26 Sep 2023

Useful Google Dorks for Open Source Intelligence Investigations

Maltego Team

Search engines, like Google, make finding information online quick and simple, particularly when we are performing broad searches like online shopping, finding a new restaurant, or looking for a job. However, when searching for information about individuals, persons of interest, businesses, or other more specific targets, the number of results returned from Google can be overwhelming.

Luckily, Google has incorporated methods of narrowing results into their search engine that can support you in your day-to-day analyst work. These are commonly known as Google dorks (or Google hacking). Today, we are going to go over some of the most common and useful Google dorks for open-source investigations.

How Do Google Dorks Work?

Most of us begin our online searching by merely typing keywords into the search bar, but in doing so, we have already missed an opportunity to optimize our results. Google dorking makes use of commands called operators that allow users to modify their search results in many ways.

For instance, a user searching for information related to private universities in the United States could type Harvard AND Stanford into Google to return only search results that contain both keywords. Note that Google's Boolean operators are case-sensitive and must be capitalized, so typing Harvard and Stanford would not generate the same results. While this is a very simple Google dorking technique, there are many more that allow users to modify search results in more profound ways.

Many of these techniques are useful on their own. Still, much of their utility is derived from the user’s ability to combine them to return very specific results from Google.

By using these operators in combination with each other (and the many others that exist), users can target specific information more easily.

Examples of Google Dorks

Let’s look at a couple of basic operators quickly to see how they work together to return specific results:

The site: operator allows us to perform a Google search that will only return results that are hosted on the designated site. For instance, Harvard site:Wikipedia.org will only return search results related to the keyword Harvard from Wikipedia.org.

The - (minus) operator allows the user to exclude specific results from their search. By combining these two operators we can create the search Harvard -site:Wikipedia.org, which will return search results from Google while excluding any results from Wikipedia. As you become more proficient with each operator, you will also find more ways to combine them to find useful information regarding your investigations.

By employing the Boolean operators AND and OR, you can combine keywords to refine your search results. Suppose you are conducting research on universities and want to find information about both Harvard and Yale on educational websites. In this scenario, using Yale University AND Harvard University site:.edu narrows your search to pages where both universities are mentioned.

In this PDF cheat sheet, we list out the most useful Google dorks along with specific use cases for your day-to-day investigative work. Download the cheat sheet now and start using them!

How Can You Use Google Dorking in Your Investigations?

While anyone can benefit from using Google dorks, the focus of this article is to highlight the usefulness of these techniques for those conducting open source investigations, particularly regarding person of interest investigations.

Investigators have been turning to the internet, search engines, and social media for years to find information that might prove helpful, but Google dorking techniques can take your OSINT information gathering to a new level.

Let’s look at a couple of unique examples that might be useful in your next investigation.

If you are like most people, you probably have one username that you use for many different accounts across the digital landscape. This username sometimes contains bits of personal information that you can take note of, such as:

  • Person’s name
  • Year of birth
  • Location or whereabouts
  • Favorite sports team
  • Job or profession
  • Significant dates

The real value in terms of an investigation is finding out whether that username has been used elsewhere online. While someone may take precautions to maintain privacy or security with an account that is tied to criminal or mischievous behavior, their other accounts may not be as well guarded.

Let’s assume that you are looking into a person of interest, and the only information you have about this individual is a username: BadGuy1.

While a search for BadGuy1 might return other instances where the username shows up online, by using the Wildcard operator and searching for BadGuy1*com, we can instead see if any email addresses are publicly available online that use this username as the unique identifier.

While this will not always return significantly different results to searching the username itself, it can serve as a quick method for identifying an email address that can later be tied to other accounts.

Google Dork: Finding Email Addresses Related to a Username

2. Uncover Documents Relevant to Your Target

Perhaps you have a subject’s name, but you have little else to go on to learn more. There is a lot that we can learn about an individual given only their name, but our subject, John J. Doe, has a small digital footprint on typical social networking sites or apps. Instead, let’s see what we can find out about our subject using documents hosted online.

In the search bar, we can enter "John J. Doe" filetype:pdf OR filetype:xlsx OR filetype:docx, which will give us only PDF, Excel, or Microsoft Word documents containing the exact search term John J. Doe.

Google Dork: Uncovering New Contact Information from Online Documents

Here we have combined three different search operators to improve our results, which can save a lot of time and effort over the course of an investigation.
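Queries copied out of reports or chat tools often stop working because the operators were altered on the way. The following check is an added example, not Maltego's code: normalize_dork is a hypothetical helper that covers only the operators discussed in this article and assumes typographic quotes and dashes should be converted to plain ASCII.

```python
import re

OPERATORS = "site|filetype"   # only the operators this article covers
TYPOGRAPHIC = str.maketrans({"“": '"', "”": '"', "–": "-", "—": "-"})

def normalize_dork(query):
    """Return (clean_query, notes) for a dork pasted from a report or chat.

    Hypothetical helper: mechanical damage is repaired, anything that could
    change the meaning of the search is only reported.
    """
    notes = []
    fixed = query.translate(TYPOGRAPHIC)
    if fixed != query:
        notes.append("replaced typographic quotes/dashes with ASCII")
    if fixed.count('"') % 2:
        notes.append("unbalanced quote: exact phrase is never closed")
    # Quoted phrases are literal text, so only the parts between them are checked.
    parts = re.split(r'("[^"]*")', fixed)
    for i, part in enumerate(parts):
        if part.startswith('"'):
            continue
        # "site: example.org" -> "site:example.org", "- site:" -> "-site:"
        tight = re.sub(r"\b(%s):\s+" % OPERATORS, r"\1:", part)
        tight = re.sub(r"(^|\s)-\s+(?=(?:%s):)" % OPERATORS, r"\1-", tight)
        if tight != part:
            notes.append("removed space inside an operator")
        for word in tight.split():
            if word in ("and", "or"):
                # Could be a plain keyword, so report it instead of rewriting.
                notes.append("lowercase %r is a keyword, not the operator %s"
                             % (word, word.upper()))
        parts[i] = tight
    return "".join(parts), notes

if __name__ == "__main__":
    # Constructed input: the article's exclusion query after a word processor
    # has altered it.
    print(normalize_dork("Harvard – site: Wikipedia.org"))
```

Recording the normalized string alongside the notes keeps the exact query that was run reproducible in the case file.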

For John J. Doe, most of the documents that were returned used a fictitious name to make examples or protect identities. However, when using a real person’s name, the documents found might include court records, resumes, or other official documents that can give insight into a person’s life, finances, family, or friends.

3. Gain Information Through Social Media

Even though John J. Doe doesn’t have much of a social media presence, that doesn’t mean that other persons of interest won’t. Social media platforms offer a wealth of information related to people, places, businesses, and networks. This information is often publicly available and poorly secured, making it a go-to place to search for knowledge to benefit an investigation.

To search social media platforms, we can use the site: operator again. This time, we will search Harvard site:twitter.com to return only results on Twitter. The initial results that we receive are primarily dedicated to different Twitter accounts related to Harvard University. However, diving deeper into the search results shows specific tweets, videos, and more.

Google Dork: Gaining Information Through Social Media

Another interesting application is to search multiple social media platforms at the same time using Boolean operators. In our example, we use the OR operator to find accounts that are linked to the same individual across multiple platforms.

In addition, let’s say that our subject sent a tweet, but we want to see if that exact language appears anywhere else online. We could search "subject tweet content" -site:twitter.com in order to see if that exact phrase is used on another platform or by another account. This can help unmask networks of individuals working together, multiple accounts run by one individual, or accounts across different platforms that may have varying levels of security.

What Other Techniques Can Help You Gather OSINT Data?

Google dorks are useful tools that can significantly improve investigations for cybersecurity and cybercrime investigators. There are many other resources out there that dive deeper into the uses of Google dorks, but we hope that this introduction has piqued your interest!

If you want to learn more about dorking techniques for the Bing search engine, check out our blog post here.

Follow Maltego on Twitter, LinkedIn, and Mastodon for more tips and tricks, and subscribe to our email newsletters to learn more about how we can help with your next investigation!

Download the Full List of Useful Google Search Operators

Download our Google Dorks cheat sheet now to see the full list of useful Google search operators. Print it out and share it with your colleagues and teams!
