Skip to content

How to conduct OSINT on Linkedin

Linkedin is a valuable source of information not only for recruiters or job-seekers, but also for OSINT researchers or private investigators tasked with gathering information on a particular individual or a company.

The platform has significantly restricted various search options (Sales Navigator, advanced search operators, etc.) in the last year or so due to privacy concerns, but there are still some avenues to explore when conducting an open source intelligence reconnaissance on Linkedin.

One big caveat, as always with OSINT on social networking platforms – you should really avoid using your personal account for the investigations you conduct.

With Linkedin, even a fully locked down and private account can leave a trail in the form of “Search Appearances” update.

This feature will let your target user know the number of times their profile appeared in search results between certain dates, as well as where the searchers work.

Even though this does not reveal a specific identity that conducted the lookup (provided that the searcher’s account is set to private!), it might alert the target user to the fact that his account is being looked at by people working for a certain organisation.

If you are starting broad, with no specific targets in mind but with the objective of conducting an overview recon of an organisation and its employees, the good thing to begin with is some employee validation – conducted off Linkedin.

1. Validate employee emails

My favourite email validation / verification tool is

It has a free version which includes 50 free searches per month, and it’s a very flexible tool that allows searching for:

  • all publicly identifiable emails belonging to a company domain name;
  • a specific email address finder;
  • an email address verifier;
  • bulk task search option. - Email Finder

If you want to cast your net wider, you can try various permutations of a specific email address with the view of verifying them at a later stage.

For this, I recommend using the Metric Sparrow Email Permutator+

2. Search using Google operators

Linkedin profile indexing by Google can be turned off by individual users, but usually this does not stop the most powerful search engine from indexing the information anyway.

The following Google operators will return valuable content without you even logging in to Linkedin:

site: “<person name>”

site: “<company name>”

site: “<job title>”

site: “<keyword of interest>”

3. Investigate the Linkedin profile name

The user’s profile name on Linkedin will always display in the URL. Although this profile name is generated by the platform from the account’s user name and surname fields, it can be customised.

If a user changes the name and surname on the profile, the generic URL profile name will also change.

However, if a user decides to customise the URL profile name and subsequently change their account name and surname, the customised profile name will remain unchanged.

Why is this relevant?

Some users might decide to change their names, hide their surname or lock down their profile.

Without knowing the custom profile name from the URL, it might be harder to locate their accounts on the platform.

The URL profile name should be used as a unique identifier of a target account – the name and surname details should be treated as secondary.

In some cases, users will have a profile on another platform which closely resembles their user name from Linkedin (and vice versa).

To satisfy these possibilities, if need be, you can search manually or you can use Google operators and modify the argument to suit your specific search criteria: “williamhgates” OR “william gates” OR “williamgates”

4. View the Linkedin profile graphic elements

The two main graphic elements of a Linkedin profile are the profile pic and the background photo.

Both can be downloaded and reverse image searched using one of the following image search engines (by no means is this list exhaustive – if you can recommend any other decent ones, please suggest them in the comments below the article):

Google Images –

Yandex Images –

Flickr Image Search –

Shutterstock –

Getty Images –

Tin Eye –

The profile pic can be enlarged by either clicking on it, or by adding a “/detail/photo/” parameter into the URL string. Example:

5. Conduct a detailed manual Linkedin search

As it is usually the case with social networking platforms, searching using the built in search engine vs searching by manipulating the URL can yield varying results.

Here are some examples of search methods relying on modifying the URL values (brackets indicate what the value is and they are not part of the search query):[name]&lastName=[surname]

The above includes the search parameters for name and surname only.

This search can be enriched by including both the name and surname as keywords, thus giving it a broader scope:[name]&keywords=[name]%20[surname]&lastName=[surname]

Both of these search values can be further enriched by adding additional criteria, such as the company name and the job title of the person we are searching for:[name]&lastName=[surname]&company=[company name]&title=[job title]

6. Search Linkedin profile's recent activity

The recent activity of a Linkedin profile is normally visible to the user’s contacts only via the website or the mobile app interface.

However, it can also be seen by anybody by manipulating the URL by adding the “/detail/recent-activity/” part to the profile.

So to illustrate this example:

The Linkedin “activity” can be searched holistically as “All activity” (includes likes and reactions to other users’ posts) or navigated separately.

On Linkedin, the activity associated with the user generated content is divided into:

  • Articles
  • Posts
  • Documents

7. Establish the exact timeline

This might be relevant if you need to know exactly when content X was posted, down to the date, the hour and the minute.

To illustrate this with an example, I have identified a particular post from the Linkedin account of Bill Gates I am interested in.

This post attracted nearly 8.000 responses (at the time of my writing) and also received some abusive, threatening or spam comments.

So let’s say I want to find out when exactly this comment was created.

  1. While on the comment, select the Copy Link to Comment option and then open this comment of interest in a new tab or window.
  2. Press the F12 button and view the page source code using the built-in browser developer tools.
  3. Press CTRL + F to enable the search bar while on the Elements section.
  4. Pick a keyword or a keyword string of interest (I picked “so full of shit“) and search for it in the search bar. The text containing the phrase will appear above it.
  5. Right click on that section of the window, select Copy, the select Copy element. Open a new .txt file and paste the content there.

Now within your text document, go CTRL + F and search for “created”.

It will bring you to the timestamp attached to that comment, which is stored in the following format:


This format is a Unix Epoch timestamp – it shows the number of seconds (or milliseconds, depends on the configuration) between a particular date and 01/01/1970.

This is not human friendly, so use an converter – I recommend the Epoch Converter.

And here it is:


8. Take it away for future reference

Each user’s Linkedin profile has a handy option, aimed at converting the account’s content into a CV-type document.

The “Save to PDF” option will allow you to quickly acquire the contents of a target profile.

It’s a useful feature, especially if a particular account was to be closed – you can retain the data for as long as it’s necessary.

Note that this will not download any personal information or any detailed activity, but it will give you a general profile overview.

Whatever you don’t get in a PDF download, you can complement with screenshots or by bookmarking content of particular interest (but remember, it will be lost if the profile or a particular activity is deleted).

3 thoughts on “How to conduct OSINT on Linkedin”

  1. Sometimes to validate emails I also use TheHarvester (build in Kali Linux) and it gives me better results than Hunter

Leave a Reply

Your email address will not be published. Required fields are marked *