Skip to main content

Reuniting with a Childhood Friend Lost for 8 Years Using OSINT

OSINT, or Open Source Intelligence, is a crucial skill in the field of cybersecurity. It is widely used not only in cybersecurity but also in the intelligence community. For cybersecurity professionals, whether involved in red teaming, blue teaming, or threat hunting/intelligence, OSINT plays various roles. For red teams, OSINT helps operators understand a target's attack surface and exposed vulnerable assets without actively interacting with the target (such as vulnerability scanning, directory brute-forcing, social engineering attempts, etc.). For blue teams, threat hunter, and other roles focused on proactive or passive defense, OSINT can assist engineers in identifying attackers' technology stacks, personal information, attacking infrastructure, and the forces behind them.

As a red team operator, I primarily use OSINT during the reconnaissance phase to gather as much information as possible on the target’s attack surface, vulnerable assets, and personnel, all aimed at offensive security purposes. However, today I want to share a case that is not so much about offensive security, but rather a heartwarming example of how OSINT can bring warmth and emotion. I helped a junior schoolmate and friend reconnect with a childhood companion whom she had lost touch with for over eight years, relying primarily on the name she provided.

Finding a specific person on the vast internet with OSINT involves far more than simply searching for specific keywords on Google or other search engines—anyone can do that, and it lacks technical sophistication. OSINT requires us to refine existing information, prioritize it by importance, expand upon it, and sift through and filter massive amounts of data. Some common techniques include advanced search engine queries, various dorking techniques, keyword variations and expansions, using online tools and APIs, social media searches, extracting metadata from files, querying breached data, and investigating the target’s possible connections and social circles.

Motivation and Background

As a cybersecurity professional, I've always aspired to master and apply certain skills that not only shine at work but also prove useful in everyday life. Hacking a website or discovering software vulnerabilities? Sure, it's cool, but not very practical for daily use. The skills that come to mind are things like lock-picking, using tools like the Flipper Zero, and, of course, OSINT. As I mentioned earlier, OSINT is utilized in many fields beyond cybersecurity.

Outside of cybersecurity, some content creators challenge themselves by extracting a wealth of information from what seems to be an ordinary image. They can deduce details such as the geographic location of the landscape in the picture, the identification number of a passing train, or even the book to which a few blurry lines of text belong. There are also accounts that track the whereabouts of celebrities, like this one: (Original post link: https://x.com/fs0c131y/status/1827828970856874115).

image.png

image.png

When it comes to finding specific individuals, while I can't claim a 100% success rate, I can say I've become fairly adept at it. For instance, reconnecting with childhood friends isn’t particularly difficult for me. Just a few days ago, a friend and junior schoolmate of mine reached out, asking if I could help her locate a childhood companion. She mentioned that they had lost contact for at least eight years and that she deeply missed this friend.

However, this junior schoolmate had left China years ago and was now living overseas, and the available information was already limited. After so many years, countless things could have changed. So, was I ultimately able to help her find this long-lost friend?

image.png

Well, the fact that you're reading this article means I did eventually find her. During the search process, I realized this experience was a great case study for several reasons:

  • There was no shortcut that led directly to success.
  • The search presented a moderate level of difficulty.
  • There were twists and turns, but no hopeless dead ends.
  • The techniques involved were diverse.
  • There were multiple potential paths to success.
  • Some soft skills and non-technical methods were crucial in saving time and effort.

Ultimately, this search allowed two girls to reunite, bringing warmth and emotion, and I felt a strong sense of accomplishment knowing that my technical skills could bring happiness and comfort to their lives. Now, let's dive into the technical details of how this was done.

Ruled Out Shortcut

This junior schoolmate of mine provided me with the name and birth year of her childhood friend. Although they played together during their younger years, this doesn’t necessarily mean that her friend (referred to as "the target" throughout the rest of this article) was registered locally. I know of several classmates who moved to different cities shortly after they were born. However, for the sake of convenience, I initially assumed that both my junior schoolmate and the target were registered in the same city. If that yielded no results, I would then consider other possibilities.

With such specific information, the quickest way, if lucky, would be to use a "social engineering library". These libraries support custom queries and contain past breached data, often operated by automated reply bots on Telegram. Depending on the detail of the search query and the number of searches, this may require payment. However, it’s important to note that these social engineering libraries exist outside of government control, part of the black or gray market, and are rife with fraud and scammers. Extra caution is needed.

Aside from outdated data, I’ve found that these social engineering libraries are not particularly effective in the following scenarios:

  • The target was born or started using electronic devices/the internet later in life.
  • The target left China early on or immigrated to another country.
  • The target is highly privacy-conscious or avoids using various apps.
  • The target is older and doesn’t frequently use electronic devices.
  • The target has changed their name, ID, or household registration.

Regardless, I proceeded to search within the smallest possible range using the information I had, and a few results with matching names appeared. Unfortunately, none of the other details lined up. So, this shortcut was ruled out. However, it wasn’t a complete dead end. I learned that people with the same name as the target were not very common. Therefore, if I could match the birth year, there was a good chance it would be the target.

image.png

Apart from social engineering databases, there are also black-market channels that provide internal information. Some government and law enforcement personnel may sell information for financial gain. Of course, being part of the black market, this space is also fraught with risks, including high costs and potential fraud. But even assuming the internal information is genuine, different types of queries require different prerequisite information. For example, if you want to look up the target's phone number (and from there potentially get their WeChat ID, Alipay account, QQ number, etc.), you would need their ID number. Obtaining an ID number, however, isn’t easy.

The following screenshot is from a Telegram channel, and while I haven’t annotated the English translation in the image, it serves as an example of the types of services offered by the admin. They can provide household registration details, phone number lookups, facial recognition, ID card images, marriage information, hotel booking records, and more.

image.png

The Power of Google Dorking and Keyword Pivoting

Since there were no shortcuts, we proceeded with a methodical search and analysis. In this case, Google Dorking proved extremely useful. Instead of simply searching for the target’s name, I included the city where she used to live and made sure the city name had to appear on the web pages.

intext:"<Assumed Registered City>"  <Her Name>

After filtering through the results, I found two potentially relevant records:

city search2.jpg

city search1.jpg

The first record seemed to be an article written by the target during primary school, which had been collected on a website. The second record appeared to be a document from the university where the target might be studying, listing the seating arrangements for an English contest. It included the participants' names, student IDs (though this was yet to be confirmed at this point), and seat numbers.

First, I checked the article. It mentioned the target's name, her primary school, the year of her graduation, and her class. After calculating, the target would indeed have graduated from primary school in that year, so the timing matched. Given that the name isn’t common, this article was likely written by the target during her primary school years.

composition.jpg

Next, I attempted to access the second record, but the webpage wouldn’t load. The preview content of the search results was likely cached, but fortunately, I at least had a clue about the university where the target might be studying. Since the second record wasn’t an official school release, it was likely a repost, which meant the university's official website probably had the original announcement.

So, I adjusted my Dorking query, using the potential university as a new keyword. The search query was as follows:

intext:"<The School she might attend>"  <Her Name>

Sure enough, I found the official announcement about the English contest on the university’s website. 

school search.jpg

In the announcement, there was an XLS document containing exam room distribution information, which included relevant details about the participants, as well as the suspected target’s full name and student ID.

candidate list info.jpg

Although I was fairly confident this was the target, I wanted more evidence. So, I adjusted my search query as follows:

inurl:"<xxx.edu.cn>"   <Her Name>

I came across a record, as shown in the image, from the university’s cybersecurity department, announcing the admission of students into an experimental class, and it included the target’s name. At this point, I was both shocked and excited because, as a cybersecurity professional myself, I hadn't expected the person I was searching for might actually be a fellow member of the industry, possibly one of the next generation of professionals.

admission accouncement.jpg

After clicking on the link, I confirmed the batch of students, including the target, along with their enrollment year. By doing some simple calculations based on the target’s birth year and primary school graduation year, I verified that the university enrollment year matched. Considering how uncommon the target’s name was, I was now almost certain that this was the person we were looking for.

At this point, we had gathered the following information:

  • The target attended and graduated from a local primary school.
  • The target is currently studying cybersecurity at a local university, enrolled in an experimental class.
  • The target participated in an English contest at the university.

We now had the target’s student ID and the university she attended, and university websites typically have a student login portal. I wondered if I could uncover more information through this portal, perhaps by analyzing the responses or error messages. As shown in the image, since I didn’t know the target’s password, I considered whether the "password reset" function might reveal further details, such as the target’s phone number, during the process.

reset password method.jpg

From the response, I did indeed retrieve the target's phone number, but only 6 digits were visible—3 at the beginning and 3 at the end—leaving 5 unknown digits in the middle, resulting in up to 99,999 possible combinations.

phone number hint.jpg

I decided to take a chance and see if I could find any internal documentation on the university’s site that might contain default passwords for student accounts:

intext:"<Default|Initial Password>" inurl:"xxx.edu.cn"

Sure enough, I found a record stating that the initial password for all student accounts was “123456.” However, given that the target was a cybersecurity student, I figured she would have changed this password early on, and indeed, she had.

initial password.jpg

This meant there was no shortcut to obtaining the full phone number, as I still had 5 missing digits, leaving up to 99,999 possible combinations. However, phone numbers follow certain patterns rather than being random. By filtering based on the target's region, I managed to narrow it down to 2,400 possible numbers. While still not ideal for manual testing, this was much more feasible.

phone number candidate list.jpg

I created a new Google account and added the 2,400 possible phone numbers as contacts. Then, I imported them into Google Contacts and synced them to my phone. Many apps, whether in China or other regions, support adding friends from the contact list. Depending on the app, we might be able to gather additional personal information linked to those numbers, such as the real name, profile picture, bio, or even birthday.

For example, on WeChat, you can view the avatar, nickname, and bio of the account linked to a phone number. Alipay, on the other hand, can display the real gender and part of the person's name associated with the account. By cross-referencing this information with the details we already knew, I could potentially identify the target's correct number and profile.

wechat hint.jpg

alipay name hint.jpg

However, even with this approach, there was still a considerable amount of manual work involved. Unfortunately, after checking the real names linked to some of the numbers on Alipay, the platform realized what I was doing and restricted my access to that feature.

However, this wasn’t a major setback. The underlying process of linking phone numbers with accounts on apps like WeChat and Alipay is managed through APIs. We don’t necessarily need to use the apps themselves. Instead, we can directly leverage APIs that perform two-factor verification, such as checking a phone number against a name. By searching on Google, I found some providers that offer such APIs, which can automate and expedite the process of verifying the correct number and identifying the target more efficiently.

number name 2fa.jpg

Unfortunately, while this approach was theoretically feasible, using those APIs often requires strict identity verification, and having lived abroad for many years, I no longer had a valid Chinese phone number to link. Moreover, these APIs don’t directly interface with Chinese citizen databases; instead, they rely on data collected by various companies, meaning the data pool can vary significantly in size and accuracy.

Of course, with some patience, the information we had at this point would have been sufficient to locate the target eventually. But I did take a little "shortcut" here—don’t be upset! I’ll explain alternative methods in the next section. My goal in helping my junior schoolmate wasn’t to prove anything, but simply to reunite them as soon as possible.

Since the target was a cybersecurity student at a fairly well-known university, I realized that students in this field are often quite active in the cybersecurity community. They may participate in CTF competitions, engage in bug bounty programs, or run personal blogs. Additionally, I’m a content creator with a decent following, so I decided to ask around in the community I manage if anyone was attending the same university as the target.

Sure enough, I found someone! After some communication and explanation, and with the target’s consent, I was able to get her contact details. I passed the information along to my junior schoolmate, and the two of them were happily reunited.

image.png

image.png

image.png

Alternative Paths

At this point, some readers might feel that the conclusion is somewhat anticlimactic, as the final step didn’t rely solely on OSINT techniques. However, during my review of the process, I discovered other potential avenues, which I'll now share.

In the English contest announcement, I noticed a QQ group used for enrollment, as well as the contact information of the responsible staff.

This opened up new possibilities for gathering further information. For example, by joining the QQ group or reaching out to the teacher, I could have explored the participants' details or even contacted the target directly. These additional pathways also demonstrate how OSINT techniques can involve leveraging social and professional networks, not just technical methods.

contest contact info.jpg

contest info qq group.jpg

Additionally, by using the following dorking, I was able to find the admissions guide for the experimental class at the target’s university:

inurl:"xx.edu.cn"  <***Experimental Class>

experimental class search.jpg

Upon further investigation, I found a QQ group listed for inquiries:

experimental class announcement.jpg

experimental class qq group.jpg

Later, after confirming with the target, she mentioned that she was indeed part of these two QQ groups. This means that even without the help of personal connections, I could have joined these groups and filtered through the members to locate the target’s contact information.

This demonstrates another potential path that could have been taken, using group memberships and social platforms as part of an OSINT investigation to reconnect with the target. It’s a reminder that sometimes, even simple social methods can be as effective as technical approaches in achieving the desired outcome.

Summary

In conclusion, without relying on shortcuts like leaked data, I was able to locate my junior schoolmate’s childhood friend, whom she had lost contact with for over 8 years, using just two pieces of information: the target’s name and birth year. Throughout my conversations with my junior schoolmate, I could sense how much she missed this friend and cherished their childhood friendship. After they were finally reunited, she kept telling me how surreal it all felt, which made me laugh.

The target, on the other hand, somewhat sheepishly remarked that she hadn't done a good job protecting her online footprint. But in reality, she hadn’t made any significant OPSEC or privacy mistakes. Publishing an essay during elementary school is completely normal and reasonable. In fact, it was more her university that inadvertently revealed quite a bit about her recent activities.

Using OSINT techniques to find lost friends isn’t new to me, and I’ve had other experiences that were more complex and challenging but still ultimately successful. However, this case left the deepest impression on me, because it made me realize that cybersecurity skills, often seen as technical and impersonal, can also bring warmth and human connection.