How to Investigate Someone Online: A Beginner's Guide to Legal Online Investigation

You've found yourself in a situation where you need to know more about someone. Maybe it's a potential business partner you can't quite verify. A new neighbour who seems off. Someone from an online dating app. A contractor who has disappeared with a deposit. Or maybe you've just fallen down the rabbit hole of a true crime podcast and you're curious how investigators actually find people online.

Whatever brought you here — the good news is that legitimate online investigation is accessible to anyone. The techniques used by professional investigators, OSINT analysts, and journalists for gathering publicly available information are not secret. They're just not widely taught.

This guide explains what online investigation actually is, what's legal, what works, and how to do it properly.

What Online Investigation Actually Is

Online investigation — or OSINT (Open Source Intelligence) as it's known in professional contexts — is the practice of gathering information from publicly available sources. That means websites, social media profiles, public records, domain registration data, business filings, news archives, and other information that is publicly accessible without any breach of security or privacy law.

It sounds simple, but the gap between a casual Google search and a systematic online investigation is enormous. The difference lies in methodology, the range of sources consulted, the techniques used to connect information, and — critically — how findings are documented.

The Legal Boundaries: What You Can and Cannot Do

Before you start, it's worth being clear about what is and isn't legal. The short version: looking at publicly available information is legal. Accessing private information — even if you find a way to do it — is not.

What is legal

• Public records. Searching business registries, court records databases, property records, electoral roll (where publicly accessible), and government databases is entirely legal. This information is published specifically to be accessible.
• Public social media profiles. Viewing, screenshotting, and analysing content that someone has posted publicly is legal. If a profile is set to public, the content is intended to be seen.
• Domain and website lookups. WHOIS data (domain registration records), business websites, and cached web content are public information.
• Search engines and archives. Using Google, Bing, or archive.org to find publicly indexed content is completely legal.
• Reverse image search. Searching for where an image appears online is legal and freely available via Google Images, TinEye, and similar tools.

What is not legal

• Hacking or unauthorised access. Accessing any account, system, or database without authorisation — regardless of how easy it is — is a criminal offence in most jurisdictions.
• Impersonation. Creating a fake identity to trick someone into revealing information is both unethical and potentially criminal.
• Accessing private accounts. If a social media profile is set to private, you cannot access it without the person's consent. "Finding a way in" — through a fake account, social engineering, or technical means — is not legal.
• Stalking or harassment. Using information gathered online to stalk, harass, or intimidate someone can convert otherwise legal research into criminal conduct.

The Techniques Real Investigators Use

Professional investigators don't just Google someone's name. They use a systematic approach that expands outward from what is known, connecting information across multiple sources.

Google dorking

Google's advanced search operators allow you to search with surgical precision. The most useful for investigation: site: (search within a specific website), inurl: (find URLs containing a specific string), "exact phrase" (find pages containing an exact phrase), filetype: (find specific file types), and -term (exclude results containing a term). Combining these operators dramatically improves search results compared to a plain name search.

Example: searching "John Smith" site:linkedin.com "Sydney" will find LinkedIn profiles for people named John Smith based in Sydney — far more targeted than a general search.

Reverse image search

If you have a photo of someone, reverse image search can find other places that photo appears online — including other social media profiles, news articles, or websites that may reveal additional identity information. Google Images, TinEye, and Yandex Images each return different results; professionals use all three. Yandex in particular often returns face-match results that Google does not.

Username lookups

People often use the same username across multiple platforms. If you know someone's username on one platform, tools like Sherlock (a command-line tool) or WhatsMyName can search for that username across hundreds of platforms simultaneously. This can surface accounts on platforms you wouldn't have thought to search.

Social media profiling

Beyond simply viewing a profile, systematic social media analysis involves: examining tagged photos (which may show associates, locations, and activities), analysing mutual connections, reviewing public comments and interactions, checking what groups a person belongs to, and looking at the time patterns of posting activity. Posts, comments, and reactions on other people's public content are often overlooked but can be highly revealing.

WHOIS and domain lookups

If you're investigating a business or someone who operates a website, WHOIS data may reveal the domain registrant's name, email, and address. Even when registration is privacy-protected, historical WHOIS records (available through services like DomainTools) can reveal information from before privacy protection was added. Looking up who registered a domain can connect an anonymous online presence to a real identity.

Archive.org and cached pages

The Wayback Machine at archive.org stores historical snapshots of websites, often going back years. If a website has been altered or taken down — a common tactic by fraudsters and people trying to cover their tracks — historical archives may preserve the original content. Similarly, Google's cached version of pages can show what a site looked like before a recent change.

How to Document What You Find Properly

This is where most amateur investigations fall apart. Finding information is only half the work — documenting it correctly is what makes it useful, especially if you ever need to share it with a lawyer, employer, insurer, or law enforcement.

A screenshot alone is almost never sufficient. Here's why: a screenshot file has no embedded proof of when it was taken, where it came from, or that it hasn't been altered. Anyone can take a screenshot of a modified page, or change the date on a file. Without additional verification, a screenshot is easy to challenge.

What investigators capture instead:

• The full URL of the page (not just a screenshot of content)
• A verified timestamp showing when the capture was made
• A cryptographic hash (SHA-256) of the captured file, generated at the moment of capture — this is mathematical proof the file hasn't been altered
• Browser and device information, recorded automatically
• A chain of custody log showing who captured what and when

For casual research with no legal implications, a well-organised folder of screenshots with descriptive filenames and a log of when and where you found things is a reasonable starting point. But for anything that might end up in front of a lawyer, a court, or a formal process — you need to capture evidence to a higher standard from the very beginning.

The Difference Between Casual Searching and Building a Defensible Evidence Record

Casual searching answers a question. A defensible evidence record proves an answer.

When you're just curious — checking out someone's LinkedIn, looking at a business's website — the quality of your documentation doesn't matter much. But when you need your findings to support a formal process, the documentation is as important as the findings themselves.

Courts, lawyers, employers, insurers, and law enforcement all need to be able to answer: how do we know this is real? How do we know it wasn't altered? How do we know it was found when and where claimed? A defensible evidence record provides technical answers to these questions — through timestamps, hashes, source URLs, and chain of custody logs.

The cost of poor documentation is not just that your evidence might be challenged — it's that even genuine, accurate evidence may be unusable if it wasn't captured correctly. Evidence that could have supported your case becomes worthless if you can't authenticate it.

Capture Evidence Correctly from the Start

You don't need to be a tech expert to capture web evidence properly. WebInvestigator is a Chrome extension that automates all of this: it records the URL, timestamp, SHA-256 hash, and device metadata with every capture, organises evidence by case, and maintains a chain of custody log automatically.

Whether you're a professional investigator running formal cases, or someone who needs to document what they found for a practical reason, it makes the difference between evidence that can survive scrutiny and a screenshot that can't. It installs in under a minute and works in your existing browser, on any website.