Skip to content

ZeroTrace OSINT

Tutorial, Find a person across platforms

From a name and an email to cross-platform identity confirmation with profile-photo evidence.

A name and an email arrive in front of you. Your job is to confirm whether they belong to the same person, find the person's footprint across the open web, and produce a sourced summary.

This walkthrough is the standard pattern for due-diligence and investigative-reporting people-cases.

What you need

  • The toolkit installed and licensed.
  • A subject you have a lawful reason to investigate. Use a clearly public figure for practice (CEO of a public company, a journalist, a prominent academic).
  • Twenty minutes.

Identity investigation is the area where the law most often constrains what is permissible. See Field Practice → Legal & Ethics before running this against a private individual.

Step 1, Open a profile (1 minute)

Create a new profile named after the subject. Write the question in the notes:

Confirm identity match between <name> and <email>. Map the subject's footprint across major platforms.

Step 2, Map the identifiers (3 minutes)

With the profile open, run the identity tools against what you have and attach each result to the profile. Findings carry the tool, input, output, source, and timestamp with them. Open the right tool with Ctrl+K:

  • Email analyzer on the email (parts, MX, deliverability, free-provider flag).
  • Username sweep on the email's local part, across the platforms it covers.
  • Breach lookup on the email (domain-level k-anonymity check).
  • Phone lookup if you have a number.

Attach each finding to the profile as you go. The rest of this walkthrough verifies and deepens what these surface.

Step 3, Verify the email (3 minutes)

Open the Email Analyzer result. Look at:

  • Domain. Personal vanity domain → strong identity signal. Free-mail provider (Gmail, Outlook) → weaker.
  • MX records exist. The address can receive mail.
  • Catch-all flag. If the domain is catch-all, the existence of name@domain does not confirm the address is real (every local part exists by configuration).
  • Gravatar URL. If a Gravatar is registered, click through, the avatar is a strong cross-platform identity signal.

Pin the Gravatar URL if present; you'll compare it against other profile photos later.

Step 4, Confirm cross-platform handles (4 minutes)

Open the Username Sweep result from Step 2. The sweep ran against the email's local part. Look at:

  • Confirmed hits. Platforms where a profile exists for that handle.
  • Last-active hints. Profiles that have been active recently are more likely to be the same person.
  • Profile photos. The toolkit captured them where the platform exposed them.

For each confirmed hit, ask: does the display name / bio fragment / photo match the subject as you understand them? If yes, pin as confirmed. If unclear, pin as pending.

Step 5, Generate handle variants (3 minutes)

Pivot from the email or use the Username Permutator directly. Input:

  • First name.
  • Last name.
  • Optional birth year (if known).
  • Known handles from step 4.

The permutator generates a list of candidate handles from the inputs. Run the candidates through the Username Sweep to check them against the fifty-plus platforms it covers.

Repeat the per-platform confirmation step for any newly-discovered hits.

Step 6, Compare profile photos (3 minutes)

If you collected two or more profile photos in steps 4 and 5, run each through the Image Metadata tool and compare their perceptual hashes. Two photos with near-identical pHashes are very likely the same image.

Cross-source matches (a photo from one platform and a photo from a personal blog hashing close to each other) are the strongest cross-platform identity confirmations the toolkit can produce without face recognition. The same photo reused across platforms tells you the platforms share an operator.

Pin matched photos as confirmed. Photos whose hashes are far apart are weaker evidence, the same person, different photo.

Step 7, Public-records pivot (3 minutes, optional, manual)

For higher-stakes cases, consult the public-records engines that match the subject's locale, people-search sites, court-records databases, academic-profile directories, and corporate-filing registries. These are external sources you visit directly in your browser; the toolkit does not generate or scrape them.

Capture anything relevant into the profile manually, with the source URL, so it carries the same provenance as the tool-generated findings.

Step 8, Synthesise (2 minutes)

Open the profile's notes. Write:

  • The headline identity confirmation. ("<name> confirmed as the operator of accounts on Twitter, GitHub, Mastodon, and a personal domain at example.com.")
  • The strongest evidence. (Matching profile-photo hash across three platforms, same Gravatar across two platforms, vanity-domain ownership confirmed via WHOIS.)
  • Footprint summary. (Active on platforms X, Y, Z; abandoned platforms A, B; not present on platforms C, D.)
  • Limitations. (Could not confirm presence on TikTok / Instagram due to platform-side restrictions.)

Tag findings appropriately. Severity high or critical for the headline confirmation; info for footprint context.

Step 9, Export (1 minute)

Profile → Export → PDF. The deliverable shows the identity confirmation, the cross-platform footprint, and the sources for each step.

Done.

Variations

Depending on case:

  • Breach lookup for the email (if available beyond the domain-level check).
  • Email permutator against the name plus a vanity domain, generate variant addresses the subject might use.
  • Image Metadata on each profile photo, compare perceptual hashes to spot the same image reused across platforms.

What you learned

The person-finding pattern is map the identifiers, two enrichment passes, one cluster check, one synthesis, with every finding pinned to the profile. Every variation is a deeper enrichment on the same shape.