In your forensic investigations, an email address may be the only lead you have in a case. The benefit to you in searching an email address (compared to usernames) is it allows you to achieve better results at a faster pace in your investigations.

 


The amount of information available about a particular e-mail address can vary widely. This depends on a number of different factors, such as

  • How old the e-mail address is.
  • How widely the owner has published it on the internet.
  • Whether the provider is a common e-mail provided like Gmail or Protonmail, or whether the e-mail address is tied to its own company domain name.

Search Engines

The first place to begin the search for an email address will be the search engines. Searching this address within quotation marks on the major search engines will yield good results. This should identify web pages which include the exact details within either the content or the 
source code. This may yield false positives but it should provide quick evidence of the target account’s exposure.

Let us conduct an example with ‘[email protected]’ as the target email address. You could place the email address within quotes and execute manually, or use the following direct search URLs.

https://google.com/search?q="[email protected]"
https://bing.com/search?q="[email protected]"
https://yandex.com/search/?text="[email protected]"


You could also search the username portion of the email address to see if it is in use within other providers such as Facebook, Instagram, and so on. You could place the username within quotes and execute manually, or use the following direct search URLs.

https://google.com/search?q="josephmoronwi"
https://bing.com/search?q="josephmoronwi"
https://yandex.com/search/?text="josephmoronwi"
  

 The site and intext search modifier can also be used to find webpages where the e-mail address appears as a string.

site:target_company intext:[email protected]
    
intext:”target-email" filetype:pdf


Email Verification

When searching for a target by email address, it is possible you obtain no results. If this happens, you need to consider whether the email address you are searching is valid. It is conceivable that the email address was mistyped or a character is missing. It behooves the investigator at this point to verify the validity of such email address.

Emailable

There are several websites online that claim to be able to verify the validity of an email address. Many of the free web-based email providers do not support these sites. One service that stands out from this crowd is emailable.

The sole purpose of the service is to identify if an email address is active and currently being used. After entering an email list, you will be presented with immediate results which will identify if the addresses are valid or invalid. Further information will identify potential issues with the address.

A look into one of the email address on the list reveals the following


[email protected]

95
  • ?
  • 0
  • 1
  • 80
  • 100

General

Full Name


Gender


State


Reason

ACCEPTED EMAIL

Domain


Numerical Characters

0

Unicode Symbols

0

Attributes

Free

Yes
0.95x

Role

No

Disposable

No

Accept-All

No

Tag

No

Mail Server

SMTP Provider


MX Record

mx01.mail.com

Implicit MX Record

No

This indicates that the domain provided for the email (programmer.net) is configured for email and the server is active. The 
results confirm it is not a free webmail account nor a disposable temporary account. I find this tool to be more reliable than all the others when searching email addresses, but we should always consider alternatives.

Emailrep

This is similar to a verification service, but with added features. Below is an actual search result, and I provide an explanation after each detail [within brackets]. 

curl emailrep.io/[email protected]
{
    "email": "[email protected]",        [email address supplied]
    "reputation": "none",                          [Likelihood to be a real email address]
    "suspicious": true,                            [Indications of spam or malicious use]
    "references": 0,                               [Number of online references]
    "details": {
        "blacklisted": false,                      [Blocked by spam lists]
        "malicious_activity": false,               [Known phishing activity]
        "malicious_activity_recent": false,        [Known recent phishing activity]
        "credentials_leaked": false,               [Password present within data leaks]
        "credentials_leaked_recent": false,        [Password present within recent leaks]
        "data_breach": false,                      [Address present within known breaches]
        "first_seen": "never",                     [Date first seen online]
        "last_seen": "never",                      [Date last seen online]
        "domain_exists": true,                     [Whether domain is valid]
        "domain_reputation": "n/a",                [Reputation of domain]
        "new_domain": false,                       [Domain recently registered]
        "days_since_domain_creation": 9763,        [Days since the domain was registered]
        "suspicious_tld": false,                   [Whether top level domai is fake]
        "spam": false,                             [Marked as spam]
        "free_provider": true,                     [Free provider such as Gmail]
        "disposable": false,                       [Disposable provider such as Mailinator]
        "deliverable": true,                       [Inbox able to receive mail]
        "accept_all": false,                       [Address is a catch-all]
        "valid_mx": true,                          [Domain possesses an email server]
        "primary_mx": "gmail-smtp-in.l.google.com",[Email sever of domain]
        "spoofable": true,                         [Dmarc email security enabled]
        "spf_strict": true,                        [Domain email security enabled]
        "dmarc_enforced": false,                   [Dmarc email security enabled]
        "profiles": []                             [Profiles associated with email]

    }
}

Additional email verification options include Verify Email and Email Hippo. Both services provide minimal data, but may identify something missing from the above superior options. Searching the target email address, I 
received "OK" as a response. 

Hunter

Hunter advertises the ability to display email addresses associated with a specific domain. However, the "Verifier" tool can also be valuable. This URL allows query of an individual email address. It immediately provides details similar to the above two services such as the validity of the address. From there, it displays any internet links which contained the email address within the content at some point. It should be noted that it only allows the search of professional email addresses.


Valid             This email address can be used safely.
Format            Valid
Type              Professional
Server status     Valid
Email status      Valid

We found 10 sources for [email protected] on the web.
http://medium.com/@hunchly/screenshots-and-a-terrorism-case-8c0911fe9945 Oct 2, 2019
http://medium.com/@hunchly/jumping-to-osint-conclusions-a97fc5e623f4 Feb 13, 2019
http://hunch.ly/osint-articles/osint-article-emojis-courtroom.php Feb 9, 2019
http://hunch.ly/osint-articles/osint-article-jumping-to-osint-conclusions.php Feb 9, 2019
http://medium.com/@hunchly/osint-emojis-in-the-courtroom-22a846e6e151 Feb 3, 2019
http://medium.com/@hunchly/advanced-website-analysis-for-osint-ff35373d918f Sep 22, 2018
http://medium.com/@hunchly/osint-undercover-facebook-hunchly-7ea55c564bb5 Sep 22, 2018
http://hunch.ly/osint-articles/osint-article-emojis-courtroom Jun 26, 2021Removed
http://hunch.ly/osint-articles/osint-article-unfriendly-friend-request Jun 26, 2021Removed
http://hunch.ly/osint-articles/osint-article-unfriendly-friend-request.php Feb 9, 2019Removed

Email Assumptions

It can sometimes be productive to make assumptions of possible email addresses and use the verifiers discussed above to see if they exist. For example, if your target's name is Joseph Smith and he has an email address of [email protected], you should conduct additional searches for the addresses of [email protected], [email protected],  
[email protected], and others. If you already know your target's username, such as a Twitter handle, you should create a list of potential email addresses. If I had no email address or username for my target (Joseph Smith), but I knew that he worked at Github (github.io), I may start searching for the following email addresses.

[email protected]
[email protected]
[email protected]

These are merely assumptions of potential addresses. Most, if not all, of them may not exist and may yield no result. However, if you do identify an existing address, then you have a new piece of puzzle to search. You can utilize the verification methods discussed thus far.

 Email Format

If the previous email assumption techniques were unproductive, you may want to consider Email Format. This website searches a provided domain name and attempts to identify the email structure of employee addresses. 

When searching github.io, it provided several confirmed email accounts under that domain and made the assumption that employee emails are formatted as first initial then last name and two alphanumeric characters. Our target would have an email address of, say, [email protected] according to the rules. You can then proceed to verify this email address according to the methods discussed so far.

Gravatar

Gravatar powers your public profile, visible wherever you post, comment, and interact online. This service is responsible for many of the small image icons that you see next to a contact in 
your email client which could be configured by the sender of the email.

While the Gravatar home page does not offer an email address search option, you can conduct a query directly from the following URL as shown below. Simply replace the email address with your target information. The resultant image can then be searched with a reverse image query

https://en.gravatar.com/site/check/[email protected]

Compromised Account

Several online services now aid this type of investigation. These services provide one minimal piece of information about any email address entered. They disclose whether that address appears within any publicly known hacked email databases. While most will never disclose the owner, any email content, or passwords, they will confirm that the target's email account was compromised at some point. They will also identify the service which was targeted during the breach.

This helps us in two ways:

  • First, it confirms an email address as valid. If your suspect account is  [email protected], and that address was compromised in a breach in 2018, you know the  address is valid, it was active, and is at least a few years of age.
  • Second, you know the services which need to be investigated. If [email protected] was included in the Facebook and Linkedln breaches, you should attempt to locate those profiles.

Have I Been Pwned

This is a staple in the data breach community. This site lists half a billion real-world passwords previously exposed in data breaches. You can also download the Pwned Passwords list, which contains additional data about each breached account (such as the number of times that password had been seen in the source  
data breaches).  This site can be searched using a target e-mail address or the password itself to see whether it appears in plain text on any public password dump list.

 Cybercriminals steal various credential databases and allow Have I Been Pwned (HIBP) to confirm the legitimacy. HIBP then makes the content searchable and credits the criminal by name. The criminal can then charge more money for the stolen goods as HIBP has vetted the content.

Searching through this website is a straightforward process. The most effective way is to query an email address directly from a URL which presents text-only result.

https://haveibeenpwned.com/unifiedsearch/[email protected]

Replacing the email address above with my target email address in the below query

https://haveibeenpwned.com/unifiedsearch/[email protected]

 yields the following result

{"Breaches":[{"Name":"Canva","Title":"Canva","Domain":"canva.com","BreachDate":"2019-05-24","AddedDate":"2019-08-09T14:24:01Z","ModifiedDate":"2019-08-09T14:24:01Z","PwnCount":137272116,"Description":"In May 2019, the graphic design tool website <a href="https://support.canva.com/contact/customer-support/may-24-security-incident-faqs/" target="_blank" rel="noopener">Canva suffered a data breach</a> that impacted 137 million subscribers. The exposed data included email addresses, usernames, names, cities of residence and passwords stored as bcrypt hashes for users not using social logins. The data was provided to HIBP by a source who requested it be attributed to "[email protected]".","LogoPath":"https://haveibeenpwned.com/Content/Images/PwnedLogos/Canva.png","DataClasses":["Email addresses","Geographic locations","Names","Passwords","Usernames"],"IsVerified":true,"IsFabricated":false,"IsSensitive":false,"IsRetired":false,"IsSpamList":false,"IsMalware":false}],"Pastes":null}

 As you can see, the text version contains more details and can be easily copied and pasted into a report. Have I Been Pwned is an amazing tool, but it does not contain all known breaches. Some "white hat" hackers eagerly share the data leaks and breaches which they discover in order to receive acknowledgement from the site. Once HIBP has verified the legitimacy and source of the data, it becomes much more valuable in the black markets. Many researchers have accused this website of encouraging data theft, as it increases the market value of stolen data once the owner has vetted the content. Many criminals who deal with stolen credentials dislike this site and its owner. They do not share their goods and try to keep them off of the radar of the security community. Therefore, we must always utilize every resource possible.

 Dehashed

 This should be used complementary to Have I Been Pwned. Dehashed allows unlimited search for free, but will not disclose passwords without a premium account. While Have I Been Pwned is often considered the gold standard in regard to breached account 
details, we cannot ignore Dehashed. It takes a more aggressive approach and seeks breached databases for their own collection.

 Spycloud

They are extremely aggressive in regard to obtaining fresh database breaches. They possess many data sets which are not present in Have I Been Pwned. However, they do not display details about accounts which you do not own. Our only option is general details through their free API. The following URL submits a query for [email protected].

https://portal.spycloud.com/endpoint/enriched-stats/[email protected]

The results are in JSON format. They basically tell you that the email address queried is present within multiple database breaches, 
but the identity of each is not available. I have placed the interpretation of each values in comments (//) for easy comprehension by the reader.

{
    "you": {
        "records": 3, //The number of times your email has been found in third-party data breaches from the criminal underground. A value > 0 signifies exposure.
        "discovered": 1, //How recently your data was exposed in the criminal underground
        "discovered_unit": "Year" 
    },
    "company": {
        "name": "gmail.com",
        "records": 4131148348, //The number of times email address from this domain has been found in third-party data breaches from the criminal underground
        "discovered": 2, //How recently data from this domain was exposed in the criminal underground
        "discovered_unit": "Days"
    },
    "executives": {
        "count": 4780887 //The number of credential pairs found for top executives associated with your company domain
    }
}

Cybernews

This service only provides a "true" or "false" identifying the presence of the email within a breach. This could verify an email address exists.

Ghost Project

The benefit of this service is that it displays a partial view of passwords associated with email addresses within a breach. The weakness is that it possesses a relatively small data set of 1.4 billion credentials. 

Leakpeek

It displays partial passwords which have been collected from various data breaches. With our previous example, we can see a bit more data, as follows.

Breakdown of results and more info


Canva.com
Email ************[email protected]
Username **hidden**
Hash **hidden**
Name **hidden**

 Note that Leak Peek allows query by email address, username, password, keyword, and domain.

 PSBDMP

PSBDMP takes a different approach from all of the services discussed above. It monitores Pastebin for any posts including email addresses and/or passwords. They used the former Pastebin API to index posts in nearly real time. The service stopped collecting data when Pastebin discontinued their API service. However, the database is still accessible at PSBDMP. There is no search field, so we must formulate URLs which query our target data as shown below

https://psbdmp.ws/api/search/[email protected]

The result is given below

{"search":"[email protected]","count":0,"data":[]}

Avast Hack Check

 Avast offers a free search engine which identifies email addresses which appear within known 
data breaches and leaks. However, it should be avoided. If you enter any email address within this page, the account immediately receives an email from Avast about the search. Furthermore, Avast enrolls the email address into their invasive email newsletter database. Instead consider the "Friends Check" option at the following URL.

https://www.avast.com/hackcheck/friends-check

The above URL queries the same database maintained by Avast, but does not add the email address to their marketing campaigns or notify the account owner. This service will not identify any specific breach, but could be used as another email address verification option. If you receive a positive result, you know the email address has been used in the past and appears within a breach.

 ProtonMail

ProtonMail is the most widely used safe and encrypted email service. 

As a result, it attracts a large number of criminals.

While logged in to a free ProtonMail account, complete the following steps.

  •  Create a new "Contact", add the target email address, then save it.
  •  Access the contact and click the "Email Settings" icon. 
  • Click the "Show advanced PGP settings" link.

The "Public key" creation date should be displayed as a result. This is frequently, but not always, the email account's creation date. If your target generated new security keys for an account, you'll see that date instead.

 If you simply want to verify that a ProtonMail address exists, you can use a specific URL just as shown below.

https://api.protonmail.ch/pks/lookup?op=get&[email protected]

You will be presented with a certificate download of the account exists, otherwise "No key found" will be displayed.

Epeios

This is one of my best tools in email OSINT investigations. It crawls the entire web to retrieve accounts associated with an email address leaving no traces. Simply supply the target email address and it will return online accounts associated.


HOLEHE

Holehe checks if an email is attached to an account on sites like twitter, instagram, imgur and more than 120 others.

To set up this tool for your investigations, navigate to a directory of your choice in your forensic workstation and enter the following commands via the CLI

git clone https://github.com/megadose/holehe.git
cd holehe/
python3 setup.py install

Domain Connections

Every domain name registration comes with an accompanying email account. 

While many people utilize a privacy service to keep their personal information private, this is not always the case. 

Many free services, fortunately, have been collecting domain registration information and enable inquiries of current and historical domain registration data. 

They'll look for domain names that have been registered using the target email address. Some of these services include:

Email Provider

If your target uses one of the well known email providers, the identity of the email provider is quite obvious. However, business addresses and those with custom domain names do not notify you of the service that hosts the email. A domain's email provider is the company listed in the domain's MX record. You may need to know the email provider in order to issue a court order for content or subscriber data. 

Go to MX Toolbox and enter the domain of the email address, such as programmer.net (taken from [email protected]The result should include a hostname and IP address. These identify the email provider for the target domain. In this example, the host is mx00.mail.com. This shows that mail.com is likely the email host. 

A thorough OSINT report should include a brief mention about the domain email provider. This should be checked as the investigation continues. Changing providers could be a sign of paranoia or intent to conceal evidence.