This OSINT (Open Source Intelligence) toolkit is specifically designed for worker advocacy, labor organizing, and corporate accountability investigations. It turns surveillance and investigation tools - typically used against workers - into tools that empower workers' rights.
- Why This Matters
- OPSEC - Operational Security
- Legal & Ethical Boundaries
- Tool Overview
- Investigation Workflows
- Use Cases
- Evidence Preservation
- Corporations use OSINT to investigate workers, unions, and organizers
- Insurance companies use it to deny claims and surveil claimants
- Law enforcement uses it to monitor activists and labor movements
- Workers lack access to these same investigative capabilities
This toolkit provides workers with:
- Corporate transparency: Investigate company structures, ownership, finances
- Safety documentation: Track OH&S violations and workplace incidents
- Wage theft evidence: Find enterprise agreements, award rates, payment records
- Organizing intelligence: Research company anti-union activities and history
- Legal support: Gather evidence for Fair Work claims and legal cases
Every OSINT investigation creates traces:
- IP addresses logged on websites
- Search queries tracked by Google
- DNS requests visible to ISPs
- Certificate lookups recorded in logs
- Use VPN - Routes traffic through another server, masks your IP
  - Recommended: ProtonVPN, Mullvad, IVPN
  - Free options: ProtonVPN free tier, Windscribe
- Dedicated Browser - Separate from personal browsing
  - Firefox with privacy addons
  - Brave browser
  - Tor Browser for sensitive investigations
- Clear Data - After each investigation
  - Clear cookies, cache, history
  - Close all tabs
  - Restart browser
- Document Everything - For legal protection
  - What you searched
  - When you searched it
  - What you found
  - Why it was relevant
- Tor Browser - Anonymous routing (slower but more private)
- Dedicated Device - Separate laptop/phone for OSINT work
- Tails OS - Operating system designed for anonymity
- Burner Accounts - Temporary emails/accounts for registration
- Time Zone Awareness - Search during target's business hours to blend in
❌ Use your personal device without VPN
❌ Log into personal accounts during investigations
❌ Access company systems without authorization
❌ Save sensitive data to cloud services
❌ Discuss investigations on monitored platforms
Public Records ✓
- Business registries (ABN, CRO)
- Domain registration (WHOIS)
- Certificate transparency logs
- Court records and judgments
- Fair Work Commission decisions
- Company annual reports
Public Websites ✓
- Company websites and social media
- Search engines (Google, Bing)
- Archive.org (Wayback Machine)
- Public GitHub repositories
- News articles and media
Passive Intelligence ✓
- DNS lookups
- Certificate searches
- Subdomain enumeration
- Social media profiles (public)
Computer Crimes ✗
- Unauthorized system access
- Using stolen credentials
- Exploiting vulnerabilities
- DDoS attacks or system disruption
Harassment & Impersonation ✗
- Stalking individuals
- Impersonating others
- Social engineering with false pretenses
- Threats or intimidation
Data Crimes ✗
- Using stolen databases
- Paying for hacked credentials
- Accessing confidential files
- Breaching non-public systems
Web Scraping
- Check robots.txt and Terms of Service
- Respect rate limits
- Some sites prohibit automated access
- Risk: Account bans, legal threats
Leaked Databases
- If you find leaked data: Legal to analyze what you find publicly
- If you pay for leaks: Potentially illegal
- If you hack to obtain: Definitely illegal
Social Engineering
- Calling company claiming to be someone else: Illegal
- Asking questions as yourself: Legal
- Context and honesty matter
Purpose: Verify Australian business legitimacy, get ACN, GST status
When to use:
- Verifying company exists
- Finding official business name
- Checking GST registration
- Getting ABN for legal documents
Example:
ABN: 16009661901 (Qantas)
Returns: Business name, ACN, status, entity type, location
Purpose: Irish company registry search
When to use:
- Investigating Irish companies
- Finding directors and shareholders
- Checking company status
Purpose: Domain registration details
Returns: Registrant, registrar, nameservers, dates
Use for:
- Identifying domain ownership
- Finding registration dates (company age)
- Checking privacy protection
- Finding abuse contacts
Purpose: Map company's internet infrastructure
Returns: IP addresses, mail servers, nameservers, SPF/DMARC records
Use for:
- Understanding email infrastructure
- Finding cloud providers (AWS, Azure, etc.)
- Discovering third-party services
- Mapping attack surface
Purpose: Discover ALL subdomains via SSL certificates
Returns: 140+ subdomains for large companies
Use for:
- Finding hidden portals and services
- Discovering development environments
- Locating API endpoints
- Internal tool discovery
Example findings for Qantas:
- aimintranet.qantas.com.au - Internal intranet
- confluence.qantas.com.au - Internal wiki
- api-stg.qantas.com.au - Staging API
- hr.qantas.com.au - HR systems
Purpose: Active enumeration of subdomains
Combines: Certificate transparency + DNS checks
Use for: Complete infrastructure mapping
Purpose: View historical website snapshots
Returns: Archived pages from 1996-present
Use for:
- Finding deleted policies
- Tracking company changes
- Recovering removed content
- Proving policy violations
Example: View Qantas website from 1997
Purpose: Find company social media presence
Platforms: LinkedIn, Twitter, Facebook, Instagram, YouTube
Use for:
- Official accounts
- Employee networks
- Customer complaints
- Corporate messaging
Purpose: Advanced targeted searches
Use for:
- Finding leaked documents
- Discovering PDFs with employee info
- Locating enterprise agreements
- Fair Work decisions
Worker-Focused Dork Examples:
site:company.com filetype:pdf (employee OR union OR agreement)
site:fairwork.gov.au "company name"
"company name" "underpayment" OR "wage theft"
site:company.com "OH&S" OR "safety" filetype:pdf
Purpose: Find contact emails
Returns: Common patterns, search strategies
Use for:
- Contacting HR
- Finding union reps
- Whistleblower contacts
- OHS officers
Purpose: Check if company emails appear in data breaches
Use for:
- Assessing security practices
- Finding compromised accounts
- Evidence of poor data protection
Purpose: Analyze hosting infrastructure
Returns: ISP, location, hosting provider
Use for:
- Understanding hosting setup
- Geographic location
- Cloud vs on-premise
Goal: Verify company is legitimate
Tools:
- ABN/CRO Lookup → Basic company info
- WHOIS → Domain ownership
- Social Media Search → Official presence
Output: Company legitimacy confirmed, basic details
Goal: Comprehensive company profile
Tools:
- Business Registry → Legitimacy
- WHOIS + DNS → Infrastructure
- Certificate Transparency → Subdomains
- Google Dorking → Documents
- Social Media → Online presence
- Wayback Machine → History
Output: Complete company profile, infrastructure map, document collection
Goal: Labor dispute preparation, legal case building
Tools: All tools + manual research
Process:
- Week 1: Infrastructure mapping, document collection
- Week 2: Historical analysis, timeline building
- Week 3: Evidence preservation, report compilation
Tools: Google Dorking, ABN Lookup, Wayback Machine
Process:
- Find enterprise agreements via Google dorks
- Get company ABN for legal documents
- Search Fair Work decisions
- Check historical pay rates via Wayback
- Document discrepancies
Tools: Google Dorking, Wayback Machine, Social Media
Process:
- Search for safety reports: site:company.com "OH&S" filetype:pdf
- Find incident reports
- Check Wayback for deleted safety pages
- Monitor social media for complaints
- Cross-reference with Fair Work cases
Tools: Certificate Transparency, Email Harvest, Social Media, Google Dorking
Process:
- Map company structure (subdomains)
- Find employee emails
- Research anti-union history
- Identify sympathetic employees
- Locate HR contacts
Tools: ABN Lookup, Google Dorking, DNS, Financial records
Process:
- Verify company structure (ABN)
- Find existing agreements
- Research company finances
- Map parent company relationships
- Identify negotiation contacts
- Websites change or disappear
- Documents get deleted
- Social media posts removed
- Companies scrub embarrassing content
- Full page screenshots (not just visible area)
- Include URL and timestamp
- Save as PNG (lossless)
- Name files systematically: companyname-pagetype-YYYYMMDD.png
- Save to Archive.org: https://web.archive.org/save
- Use archive.today for backup: https://archive.today
- Download full web pages (File → Save Page As → Complete)
- Download PDFs immediately
- Save to multiple locations (local + cloud)
- Note source URL in filename
- Create MD5 hash for legal authenticity
Always document:
- Date/time of collection
- URL where found
- Tool used to find it
- Context (why relevant)
- Your location (if using VPN, note exit location)
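The naming, hashing and "always document" steps above can be combined into one collection manifest. This is an added example, not part of the original toolkit: the function names, the JSON-lines manifest format and its field names are assumptions. MD5 is recorded because the page asks for it; SHA-256 is recorded alongside it because MD5 collisions are practical to produce, so later verification relies on SHA-256.

```python
import hashlib
import json
import re
from datetime import datetime, timezone
from pathlib import Path

def evidence_name(company, page_type, collected, ext="png"):
    """Build companyname-pagetype-YYYYMMDD.ext (the page's naming scheme)."""
    def slug(text):
        return re.sub(r"[^a-z0-9]+", "", text.lower())
    return f"{slug(company)}-{slug(page_type)}-{collected:%Y%m%d}.{ext}"

def digests(path):
    """Return (md5, sha256) hex digests, reading the file in chunks."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()

def record(manifest, path, url, tool, context, vpn_exit, collected=None):
    """Append one collection record (a JSON line) to the manifest file."""
    manifest, path = Path(manifest), Path(path)
    collected = collected or datetime.now(timezone.utc)
    md5, sha256 = digests(path)
    entry = {
        "file": path.resolve().relative_to(manifest.parent.resolve()).as_posix(),
        "collected_utc": collected.isoformat(timespec="seconds"),
        "url": url, "tool": tool, "context": context, "vpn_exit": vpn_exit,
        "md5": md5,        # the hash the page asks for
        "sha256": sha256,  # added: used for verification
    }
    with manifest.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry

def verify(manifest):
    """Return recorded files that are missing or no longer match their SHA-256."""
    manifest = Path(manifest)
    changed = []
    for line in manifest.read_text(encoding="utf-8").splitlines():
        entry = json.loads(line)
        target = manifest.parent / entry["file"]
        if not target.is_file() or digests(target)[1] != entry["sha256"]:
            changed.append(entry["file"])
    return changed
```

Keep the manifest in the `evidence/` folder next to the files it describes, and run `verify()` before handing material to a lawyer or the regulator; an empty list means every recorded file is present and unmodified.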
investigation-companyname/
├── evidence/
│   ├── documents/
│   ├── screenshots/
│   └── archived-pages/
├── notes/
│   ├── timeline.md
│   ├── findings.md
│   └── contacts.md
└── reports/
    └── final-report.md
- VPN connected
- Dedicated browser open
- Evidence folder created
- Investigation documented (who, what, why)
- Legal boundaries understood
- OPSEC measures in place
- Start broad: Company name, industry, location
- Verify legitimacy: Business registry lookup
- Map infrastructure: Domain and DNS
- Discover assets: Certificates and subdomains
- Search for docs: Google dorking
- Check history: Wayback Machine
- Assess security: Breach check
- Find contacts: Email harvest, social media
- Take breaks during long investigations
- Review OPSEC regularly
- Document as you go (not at the end)
- Ask for help when needed
- Prioritize worker safety over investigation speed
- Website: https://www.fairwork.gov.au
- Phone: 13 13 94
- Website: https://www.workplacerelations.ie
- Phone: 1890 80 80 90
- Maurice Blackburn (AU): https://www.mauriceblackburn.com.au
- Shine Lawyers (AU): https://www.shine.com.au
- Free Legal Advice (IE): https://www.flac.ie
This toolkit is for legitimate worker advocacy and legal purposes only. Always operate within legal boundaries and prioritize safety.