Four-Service Social OSINT Trail: Sequential Platform Pivoting for Target Activity Reconstruction
Theory
Why This Matters
In 2023, a threat intelligence team investigating a ransomware operator discovered that the actor used the same username across Twitter, GitHub, Discord, and LinkedIn — a catastrophic operational security failure that allowed the team to correlate a pseudonymous threat actor with a real name, employer, and country of residence within 48 hours. The same methodology is routinely deployed by corporate red teams assessing employee attack surface, by journalists investigating activists or officials, and by law enforcement in cyber-crime cases. Following a digital trail across four distinct service types — social network, professional network, code repository, and communication platform — is not merely a CTF exercise; it is one of the most productive real-world OSINT techniques available because the human psychology of credential reuse is so consistent. People choose a username they like and use it everywhere, rarely considering that each service they join adds another node to a graph that can be traversed by anyone with access to a search engine and a few open-source tools.
Core Concept
The four-service trail exploits the structural diversity of the internet's service landscape. A social network (Twitter/X, Instagram, Facebook) exposes social relationships, interests, and content. A professional network (LinkedIn) exposes employment history, colleagues, and professional email formats. A code repository (GitHub, GitLab) exposes technical skills, commit history (with timestamps and timezone inferences), and — critically — email addresses embedded in git commit metadata. A communication platform (Discord, Telegram, Slack) exposes real-time social relationships, informal language patterns, and group affiliations.
Email as universal linking identifier: most platform registrations require a valid email address, and many platforms expose the email or allow enumeration via account recovery flows. An email discovered in GitHub commit metadata (`git log --format="%ae %an" | sort -u`) directly links the code contributor identity to the social profile and professional account if the same email was used across services.
theHarvester is the primary tool for email and subdomain harvesting across multiple data sources (Google, Bing, Shodan, Hunter.io, SecurityTrails, LinkedIn, etc.) in a single command. It is the fastest way to collect a target organisation's email address roster for subsequent correlation.
recon-ng is a modular framework in the style of Metasploit. Each OSINT data source has a dedicated module. Modules produce structured output (domains, contacts, hosts, credentials) that feeds into subsequent modules, enabling automated multi-stage reconnaissance pipelines. The recon/contacts-contacts/migrate-contacts module, for example, pivots discovered email addresses into social profile searches.
SpiderFoot automates link analysis across 200+ data sources and produces a visual correlation graph without manual pivoting. It is particularly useful when the subject has a large footprint and manual correlation would take days.
Maltego is the enterprise-grade visual link-analysis platform. It represents each discovered identity element (username, email, phone, IP, domain) as an entity and draws relationship edges between correlated entities. The visual graph makes multi-service correlation immediately apparent and is the standard deliverable format for OSINT-based intelligence reports.
Operational security (OPSEC) failures that create multi-service linkages include: username reuse, email reuse, profile photo reuse (detectable by reverse image search), writing style consistency (detectable by stylometric analysis), consistent timezone signatures (from post timestamps), and linked bios (a Twitter bio linking to a GitHub profile, for example, creates a direct edge in the correlation graph).
Technical Deep-Dive
```bash
# Step 1: theHarvester — email and username harvesting from multiple sources
theHarvester -d targetcorp.com -b google,bing,linkedin,hunter -l 500 -f results.xml
# -d: target domain
# -b: data sources (comma-separated)
# -l: result limit per source
# -f: output file (XML or JSON)
# Output includes: emails, hosts, IPs, LinkedIn profiles

# Step 2: GitHub email extraction from commit history
# Find all contributors to a target org's public repos:
curl -s "https://api.github.com/orgs/targetorg/members?per_page=100" \
  | python3 -m json.tool | grep '"login"'
# For a specific user, clone all public repos and extract commit emails:
gh repo list target_user --limit 50 --json nameWithOwner -q ".[].nameWithOwner" \
  | while read -r repo; do
      git clone --bare "https://github.com/$repo" "/tmp/repo_$$"
      git -C "/tmp/repo_$$" log --all --format="%ae %an" | sort -u
      rm -rf "/tmp/repo_$$"
    done

# Step 3: recon-ng — structured multi-source OSINT pipeline
recon-ng
# > marketplace install all
# > workspaces create target_name
# > modules load recon/domains-contacts/whois_pocs
# > options set SOURCE targetcorp.com
# > run
# > modules load recon/contacts-contacts/migrate-contacts
# > run
# > show contacts

# Step 4: SpiderFoot — automated correlation graph
# Via web UI (localhost:5001 after starting spiderfoot):
python3 sf.py -l 127.0.0.1:5001
# Create new scan: target = "target_alias OR targetcorp.com"
# Enable modules: Social Media, Code Repositories, Username Lookup, Email Lookup
# Run scan (15-30 minutes for thorough coverage)
# Export: CSV or JSON for import into Maltego

# Step 5: Sherlock — multi-platform alias enumeration
python3 sherlock/sherlock.py target_alias \
  --site Twitter --site GitHub --site LinkedIn --site Discord \
  --timeout 15 --output target_alias_4services.txt

# Step 6: Discord username search
# Public Discord servers indexed by disboard.org and discord.me
# Search: site:discord.com "target_alias"
# Search: site:disboard.org "target_alias"
```
```python
# GitHub API — extract email from commit events (public timeline)
import requests

GITHUB_TOKEN = "ghp_YOUR_TOKEN"  # placeholder: supply your own token
HEADERS = {"Authorization": f"token {GITHUB_TOKEN}"}
USERNAME = "target_github_user"

# Get all public repos
repos = requests.get(
    f"https://api.github.com/users/{USERNAME}/repos?per_page=100",
    headers=HEADERS,
    timeout=30,
).json()

emails = set()
# On an API error the response is a dict, not a list, so guard before iterating
for repo in repos if isinstance(repos, list) else []:
    commits = requests.get(
        f"https://api.github.com/repos/{USERNAME}/{repo['name']}/commits?per_page=100",
        headers=HEADERS,
        timeout=30,
    ).json()
    if isinstance(commits, list):
        for commit in commits:
            # The author object can be null in a response, hence the `or {}`
            author = commit.get("commit", {}).get("author") or {}
            email = author.get("email", "")
            if email and "noreply" not in email:
                emails.add(email)

print("Discovered emails:", emails)
# => {'[email protected]', '[email protected]'}
```
Intelligence Collection Methodology
- Establish the seed identifier — Determine which of the four services has the strongest known presence for the target: a Twitter handle, a GitHub username, a LinkedIn profile URL, or a Discord tag. This becomes the starting node of the trail.
- Run theHarvester against the target domain to collect all publicly indexed email addresses, subdomains, and LinkedIn profiles: `theHarvester -d targetdomain.com -b google,bing,linkedin,hunter -l 500`.
- Enumerate the alias across four services using Sherlock, targeting Twitter, GitHub, LinkedIn, and Discord explicitly. For each confirmed hit, manually review the profile for linked accounts, bio links, and contact information.
- Extract emails from GitHub commit history: clone public repos associated with the target username, run `git log --all --format="%ae %an"`, and extract all non-noreply email addresses. These emails directly link the GitHub identity to the real-world identity.
- Cross-reference LinkedIn with GitHub: compare names, profile photos, and claimed skills. Check whether the LinkedIn employer matches any GitHub organisation membership (`github.com/orgs/`). Use reverse image search if profile photos match.
- Search Discord: use Google dork `site:discord.com "target_alias"` and search public server listing sites (disboard.org, discord.me) for the alias. Note any public server memberships, which reveal interest communities and potential associates.
- Build the correlation graph in Maltego or SpiderFoot: create entity nodes for each confirmed identifier. Draw edges between username → email, email → LinkedIn profile, LinkedIn profile → company, GitHub username → commit email. Visualise the resulting graph and identify the strongest confirmed links.
- Document OPSEC failure patterns: note which specific reuse behaviour created the multi-service linkage (same username, same email, same photo, same bio text). This documents the attack surface finding for the intelligence report.
Common Intelligence Collection Errors
- Stopping at Sherlock without manually verifying each hit: Sherlock produces false positives when a platform returns a 200 status code for all username lookups regardless of whether the account exists. Always click through to the reported URL and confirm the account is real before logging it as a confirmed finding.
- Overlooking git commit email exposure: Many analysts focus on social profiles and miss that GitHub commit metadata contains real email addresses for every committer. This is often the most direct link between a pseudonymous alias and a real identity and should always be checked first for technical targets.
- Treating the correlation graph as complete after four services: The four-service trail is a methodology, not a boundary. Additional services (Mastodon, HackerNews, Stack Overflow, npm, PyPI) may contain the same username. Use SpiderFoot's automated coverage to extend beyond the initial four services once the primary trail is established.
- Ignoring timezone inference from post timestamps: Aggregating post timestamps across multiple platforms often reveals a consistent active-hours window that implies a local timezone. Failing to perform this analysis misses a valuable corroborating indicator for physical location attribution.
- Conflating a professional LinkedIn profile with a personal identity: LinkedIn profiles are curated and may use a professional persona distinct from the subject's personal online identity. The email format discovered via hunter.io may be different from the personal email used for social registrations. Treat professional and personal email namespaces separately during correlation.
- Not using recon-ng's module chaining for automation: Analysts who manually pivot between services spend hours on work that recon-ng can automate in minutes. Not investing the time to configure and run a recon-ng workspace is a significant efficiency failure in any sustained OSINT engagement.
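Added example (not part of the original card): the commit-email exposure and the work/personal namespace split described above, checked from the defending side against your own repository's `git log --all --format="%ae %an"` output. The sample log, the `example-corp.test` domain and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `git log --all --format="%ae %an"` output (not real data).
SAMPLE_LOG = """\
j.doe@example-corp.test Jane Doe
jane.personal@mail.example Jane Doe
12345+jdoe@users.noreply.github.com Jane Doe
sam@example-corp.test Sam Lee
nightowl@mail.example n1ghtowl
"""

# GitHub-issued private commit addresses: [ID+]username@users.noreply.github.com
NOREPLY = re.compile(r"^(\d+\+)?[A-Za-z0-9-]+@users\.noreply\.github\.com$")

def parse_log(text):
    """Yield (email, name) pairs; %ae comes first and contains no spaces."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            email, _, name = line.partition(" ")
            yield email.lower(), name.strip()

def audit(text, corp_domain):
    """Classify each committer address and find names that bridge address types."""
    by_name, kinds = defaultdict(set), {}
    for email, name in parse_log(text):
        kind = (
            "noreply" if NOREPLY.match(email)
            else "corporate" if email.endswith("@" + corp_domain)
            else "personal")
        kinds[email] = kind
        by_name[name].add(email)
    exposed = sorted(e for e, k in kinds.items() if k != "noreply")
    # A name that committed under both corporate and personal addresses links
    # the two namespaces for anyone reading the public history.
    bridged = sorted(
        name for name, emails in by_name.items()
        if {"corporate", "personal"} <= {kinds[e] for e in emails}
    )
    return {"exposed": exposed, "bridged": bridged, "kinds": kinds}

if __name__ == "__main__":
    report = audit(SAMPLE_LOG, "example-corp.test")
    print("Addresses readable in public history:", report["exposed"])
    print("Authors linking work and personal addresses:", report["bridged"])
```

Committers flagged here can set their GitHub noreply address with `git config user.email` and enable GitHub's "Keep my email addresses private" setting. History that is already published keeps the old address.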
NICE Framework Alignment
| Code | Knowledge/Skill/Task Statement | How This Card Develops It |
|---|---|---|
| K0058 | Knowledge of network protocols | Understanding GitHub's REST API structure, Discord's Snowflake ID system, and LinkedIn's crawlable public profile schema as OSINT collection surfaces |
| K0145 | Knowledge of security assessment approaches | Applying the four-service trail as a structured multi-source OSINT assessment methodology using theHarvester, recon-ng, Sherlock, and SpiderFoot |
| K0272 | Knowledge of network security architecture | Recognising how multi-service account registration with shared identifiers creates a traversable identity graph that defeats pseudonymity |
| K0427 | Knowledge of encryption algorithms | Interpreting email headers and git commit signatures to understand how identity is cryptographically bound (or not) to platform accounts |
| S0040 | Skill in identifying and extracting data of interest | Extracting email addresses from git commit logs, correlating usernames across four service types, and building a Maltego entity graph from discovered identifiers |
| T0569 | Apply and utilize authorized cyber capabilities to achieve objectives | Executing the four-service trail pipeline — theHarvester, recon-ng, Sherlock, SpiderFoot, Maltego — to build a complete multi-platform identity correlation within an authorised OSINT mandate |
Further Reading
- Open Source Intelligence Techniques, 10th Edition — Michael Bazzell (IntelTechniques)
- recon-ng Wiki — Tim Tomes, github.com/lanmaster53/recon-ng/wiki (official documentation)
- Maltego User Guide — Maltego Technologies, docs.maltego.com (visual link analysis reference)