22 Jul 2021

Useful Google Dorks for Open Source Intelligence Investigations

Maltego Team

Search engines, like Google, make finding information online quick and simple, particularly when we are performing broad searches like online shopping, finding a new restaurant, or looking for a job. However, when searching for information about individuals, persons of interest, businesses, or other more specific targets, the number of results returned from Google can be overwhelming. Luckily, Google has incorporated methods of narrowing results into their search engine. These are commonly known as Google dorks (or Google hacking). Today, we are going to go over some of the most common and useful Google dorks for open source intelligence (OSINT) investigations.

How Do Google Dorks Work? 🔗︎

Most of us begin our online searching by merely typing keywords into the search bar, but in doing so, we have already missed an opportunity to optimize our results. Google dorking makes use of commands called Operators that allow users to modify their search results in many ways. For instance, a user searching for information related to private universities in the United States could type Harvard AND Stanford into Google to only return search results that contain both keywords. Note that Google dorks are case-sensitive, so typing Harvard and Stanford would not generate the same results. While this is a very simple Google dorking technique, there are many more that allow users to modify search results in more profound ways.

Many of these techniques are useful on their own. Still, much of their utility is derived from the user’s ability to combine them to return very specific results from Google.

By using these Operators in combination with each other (and the many others that exist), users can target specific information more easily.

Let’s look at two of these Operators quickly to see how they work together to return specific results.

The site: Operator allows us to perform a Google search that will only return results that are hosted on the designated site. For instance, Harvard site: Wikipedia.org will only return search results related to the keyword Harvard from Wikipedia.org.

The – (minus) Operator allows the user to exclude specific results from their search. By combining these two Operators, we can create the search Harvard -site: Wikipedia.org, which will return search results from Google while excluding any results from Wikipedia. As you become more proficient with each Operator, you will also find more ways to combine these Operators to find useful information regarding your investigations.

To utilize the power of combining Google search Operators, though, we need to learn a few more. In this PDF cheat sheet, we list out all the useful Google dorks (search operators). Download the cheat sheet now to start using them!

Who Can Use Google Dorking? 🔗︎

While anyone can benefit from using Google dorks, the focus of this article is to highlight the usefulness of these techniques for those conducting open source intelligence investigations, particularly regarding person of interest investigations. Investigators have been turning to the internet, search engines, and social media for years to find information that might prove helpful, but Google dorking techniques can take your OSINT information gathering to a new level!

Let’s look at a couple of unique examples that might be useful in your next investigation.

Useful Google Dorks for Person Investigations 🔗︎

If you are like most people, you probably have one username that you use for many different accounts across the digital landscape. This username sometimes contains bits of personal information, like a person’s name, year of birth, or favorite sports team, but the real value in terms of an investigation is finding out whether that username has been used elsewhere online. While someone may take precautions to be private or secure with an account that is tied to criminal or mischievous behavior, other of their accounts may not be as well guarded.

Let’s say that you are looking into a person of interest and the only information you have about this individual is a username: BadGuy1. While a search for BadGuy1 might return other places that the username shows up online, by using the Wildcard Operator and searching for BadGuy1*com, we can instead see if any email addresses appear publicly online that use the username as the unique identifier.

While this will not always return significantly different results to searching the username itself, it can be used as a quick way to identify an email address that can later be tied to other accounts.

Google Dork: Finding Email Addresses Related to a Username

2. Uncovering New Contact Information from Online Documents 🔗︎

Perhaps you have a subject’s name, but you have little else to go on to learn more. There is a lot that we can learn about an individual given only their name, but our subject, John J. Doe, has a small digital footprint on typical social networking sites or apps. Instead, let’s see what we can find out about our subject using documents that are hosted online.

In the search bar we can enter “John J. Doe” filetype:pdf OR filetype:xlsx OR filetype:docx which will give us only PDF, Excel, or Microsoft Word documents containing the exact search term John J. Doe.

Google Dork: Uncovering New Contact Information from Online Documents

Here we have combined three different search Operators to improve our results, which can save a lot of time and effort over the course of an investigation. For John J. Doe, most of the documents that were returned used the fictitious name to make examples or protect identities. However, when using a real person’s name, the documents found might include court records, resumes, or other official documents that can give insight into a person’s life, finances, family, or friends.

3. Gaining Information Through Social Media 🔗︎

Even though John J. Doe doesn’t have much of a social media presence, that doesn’t mean that other persons-of-interest won’t. Social media platforms offer a wealth of information related to people, places, businesses, and networks. This information is often publicly available and poorly secured, so it makes for a wonderful place to search for knowledge to benefit an investigation. To search social media platforms, we can use the site: Operator again.

This time, we will search Harvard site:twitter.com to return only results on Twitter. The initial results that we receive are primarily dedicated different Twitter accounts related to Harvard University. However, diving deeper into the search results shows specific tweets, videos, and more.

Google Dork: Gaining Information Through Social Media

Another interesting application is to search multiple social media platforms at the same time using our OR Operator. This can help us find accounts that are linked to the same individual across multiple platforms.

In addition, let’s say that our subject sent a tweet, but we want to see if that exact language appears anywhere else online. We could search “subject tweet content” - site:twitter.com in order to see if that exact phrase is used on another platform or by another account. This can help unmask networks of individuals working together, multiple accounts run by one individual, or accounts across different platforms that may have varying levels of security.

Wrapping Up 🔗︎

Google dorks are useful tools that can significantly improve investigations for cybersecurity and cybercrime investigators. There are many other resources out there that dive deeper into the uses of Google dorks, but we hope that this introduction has piqued your interest! If you want to learn more about dorking techniques for the Bing search engine, check out our blog post here.

Download the Full List of Useful Google Search Operators 🔗︎

Download our Google Dorks cheat sheet now to see the full list of useful Google search Operators. Print it out and share it with your colleagues and teams!

Download the resource

DE +49
Algeria +213
Andorra +376
Angola +244
Anguilla +1264
Antigua & Barbuda +1268
Argentina +54
Armenia +374
Aruba +297
Australia +61
Austria +43
Azerbaijan +994
Bahamas +1242
Bahrain +973
Bangladesh +880
Barbados +1246
Belarus +375
Belgium +32
Belize +501
Benin +229
Bermuda +1441
Bhutan +975
Bolivia +591
Bosnia Herzegovina +387
Botswana +267
Brazil +55
Brunei +673
Bulgaria +359
Burkina Faso +226
Burundi +257
Cambodia +855
Cameroon +237
Canada +1
Cape Verde Islands +238
Cayman Islands +1345
Central African Republic +236
Chile +56
China +86
Colombia +57
Comoros +269
Congo +242
Cook Islands +682
Costa Rica +506
Croatia +385
Cuba +53
Cyprus North +90392
Cyprus South +357
Czech Republic +42
Denmark +45
Djibouti +253
Dominica +1809
Dominican Republic +1809
Ecuador +593
Egypt +20
El Salvador +503
Equatorial Guinea +240
Eritrea +291
Estonia +372
Ethiopia +251
Falkland Islands +500
Faroe Islands +298
Fiji +679
Finland +358
France +33
French Guiana +594
French Polynesia +689
Gabon +241
Gambia +220
Georgia +7880
Germany +49
Ghana +233
Gibraltar +350
Greece +30
Greenland +299
Grenada +1473
Guadeloupe +590
Guam +671
Guatemala +502
Guinea +224
Guinea - Bissau +245
Guyana +592
Haiti +509
Honduras +504
Hong Kong +852
Hungary +36
Iceland +354
India +91
Indonesia +62
Iran +98
Iraq +964
Ireland +353
Israel +972
Italy +39
Jamaica +1876
Japan +81
Jordan +962
Kazakhstan +7
Kenya +254
Kiribati +686
Korea North +850
Korea South +82
Kuwait +965
Kyrgyzstan +996
Laos +856
Latvia +371
Lebanon +961
Lesotho +266
Liberia +231
Libya +218
Liechtenstein +417
Lithuania +370
Luxembourg +352
Macao +853
Macedonia +389
Madagascar +261
Malawi +265
Malaysia +60
Maldives +960
Mali +223
Malta +356
Marshall Islands +692
Martinique +596
Mauritania +222
Mayotte +269
Mexico +52
Micronesia +691
Moldova +373
Monaco +377
Mongolia +976
Montserrat +1664
Morocco +212
Mozambique +258
Myanmar +95
Namibia +264
Nauru +674
Nepal +977
Netherlands +31
New Caledonia +687
New Zealand +64
Nicaragua +505
Niger +227
Nigeria +234
Niue +683
Norfolk Islands +672
Northern Marianas +670
Norway +47
Oman +968
Palau +680
Panama +507
Papua New Guinea +675
Paraguay +595
Peru +51
Philippines +63
Poland +48
Portugal +351
Puerto Rico +1787
Qatar +974
Reunion +262
Romania +40
Russia +7
Rwanda +250
San Marino +378
Sao Tome & Principe +239
Saudi Arabia +966
Senegal +221
Serbia +381
Seychelles +248
Sierra Leone +232
Singapore +65
Slovak Republic +421
Slovenia +386
Solomon Islands +677
Somalia +252
South Africa +27
Spain +34
Sri Lanka +94
St. Helena +290
St. Kitts +1869
St. Lucia +1758
Sudan +249
Suriname +597
Swaziland +268
Sweden +46
Switzerland +41
Syria +963
Taiwan +886
Tajikstan +7
Thailand +66
Togo +228
Tonga +676
Trinidad & Tobago +1868
Tunisia +216
Turkey +90
Turkmenistan +7
Turkmenistan +993
Turks & Caicos Islands +1649
Tuvalu +688
Uganda +256
UK +44
Ukraine +380
United Arab Emirates +971
Uruguay +598
USA +1
Uzbekistan +7
Vanuatu +678
Vatican City +379
Venezuela +58
Vietnam +84
Virgin Islands - British +84
Virgin Islands - US +84
Wallis & Futuna +681
Yemen +969
Yemen +967
Zambia +260
Zimbabwe +263

By clicking on "Access", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.

Follow Maltego on Twitter and LinkedIn for more tips and tricks, and subscribe to our email newsletters to learn more about how we can help with your next investigation!

By clicking on "Subscribe", you agree to the processing of the data you entered and you allow us to contact you for the purpose selected in the form. For further information, see our Data Privacy Policy.