LinkedIn (linkedin.com) en i siness-related social networking sites, LinkedIn is the most popular, j_ ee eencead currently has more than 675 million sibsesben invtnaionlly. The sig archers to create a free profile before accessing any data. As with any social nevwork, imal details. The search field of any page offers. carches will often lead t© mutile require: f c I recommend creating a basic account with mini arch using a real name, company, location, or title. These ’ ad ach identify several abe The site was redesigned in 2020, aia Provides ey options. The upper center portion of any search result page will offer some basi refinement the search to filter by People, Posts, Companies, Groups, Jobs, Schools, and Events. These can ried by direct URL. The following includes a summary of each filter and the direct also be q search URL which we will add to our custom search tools john wilson) Further filtering includes People: (https://www.linkedin.com/search /results/people/?keyword: This is the most common filter which presents profiles of people location and employer. This URL would find people named John Wilson. Posts: (https:/ /wwwlinkedin.com/search /results/content/?keywords=john wilson) This option is similar to Facebook and presents posts including the provided search terms. This helps find content about (or by) our target. Further filters include search by date, author, and industry. Companies: (bttps://www linkedin.com/search /results/companies/?keywords=john wilson) This query strictly identifies companies which include the searched keywords. Further filters include location, industry, and company size. Groups: (https:/ /www.linkedin.com/search /results/groups/?keywords=john wilson) This option presents LinkedIn groups which contain your keyword within the title ot description. Ir does not search for member names. Jobs: (hurps:/ /www-linkedin.com /jobs /index /?keywords=john%20wilson) ‘This presents current job openings and includes numerous additional filters. While beneficial for employment-seckers, I find this less useful than the other queries when my target is a person. However, it can be quite useful when investigating a company. Network penetration testers can use this to identify software applications used by the client, which could lead to identification of vulnerabilities. Schools: (hups://www.linkedin.com/search/results/schools/2keywotds=john wilson), This queties schools with the keywords in the title. Events: (bitps://www-linkedin.com/search tesults/events/?keywords=john wilson) ‘This queries events with the keywords in the title,Knowing the real name of your target will be most beneficial. The results page should include the target's employer, location, industry, and possibly a photo. After identifying the appropriate target, clicking the name will open that user's profile. If searching a common name, the filters will help limit options. Profiles ‘The profiles on LinkedIn often contain an abundance of information. Since this network is used Primarily for business networking, an accelerated level of trust is usually present. Many of the people on this network use it to make business connections. Some of the profiles will contain full contact information including cellular telephone numbers. This site should be one of the first stops when conducting a background check on a target for employment purposes. The target profile often contains previous employment information, alumni details, and work associates. Aside from searching names and businesses, you can search any keywords that may appear within someone's profile. Since many people include their phone numbers or email addresses in their profile, this can be an easy way to identify the user of that specific data. Visiting this profile identifies further information as well as confirmation of the target number. You can also search LinkedIn for a specific username, which may be directly associated with a profile. As an example, the following URL connects directly to a target. hitps://www.linkedin.com/in/ambermac/ Posts In years prior, LinkedIn was a place to create a profile and communicate directly with another person. Today, it is a true social network with Posts, Likes, and Comments. Conducting a keyword search through any LinkedIn page or my own custom tool will present anything applicable. From there, consider the following, * Clicking the three dots within a post allows you to copy a static URL of the content, which is beneficial during documentation. © Expanding all comments before generating a screen capture presents additional evidence within your documentation. © Many posts ate redacted to save space. Click "...see more” to enable this hidden content before generating a screen capture. * Clicking the number next to the "clapping hands" icon presents alist of people interested in the post, which looks almost identical to the Instagram options, © The Instagram capture techniques previously presented work the same for LinkedIn,Searching by Personal Details ‘You might get lucky and find your target with a simple name search. Unfortunately, this is rarely the case. With hundreds of millions of profiles, LinkedIn must make some assumptions when choosing the profiles to display after a search. This is especially true with common names, Let's conduct several queries as patt of a demonstration of LinkedIn's URL structure. Searching "John Smith" produces practically useless results at the following URL. hueps:/ /wwwlinkedin.com/search /results/people/?keywords=joha%20smith Instead of the default "keywords" parameter, let's force a change with the following URL. hetps://wwwlinkedin.com/search /results/people/?firstName=john Changing to "firstName" displays content associated with people named John. This is stil fairly unhelpful and includes a lot of content which is not applicable to our target. Now, let's specify the full name of our target in the following URL. hetps://www.linkedin.com/search/esults/people/?firstName=john&dastName=smith The results now only include links to profiles of people with the real name of John Smith. This is much more useful and may be all you need to identify your target. With a name such as John Smith, we need to go a few steps further. The following URL adds his employer (Microsoft). https://www.linkedin.com/search/results/people/?firstName=johnédastName=smith &company=microsoft If you wanted to go farther, we could specify his title (Manager) and school (Oklahoma) in the following URL. If you know these details about your target, you could start with this, but I find that providing too many details can work against you. Figure 13.01 displays the result of this URL, which identified the only person on LinkedIn which fit the criteria. hetps://www.linkedin.com/search /results/people/2firstName=john&dlastName=smith &company=microsoft&title=manager&school=Oklahoma ‘The previous URL query is the most precise option we have. This has been the most beneficial structure I have found to navigate directly to my target. However, it can fail. If your suspect did not provide the school attended or current employer to his profile, you will not receive any leniency from LinkedIn within this search. However, we can rely on Google to help us. Your target may have mentioned an employer somewhere else within the profile ot listed a school within the "Interests" area, The following reveals many profiles associated with the target. site:;wwwlinkedin.com john smith Microsoft manager OklahomaSearching by Company If you are searching for employees of a specific company, searching the company name often provides numerous profiles. Unfortunately, clicking on any of these profiles presents a very limited view with the name and details redacted, The name of the employee is usually not available, but the photo and job description are usually visible. You are now required to upgrade toa premium account, or be in the same circles as the target, in order to get further information. Instead, consider the following technique. Search for the business name of your target company, or the employer of your target individual. Ltyped "Uber" into the search bar and received the official business page on LinkedIn. Clicking the "See all 88,788 employees on LinkedIn" link presented me with numerous employee profiles such as those visible in Figure 13.02. Notice the names are redacted and only "LinkedIn Member" is available. Clicking this first result prompts me with "Profiles out of your network have limited visibility. To see more profiles, build your network with valuable connections". We struck out, but there are ways that you can proceed in order to unmask these details. First, copy the entire job description under the "LinkedIn Member" title, In this example, it is "Account Executive at Uber". Use this in a custom Google search similar to the following. site:linkedin.com "Account Executive at Uber" The results listed will vary from personal profiles to useless directories. Since Uber is such a large company, I had to view many pages of results until I identified my target. When I opened the 24% search result, the LinkedIn page loaded, and her photo confirmed it was the correct target. ‘The easier way would have been to search the images presented by Google. After the above search is conducted, click on the Images option within Google and view the results. Figure 13.03 (eft) displays a section, which easily identifies the same image as the LinkedIn target. Clicking this will load the profile page with full name and details. Another way to accomplish this is to navigate through the profiles in the "People also viewed" column. These pages include other profiles viewed that are associated with whichever person you are currently analyzing, These people may not be friends or co-workers with your target, but there isa connection through the visitors of their pages. As an example, I returned to the Google search at the top of this page. I clicked on the first search result, which was not my target. However, in the "People also viewed" area to the right, I saw my target, including her fall name and a link to her complete profile. Figure 13.03 (right) displays this result. Finally, the last option is to conduct a reverse image search on the photo associated with the target's profile. Full details of this type of search will be presented later. For this demonstration, 1 will right-click on her photo and choose "Copy image location". On the Google Images page, I can click the camera icon and submit this URL. While the first result is not the targer, clicking the page does presenta link to the target's unmasked page. I will later explain many detailed ways to fully query reverse image search options within the upcoming Images chapter.‘Showing 1 result John Smith Sales Manager at Microsoft Oklahoma City, Oklahoma Area Figure 13.01: A LinkedIn result via direct URL. Linkedin Member Customer Relations Linkedin Member ag Account execute at UBER Peonle Asa Viewed 8 witlam sousquer ‘nals Tine Figure 13.03: Google Images results (left) and un-redacted LinkedIn results (tight). Searching by Country While LinkedIn is an American company, it is a global social network. If you know that your target is in a specific country, you can filter your search accordingly. This can be done manually by navigating to a forcign subdirectory such as uk.linkedin.com (UK), ca.linkedin.com (Canada), or brilinkedin.com (Brazil). Each of these pages query the entire LinkedIn network, but each places emphasis on local individuals. PDF Profile View You may want a quick way to collect the publicly available details from the profiles that you find. One option is to have LinkedIn generate a PDF of the information. While on any profile, click the "More..." button and choose "Save to PDE". This will not extract any private details, but will make data collection fast.Google Search When all else fails, g0 to Goo, le. It scrapes and ind ecoG Linkedin a aed The following search would i pes and indexes most of Linkedln's profiles and pages. ntify profiles of our targer, followed by the direct URL. =wwwlinkedin.com john smith microsoft herpsi//wwr google.com/search?q=site%3 Awan linkedin,com+john-+smith-+microsoft Google Images The steults snay be overwhelming. Often Itktiow the face of my. target ana 1 simply want to browse images from LinkedIn. The following URL queries Google for any images (Stbm= ch) associated with my target's name (ohn+smith) on LinkedIn (stelinkedin,com). Ina moment, we will easily replicate all of this with my tools. hetps://www.google.com/search?q=siteinkedin.com+john+smithéetbm=isch Google Videos Many LinkedIn posts contain embedded videos. While a keyword search directly on LinkedIn may not find them, a query on Google should. The following URL. teplicates our image search, but focuses only on videos (8tbm=vid) hutps:/ / www google.com/search?q=site:linkedin.com+john-+smith8etbm=vid Bing Search While Google is typically our most powerful search engine, I prefer Bing for LinkedIn queries. Microsoft owns both Bing and Linkedin, and indexes LinkedIn data well. The following search on Bing replicates our Google attempt, followed by the direct URL. siteslinkedin.com john smith microsoft ; hutps:/ /www.bing.com/search?q=site%3Alinkedin.com+john+smith+microsoft ‘Yandex Search Finally, we should always consider Yandex as a LinkedIn search engine. The following search on Yandex replicates our Google attempt, followed by the direct URL. site:linkedin.com john smith microsoft https://www.yandex.com/search/?text jte’/3Alinkedin.com+john-+smith+microsoftViewing Without Account Every Linkedla method presented until now requires you to possess a valid Linked and to be logged in to see any content. Without an active account, all LinkedIn n prompt to log in. This ean be an issue if you do not have an account or your departineany prohibit the use of any credentials during an investigation. We can solve this with ss Mobile Friendly Test (search.google.com/test/mobile-friendly).. " Google’, aco n Pages display ; Enter any Linkedla URL, such as the profile located at hetp//linkedin.com/in/amben result appears as the mobile view ofthis profile including the target's name, image and bn gS 13.04 (lef) displays the results from the target LinkedIn URL. without an account while fo 15,04 (middle) displays the results of the same URI. on Google's test page. We ean aly ge search google.com /test/mobile-friendly2url=Itp://linkedin.com/in/ambermac dircedy on our browser to replicate this process This is a great stat, but the results ae limited. The pre only displays a portion of the LinkedIn profile, Instead, consider the following. bed * Click on the "HTML" tab above the profile on the test page. © Click the "Copy" icon above the source code. # Navigate to CodeBeautify (codebeautify.org/htmlviewer) and paste the HTML code, © Click "Run" and view the entire LinkedIn profile without requiring an account, Partial results are displayed in the highly compressed image in Figure 13.04 (right). The entire page is visible. You should be able to replicate this for any public LinkedIn page. This works because Google's servers have the authorization to bypass LinkedIn's credentialing requirements during their indexing of LinkedIn. Now, we do too. Join to view full profiles for free First name Last name Amber Mac Email or phone number @]| Amberttac Media inc Other » 500+ connections Password (6 or more characters) By clicking Agree & Join, you agree tothe Linkedin Us ‘Agreement, Privacy Policy, and Cooklo Policy. Already have an account? Sign in Amber Mac is an entrepreneur (Amber Figure 13.04: A LinkedIn profile login, mobile version bypass, and full profile view.