
Investigating Email Addresses with OSINT

Jacob H

Email addresses often serve as a starting point in OSINT investigations. Whether you're conducting a person of interest investigation, due diligence, threat intelligence, or general research, understanding how to effectively investigate email addresses can uncover a lot of information.


So, in this blog, we’ll go back to the foundations of OSINT and explore free, practical online tools and techniques for an email investigation.


Our approach is straightforward:

  • Search email addresses across available tools to reveal potential information.

  • Move on quickly if initial searches yield no results.

  • Focus on verification and pivot points when information is found.


While not every tool will yield results for every email address, each search represents a potential avenue of inquiry. With practice, this process becomes quick and intuitive, allowing you to systematically build an intelligence picture of the entity behind the email.


What can an email address reveal?

  • Associated accounts and services.

  • Data breaches and compromised information.

  • Domain relationships and business connections.

  • Digital footprints across various platforms.

  • Naming conventions that might lead to other accounts.


Before diving into online tools, let's explore how to effectively use search engines for email investigations. This can often reveal valuable information about an email address.


The most straightforward approach is using quotes for exact matches, e.g., the full email in quotation marks, written like: "email@example.com". This helps to potentially find mentions of the email across social media, forums, websites and online documents.


Alternatively, combine what you currently know with other relevant keywords to try to uncover more information. This might be useful if you are looking for a link between a person and an organisation.

  • "email@example.com" AND CV OR resume

  • "email@example.com" AND leaked OR breach

  • @example.com AND "name"

  • "name" AND "organisation" AND contact OR email


So, let’s take a (redacted) example. I have searched for a person’s first and last name, and I am looking to see if I can pick up any web page that has both the name and the word ‘email’, e.g., "john smith" AND email


I got a hit on a site called https://rocketreach.co/ which is essentially a data broker site that collects your data from various online platforms. On this site, it provided three partial email addresses.


Emails and phone numbers partially blacked out. Text shows "Found 3 emails" and "Found 1 phone numbers" with partial details visible.
Emails and phone numbers associated to the email on Rocket Reach.

I knew the person's name, and now I know that they have a @yahoo.co.uk email address. So, let's run another search (if RocketReach can find it, so can we, right?). Here, we can practice a simple, but effective search.

Google search for email "@yahoo.co.uk" with an X logo post showing blurred text and a timestamp. An orange arrow points to text.
Google search for name and an email.

In this case, it picked up the record on X, where the email was included in a tweet. Now I have another email to re-run through all the tools and collect more information on, and I also have an X account to investigate.


But before we do that, let’s consider Operational Security (OPSEC).


When using free email investigation tools, it's essential to understand the broader operational security implications. While these tools are valuable for OSINT work, they also present risk, as most free tools collect and store search data, including:

  • Search queries

  • IP addresses

  • Device information

  • Network details

  • Timestamps of searches


Consider this scenario: A law enforcement investigator searches for an email address using several free tools from their office network and official device. The search itself immediately reveals:


  • Which agency is conducting the investigation (via IP and network data).

  • The target of interest (via the searched email).

  • The timing of investigative activity (when you hit enter, and your time zone setting).

  • Potential investigation scope (via cross-site tracking of subsequent searches).


Ask yourself: Are you comfortable with a free tool knowing exactly which agency is investigating which targets? Have you considered whether cross-site trackers might follow your investigation path as you move between different tools and searches? Is this something you are worried about?


So, how do you protect yourself and your organisation?

  • Use a dedicated research environment, such as a Virtual Machine or a stand-alone laptop that is not connected to your organisational network.

  • Compartmentalise your research (different browsers, clearing cookies and cache etc.)

  • Network security (should you be conducting sensitive searches on corporate networks and internet connections?)


But you might be asking, why should I care? And it is a great question.


  • Targets may detect your interest - causing them to delete accounts, alter behavior, or create false leads.

  • Your methods become exposed - revealing capabilities and techniques.

  • Legal complications can arise - if your evidence collection methods are questioned.

  • Organisational reputation suffers - exposing priorities and potential public or media scrutiny.


After we consider our OPSEC, let’s get into the tools.


Epieos


This is a great resource. It validates whether an email address is linked to various platforms, including Google. It provides insights without alerting the user. You can enter any email to get a result. In the example, we are using the free version.


  1. Enter the email address.

  2. Complete the CAPTCHA verification.

  3. Review the initial results for associated accounts.


Gravatar account finder tool interface with a query email, profile info, and sign-up options. Blue logo, text, and red padlock icons.
Note the free vs paid visibility of information

In the example, we are using the free version, so some information will be blurred.

Google search results for a Gravatar profile linked to an email. Shows Gravatar icon, site link, and sections like Privacy Policy.
With smart Google Searching we can leverage a little information to gain a lot.

If the person behind the email has linked it to Google (or has a Gmail account), has a profile picture, and enjoys leaving reviews and posting photos of their lunch on the local café's Google Maps business listing, we are going to have a good time.


  1. Locate the Google Maps URL in the results.

  2. Open the Maps URL in a new tab.

  3. Review the location history through reviews and photos.

  4. Document patterns of life and frequently visited locations.


Google Maps view showing a satellite image of a neighborhood with marked locations. Left panel shows a user profile with a 5-star review from 3 years ago.
If an email is linked to Google, and they have left reviews or posted photos, it will appear here.

We can also obtain higher quality profile pictures, which can be extremely useful. This opens other avenues of enquiry, like reverse image searching.


  1. Right-click the profile picture and open it in a new tab.

  2. Go to the image URL. It ends with something like: =w41-h41-p-rp-mo-br100

  3. To increase image quality, delete everything from the '=' onwards in the URL. This removes Google's compression parameters.


If the image size increases successfully, but the quality does not, this simply means the person uploaded an image of poor quality.


Remember to document all findings and use them as pivot points for further investigation. Each piece of information can lead to additional enquiry pathways through other platforms and tools.


Have I Been Pwned (HIBP)


It's pronounced as "poned" - it originated from a misspelling of 'owned', simply putting a 'p' in front. Now that we have that out of the way, this tool checks if an email address appears in data breaches. Before we go further, it's important to recognise two key points - legality and ethics. Why? HIBP utilises data obtained from unauthorised breaches. Some organisations prohibit the use of such data in investigations for legal and ethical reasons. Always verify your organisation's policies and ensure proper authorisation before using breached data in your research.

This tool serves two purposes: it helps you protect yourself (by identifying when you need to change passwords) and it can reveal information about a person of interest - including their hobbies, locations, and social media presence.


Logos and data breach summaries for Bukalapak, Tokopedia, and Bhinneka on a red background. Text details compromised data types.
Results from HIBP - In this case, the email has returned results for Indonesian platforms.

For OSINT investigations, HIBP reveals which services the email owner has used, indicates when accounts were created (based on breach dates), and helps assess security awareness and digital footprint. In the instance above, this email was found in three different breached sites - all Indonesian. If I wasn't sure where this person was located, I now have a solid lead.


Domain Investigation Tools


Now that we've explored HIBP for breach data, let's turn to domain investigation tools. While these next tools may seem similar at first glance, each accesses different databases and can reveal unique pieces of information. When using multiple tools, remember two key principles:


  1. Different results = more avenues of enquiry

  2. Different results = opportunities to verify and cross-reference findings


ViewDNS


Let's start with ViewDNS, a website that's been around for a long time and features many useful tools in one spot. It's one of our go-to resources. You can find domain names via email address, discover websites hosted on a given IP, identify sites using specific mail servers (though this is less useful for shared hosting), perform reverse lookups and much more. It's an excellent one-stop-shop for starting an investigation. We'll focus on identifying domains registered with an email account using: https://viewdns.info/reversewhois/


Search options include:

  • A full name (e.g., John Smith) - though common names may yield too many results

  • A full email address

  • A partial email address (e.g., @nike.com) - works only for domain-specific emails, not generic providers like @gmail.com. Note: searching large organisations like Nike will return numerous results, so try your own or a smaller organisation first to see what unexpected websites might appear.


Reverse Whois Lookup page displays search results for a name, email or partial email. The page shows 75 matching domains, including anonfiles.com and apibay.org.

Whoxy


Next up is https://www.whoxy.com/. When you navigate to this site, make sure you select the drop-down menu and hit 'email'.


WHOXY domain search engine webpage with a search bar, dropdown for "Whois Lookup". Change this to "Email".

Using Whoxy:


  1. First, look for any website hits.

  2. If found, focus on historical data by clicking the site link (see orange arrow below).

Website interface showing WHOIS services with prices, Amazon Web Services logo, search bar, and a table listing domain details.
WHOIS records after searching an email.

  3. On the page that appears, scroll down to the "who owned 'this' in the past" section.

  4. If historical data is available, this provides additional information for your investigation.


This leverages WHOIS information. Due to EU GDPR regulation changes, this data is now limited - which makes any available historical information particularly valuable.


Domain ownership history: 4 records showing changes from 2016 to 2022. Includes names, companies, emails, countries, and statuses.
Domain ownership history after searching the email.

Whois Freaks


Our next tool, https://whoisfreaks.com/tools/whois/reverse/search, is similar to Whoxy but worth using alongside it. Different tools access different databases, so using multiple sources helps ensure comprehensive coverage. For example, in our test search, Whoisfreaks returned one more result than Whoxy - though this could be reversed with different searches.


To dig deeper:

  1. Click the link under 'Domain Name' for additional information

  2. Take the domain and use it in the 'Historical' lookup tool

  3. Review any results - if nothing appears, move on; if information is found, verify and use as a pivot point

  4. Consider checking the Wayback Machine for historical site content, but remember to maintain OPSEC (visiting the live site directly will leave a digital footprint for the administrator)


Menu bar with options: Lookup, Historical (highlighted red), Reverse, IP Lookup, ASN Lookup. Dark geometric background.
Website Lookup tools, including the historical WHOIS records.

Another useful resource is https://www.skymem.info, which allows you to search an organisation's domain to find associated email addresses. While this is a free tool, it has limitations - you'll need to pay to access the complete list of email addresses linked to a domain. However, the free version can still provide valuable initial insights.


Email search for nike.com showing 6358 emails available.

For Skype connections, try https://www.vedbex.com/tools/email2skype. This straightforward tool checks if an email address is associated with a Skype account. It can reveal valuable information like the account holder's full name and, sometimes, location details - making it a quick but effective way to discover additional personal details.


Using AI to Generate Email Permutations


In our newest course, Leveraging Generative AI for OSINT, we explore how artificial intelligence can solve common investigative challenges. One application is handling information gaps in email investigations. While traditional tools have their place, AI can help us work smarter and faster when dealing with partial or obscured email addresses.


So, have you ever encountered a partially redacted email address while investigating a person of interest? These often appear in documents with portions obscured by asterisks or other characters. While traditional email permutation tools like Mail Meteor or Metric Sparrow can help, they sometimes produce unrealistic or improperly formatted results.


Let's look at a practical example. Say we encounter this partially redacted email:



To streamline the process of identifying potential email variations, AI can generate contextually relevant options. Getting useful results from AI requires clear, contextual prompting. When generating email variations, provide the AI with background context such as:

  • Industry or profession (in this case, the health industry)

  • Known naming conventions.

  • Company email patterns.

  • Professional titles or roles.

Text on a screen lists health-related phrases, each starting with "H" and ending with "G," such as Healthy Eating and Hula Hooping.
ChatGPT lists health-related phrases, each starting with "H" and ending with "G"

This approach helps the AI generate more relevant and realistic possibilities while avoiding obviously incorrect combinations.


Remember, verification is crucial. Your process should include:

  • Filter out obviously incorrect suggestions.

  • Use email verification tools to check viable options (like Epieos)

  • Document both successful and unsuccessful attempts.

  • Test suggestions against known patterns.
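
The filtering and documentation steps above can be done in a few lines before any candidate is taken to a verification tool. The following is an added example, not part of the original post: the mask and the suggestions are constructed sample data (the redacted address from the post is not reproduced here), and `mask_to_regex` and `triage` are hypothetical helper names.

```python
import re

LOCAL_CHAR = r"[a-z0-9._+-]"  # characters accepted in the local part (simplified)
SYNTAX = re.compile(rf"{LOCAL_CHAR}+@[a-z0-9-]+(?:\.[a-z0-9-]+)+")

# Constructed sample input: a made-up mask and made-up AI suggestions.
SAMPLE_MASK = "h*****g@example.com"
SAMPLE_CANDIDATES = [
    "healing@example.com",
    "HEALING@example.com ",        # same address, different case and spacing
    "hiking@example.com",
    "hulahooping@example.com",
    "healthy eating@example.com",  # phrase pasted as-is, not an address
    "healing@example.org",         # wrong domain
]


def mask_to_regex(mask, fixed_length=True):
    """Turn a redacted address into a regex; the domain must be unredacted.
    fixed_length=True: each '*' hides one character; False: a run hides one or more.
    """
    local, sep, domain = mask.strip().lower().partition("@")
    if not (sep and local and domain) or "*" in domain:
        raise ValueError(f"unsupported mask: {mask!r}")
    parts = []
    for token in re.findall(r"\*+|[^*]+", local):
        if token.startswith("*"):
            parts.append(f"{LOCAL_CHAR}{{{len(token)}}}" if fixed_length else f"{LOCAL_CHAR}+")
        else:
            parts.append(re.escape(token))
    return re.compile("".join(parts) + "@" + re.escape(domain))


def triage(mask, candidates, fixed_length=True):
    """Return [(address, verdict)] for every candidate, kept or rejected."""
    pattern = mask_to_regex(mask, fixed_length)
    seen, log = set(), []
    for raw in candidates:
        addr = raw.strip().lower()
        if addr in seen:
            verdict = "duplicate"
        elif not SYNTAX.fullmatch(addr) or ".." in addr:
            verdict = "invalid syntax"
        elif not pattern.fullmatch(addr):
            verdict = "does not fit mask"
        else:
            verdict = "keep"
        seen.add(addr)
        log.append((addr, verdict))
    return log


if __name__ == "__main__":
    print(*triage(SAMPLE_MASK, SAMPLE_CANDIDATES), sep="\n")
```

Redaction does not always preserve length, so run the list with `fixed_length=False` as well and record which setting produced each kept candidate.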


The key advantage of AI over traditional permutation tools is its ability to understand context and generate more nuanced suggestions. However, always verify results through established tools and techniques - AI is a helper, not a solution in itself. It is important to note that this technique may not work, as it is harder to verify.


Key Takeaways


While tools and platforms constantly evolve, the core investigative methodology remains consistent:

  • Search systematically across multiple sources

  • Verify every piece of information you find

  • Follow new leads from each discovery

  • Build your intelligence picture progressively


Remember: The more online presence you uncover, the more pieces of the puzzle you have to work with.


Need to expedite your searches while maintaining OPSEC? Consider NexusXplore, our all-in-one investigation platform. It provides a secure research environment with integrated email investigation tools, helping you maintain attribution security while streamlining your workflow.  Ease of access to data and security in one place!

To support your OSINT collection and analytical capabilities, contact us at info@osintcombine.com to learn more about NexusXplore or our training courses.

 
 