public sources
theHarvester -d targetcompany.com -b google,bing,linkedin,twitter

# Example theHarvester output:
# [*] Emails found: 12
# john.smith@targetcompany.com
# admin@targetcompany.com
# [*] Hosts found: 8

Part 2: Domain and Infrastructure Intelligence

WHOIS and Historical Domain Data

# WHOIS lookup
whois targetdomain.com

# Historical WHOIS (who owned the domain before?)
# Use: viewdns.info/whoishistory or domaintools.com

# Find all domains registered to the same email
# Use: viewdns.info/reversewhois/

# DNS history — what IPs did this domain point to?
# Use: securitytrails.com (free tier available)

Subdomain Enumeration

# Amass — comprehensive subdomain discovery
amass enum -d targetcompany.com -passive

# Subfinder — fast passive subdomain discovery
subfinder -d targetcompany.com

# Certificate Transparency logs — find subdomains from SSL certs
# https://crt.sh/?q=%25.targetcompany.com
curl "https://crt.sh/?q=%25.targetcompany.com&output=json" | python3 -m json.tool | grep "name_value"

# Shodan — find internet-exposed infrastructure
# Online at shodan.io or via CLI:
shodan search "org:TargetCompany"
shodan host 203.0.113.10

Google Dorking — Advanced Search Operators

Google dorking is using advanced search operators to find specific information that is publicly indexed but not easily findable through normal searches.

# Find files exposing credentials on a domain
site:targetcompany.com filetype:pdf "password"
site:targetcompany.com filetype:xlsx "password"

# Find login pages
site:targetcompany.com inurl:login

# Find exposed configuration files
site:targetcompany.com ext:env OR ext:config OR ext:ini

# Find cameras and IoT (be ethical — view only, never touch)
intitle:"Live View / - AXIS" inurl:view/view.shtml

# Find exposed databases
site:pastebin.com "targetcompany.com" "password"

# Find cached employee data (LinkedIn profiles)
site:linkedin.com "targetcompany.com" "engineer"

Part 3: Geolocation — Finding a Location from a Photo

This is one of the most powerful and fascinating OSINT skills. Given a photo of a building, fence, road sign, or landscape, skilled investigators can pinpoint the exact location on Earth. Here is how it works systematically.

Step 1 — Check EXIF Metadata First

Most smartphone photos embed GPS coordinates in EXIF metadata. Many people share photos without knowing this information is hidden inside.

# Extract all EXIF data from a photo
exiftool photo.jpg

# Look specifically for GPS fields:
exiftool -GPS* photo.jpg
# If lucky you'll see:
# GPS Latitude: 48 deg 51' 30.12" N
# GPS Longitude: 2 deg 17' 40.50" E

# Extract GPS from all images in a directory
exiftool -r -GPS* /path/to/photos/

# Convert GPS from degrees/minutes/seconds to decimal:
# 48° 51' 30" N = 48 + (51/60) + (30/3600) = 48.8583

Step 2 — Reverse Image Search

If EXIF is stripped, use visual reverse image search to find where a photo has appeared before — other websites, news articles, or social media might have previously geotagged the same location.

  • Google Images — Upload photo or paste URL, click “Search by image”
  • Yandex Images — Often better than Google for buildings and outdoor scenes in Eastern Europe, Asia
  • TinEye — Specialized reverse image search, excellent for finding original sources
  • Bing Visual Search — Good for landmarks

Step 3 — Visual Clue Analysis

When no metadata exists and reverse search fails, you analyze visual clues in the photo itself. This is what Bellingcat and similar investigative groups do routinely:

  • Language on signs — Cyrillic = Russia/Eastern Europe, Arabic = Middle East/North Africa, etc.
  • License plates — Each country/region has a distinctive format and color scheme
  • Architecture style — Soviet-era concrete blocks vs. Ottoman stone vs. American suburban frame homes
  • Vegetation — Palm trees (tropics/Mediterranean), birch trees (northern Europe/Russia), eucalyptus (Australia/California)
  • Electrical infrastructure — Power line attachment styles, transformer box designs are often country-specific
  • Road markings — Left vs. right hand traffic, road surface materials, curb styles
  • Sun position and shadows — Using the sun angle you can determine approximate latitude and time of day
  • Terrain and mountains — Distinctive peaks can be matched against elevation databases

Step 4 — Satellite Verification with Google Earth

Once you have a candidate location from visual clues, verify it with satellite imagery:

# Google Earth Pro (free desktop app):
# 1. Navigate to suspected coordinates
# 2. Use "Street View" to compare ground-level view with photo
# 3. Use historical imagery (clock icon) to see past satellite images

# GeoGuessr technique — shadow angle calculation
# If you can see a shadow:
# Shadow angle from vertical = 90 - sun elevation
# Sun elevation at noon = 90 - |latitude - solar declination|

# Useful tools for verification:
# suncalc.org — sun position at any location and time
# peakfinder.org — identify mountains from any viewpoint
# what3words.com — 3-word location codes on some signage

Real Example: Geolocating a Fence Photo

Suppose you have a photo of a metal fence with a road behind it. Here is the workflow:

  1. Run exiftool fence.jpg — no GPS data found
  2. Upload to Yandex Images — no matches found
  3. Analyze: The fence has diagonal metal bars typical of Soviet-era construction. Road lines are white. A power pole is visible — the insulator style is typical of Russian/CIS grid infrastructure. Signage in Cyrillic. Street trees are birch.
  4. Narrow to Russia or Kazakhstan, urban area
  5. Find a distinctive building corner visible in background — matches a specific architectural pattern
  6. Open Google Maps, search candidate cities, use Street View to systematically check streets matching the visual layout
  7. Find exact location and verify with building alignment, shadow direction

Part 4: Social Media Intelligence

# Twitter/X intelligence (no auth needed for many operations)
# Twint (archived but still works):
twint -u target_username --media        # all media posts
twint -u target_username -g "48.8566,2.3522,10km" # geolocated tweets

# Instagram — use Osintgram (educational use only)
git clone https://github.com/Datalux/Osintgram
python3 main.py target_username
# Commands inside: mediatype, photos, videos, tagged, followers

# LinkedIn intelligence (no special tools needed)
# site:linkedin.com/in/ "targetcompany"
# This reveals org structure, employee names, job roles, technologies used

Part 5: The OSINT Framework

osintframework.com is an interactive map of virtually every OSINT resource available, organized by category: people, usernames, email, IP, domain, images, social networks, documents, geospatial, and more. When you need a specific tool for a specific type of intelligence, this is the first place to check.

Automated OSINT Frameworks

# Maltego (free Community Edition)
# Visual link analysis — connects people, domains, IPs, emails visually
# Download at maltego.com

# SpiderFoot — automated OSINT across 100+ data sources
pip install spiderfoot
python3 sf.py -l 127.0.0.1:5001
# Then open browser at http://127.0.0.1:5001

# OSINT Industries (SaaS) — aggregate reverse search on email/phone
# https://osint.industries — free tier available

Ethical and Legal Boundaries

OSINT is legal when you are accessing publicly available information. The line is crossed when you access private systems, use information to stalk or harass, or aggregate data in ways that violate privacy laws (GDPR in Europe, CCPA in California). Always ask: Is this information truly public? Am I authorized to collect it? What will I do with it? Legitimate uses include journalistic investigation, corporate due diligence, red team recon with written authorization, and academic research.