Corporate profiling is critical part of many investigations. The use-cases are vast including corporate due diligence, pre-hire screening, insider threat identification and more. Learning how to efficiently find and collect information for analysis based on your use case is what this blog post will focus on. There will be a heavy focus on LinkedIn advanced searching & navigating but also look at other data points to support your investigations.
There are some great free and commercial tools available to automate a lot of this process, however in this blog we are focused on how to achieve it manually so we aren't reliant on tools and so we don't exclude investigators through a high-barrier to entry with technical skill requirements.
Collection Plan
Having a plan for what to collect is important. There are many aspects that will and will not be relevant for an investigation so this structure is a guide on some of the information points that can tie a strong corporate profile report together.
Now we have an idea of some of the things we want to collect, we need to know where to find the information. We will break this down into each section and look at a sample of some of the data sources you can target. This list is not comprehensive but should provide a start point and a workflow that is repeatable.
The company overview is critical. It is important to understand the company from a macro level before delving deep into other sources. The reason for this is that you will pick up on different bits of information that you may have otherwise brushed over throughout the micro work.
Mapping out a corporate structure is important for understanding how an organisations management and employee structure works. I.e. is corporation middle-management heavy, is it top-heavy, who are the key leaders?
Recruitment pipelines. This is often overlooked particularly for people who may want to understand how to influence an organisation at a grass roots level. Looking at educational institutions can paint a really interesting picture of potential culture, points of vulnerability from outside influence and also geographical aspects to recruitment for an organisation.
For example if you are looking at potential grass-roots influence in an organisation and the majority of the staff come from a particular educational institution it can present opportunities to target either a cultural topic (school comrades & loyalty) or simply messaging at the point of recruitment rather than once a staff member is established in an organisation.
Professional networks are often different to personal ones. They are useful when conducting a comparison between a personal and professional network to identify key connections that may play a part it influencing how a corporation operations due to personal relationships.
This is also important when looking at acquisitions and mergers to understand any underlying risks or threats based on personal influences.
There is three key sub-components to sentiment. What the media is reporting, what the public are reporting through social media at a macro level, and what is happening in a specific geo-location (i.e. for a mining company etc) are very different reporting streams. Collecting information to analyse on each is important.
Often overlooked but very important is mapping out what a corporations technology profile looks like, particularly around where infrastructure resides (data sovereignty considerations etc) and is there any identifying illegal activity such as Torrent downloads occurring on a corporate network that might result in embarrassment.
Advanced LinkedIn Searching
Once we have a good understanding of what we want to collect it's time to get into the details of how we're going to do this.
People
Filters
When we start searching for people on LinkedIn it is often handy to go straight to the right section so that results are not combined. I.e. searching for people doesn't become combined with results of companies.
Going to this URL will allow you to search directly for people:
Once there a great place to start is the "All Filters" button so you can start applying your detailed search criteria and reduce the millions of potential users down to your targeted requirements:
You will now see a bunch of filters that you can start using. However one of the quick/key filter areas for rapid results is not always obvious. Scroll down a little and you will see the following box:
Searching in this filter box will add easy-to-repeat parameters to the URL. For example if you search for "Microsoft" in the Company box it will construct the search URL like this:
You will notice the company=Microsoft part. You can modify this yourself without having to go through the filters box. This can create efficiencies if you are automating scripts. The same concept applies for:
title=<job title>
firstName=<first name>
lastName=<last name>
school=<school>
For example if you wanted to script out some searches you could do the following URL to find people who's job title is "Director", had a name of "John Smith", worked at "Microsoft" and attended "Harvard" with the following URL:
Going back slightly you would have noticed that there was already a filter further up to search for company. This other filter allows you to search for someone that is part of a company which has a presence on LinkedIn. Why this is limiting sometimes is that not all organisations advertise their company on LinkedIn but their staff may still advertise that they work there. When you do a search using this box you will have a URL that looks like this:
You should notice the company ID in the URL is 1035. This is the company ID that LinkedIn uses to reference in their database. This can be useful when you are searching for organisations that have the same name or a common name and you want to ensure your searches are tied to a single organisation.
This is an important difference to understand and I recommend you compare both results like below:
Searching using the company=Microsoft approach yielded 241,591 results of personnel.
Searching using the company specific search box at the top and selecting Microsoft as a company yielded 154,686 personnel.
Profile Languages
The filters above allow you to search for profile languages which might be important for tying a profile to a potential geo-location. Be aware that when a user creates a profile they have the option to select which countries their profile will be displayed so this is not an entirely accurate representation.
The profile language options are limited though so once you click search you have the option to expand different languages by customising the URL: &facetProfileLanguage=%5B“LANG CODE"%5D
With the following language codes available but hidden:
"en" English
"zh" Mandarin
"de" German
"it" Italian
"ko" Korean
"no" Norwegian
"pl" Polish
"pt" Portuguese
"ru" Russian
"es" Spanish
"sv" Swedish
"tr" Turkish
"cs"Czech
"nl" Dutch
"fr" French
"da" Danish
Geo Location
You can search LinkedIn for people based on a Location filter but this will only allow you to narrow down to the city usually. If you want to find people who have a more granular location within their profile simply search for the location as a keyword instead and you often find a lot more detail.
There is still an advanced search URL that seems to work, although the accuracy of the distance metrics is hard to measure. You can modify the below URL to find people based on distance from a location in theory: - note you need the postcode AND the country code.
https://www.linkedin.com/search/results/people/?countryCode=<2 letter code>&distance=<distance>&keywords=<keywords>&postalCode=<zip/postcode>&title=<job title>
Example to find paralegals who are 30mi from Sydney, Australia (postcode 2000): https://www.linkedin.com/search/results/people/?countryCode=au&distance=30&keywords=legal&postalCode=2000&title=paralegal
Profile to Email Association
A method to validate which profile is associated to an email address can simply be achieved by modifying the following URL:
https://www.linkedin.com/sales/gmail/profile/viewByEmail/<email address>
If you find a profile associated with an email address you are looking for you will be presented with this screen:
Languages
A few months back LinkedIn removed a number of really useful boolean search parameters. Now the best way to find information within a profile is simply to leverage keywords in the search bar.
For example, if you want to find people who speak Mandarin, try this in the search bar:
Languages:mandarin
What this will do is find profiles where people have listed they speak another language by looking for those keyword associations within the profile.
Compound that with the previously discussed filters and you can now narrow down you targets and also potentially build out an understanding of what languages employees of a company speak which might be important to assessing competition for the types of markets that they would perform well in by having linguistic capabilities.
Companies
Analysing companies on LinkedIn is a snap as their interface is quite effective at breaking down structures, educational sources and locations. The start point is the following URLs to look at companies specifically and not return results of people:
Once you have found the company you are looking for, IBM in this case, click into it and you will be presented with this screen:
The red circles are highlighting some key areas to start looking. Jobs will give you details of the recruitment pipeline mentioned in our collection plan, and People will allow you to start finding individuals and understanding demographics of a company.
If you want to search for all the staff of a company who are from a particular geo-location you can simply click "Where they live" and "Add" the location that you are looking for. Likewise, if you want to see if anyone from that organisation studied at a school you click "Add" and find the school for interest.
This can be useful if you have a data point for a target that suggests they work at a company and studied at a particular school, this is another way to narrow down and confirm that information.
It is also useful for understanding the % of people who work at a company and are from a location or studied at a particular school. This provides insights into cultural aspects of the organisation that may not be obvious from the outside or public persona of the organisation.
For example you can narrow down filters accordingly:
Another useful aspect is it provides a rapid snapshot of how many employees are working at the organisation and have a LinkedIn presence.
Google Dorking
A great part about LinkedIn is that you can Google Dork a lot of results. Some examples are below on how to do this:
Find the "VPs" of "Microsoft" from "Sydney": site:linkedin.com/in OR site:linkedin.com/pub intitle:"Vice President" AND intitle:"Microsoft" AND "Sydney"
Find people named "Jane" who work at "Microsoft" and speak "Mandarin": site:linkedin.com/in OR site:linkedin.com/pub "Jane" AND intitle:"Microsoft" AND (intext:"Language*" AND "Mandarin")
Find the "VPs" of "Microsoft" who studied at "UNSW": site:linkedin.com/in OR site:linkedin.com/pub intitle:"Vice President" AND intitle:"Microsoft" AND ("Education" AND "UNSW")
The dorking possibilities at endless. You simply need to look through profiles and find the markers you are looking for and construct your searches accordingly. There are plenty of great guides out there on advanced google searching such as this one by Aware-Online: https://www.aware-online.com/en/15-useful-google-operators-for-your-investigation/
Emails
Finding email contacts for an organisation can be important for many reasons including creating new vectors to investigate and identifying potential risks to an organisation. There are a number of great resources out there such as:
Or if you are comfortable installing and running Python based tool you can use some great tools such as theHarvester which automate a form of searching across multiple platforms to collect as many emails as possible for a domain: https://github.com/laramies/theHarvester
If you only want to find emails for a company on LinkedIn specifically (which might be important during assessments for any staff who are exposing their email address against company policy for example) you can try the following Google dork:
site:linkedin.com/in OR site:linkedin.com/pub intext:"@microsoft.com"
I suggest adding &num=2000 to the end of the URL bar so you can display a larger number of results on the screen. This would look like this:
Domains
Another important aspect of profiling a corporation is understanding their online presence. Domain enumeration and identification can often identify additional brands, contact information and markets that the organisation is involved in.
A great resource for technical information on a corporations online presence can be found here: https://viewdns.info/
The section we are interested in is the "Reverse Whois" lookup. We will use an email wildcard to identify additional domains registered using a corporate email. E.g.: "*@microsoft.com"
This will return the following results:
This provides a wealth of information in understanding the organisations online presence, when they created certain websites (such as brand launches etc), and who the registrar is.
Additionally, you can pivot on individual emails found above to identify what domains may have been registered using a company email. This can be useful for identifying inappropriate use of corporate emails for bespoke domain registrations which are not associated with an organisation. For example, results for "bill@microsoft.com" provide the following:
Additional data points you can explore at grabbing the IP address of the companies domains you have found and searching those IP addresses to see what domains share the same IP. This does not always equate to the same company due to shared hosting providers, but it is worth exploring and mapping when you reach that stage of your investigation. Tools like Maltego will allow you to do this rapidly.
Additional Company Information
Although LinkedIn is the main topic of this blog it is still only one source of information. It is important to look across other platforms and collect information for analysis. The collection plan mentions a number of sources that very intuitive for getting corporate information on things like shareholders, professional networks and financial information.
Below is a list of some great resources to access:
Financial performance & shareholder structures: https://www.marketscreener.com/
Professional relationships: https://relationshipscience.com/
Open database of information about corporations: https://opencorporates.com/
OCCRP Alpha is an excellent resources for deep information about organisations: https://aleph.occrp.org/
Sentiment analysis: https://brand24.com/ (free trial)
There are thousands of sites that provide differing levels of information, this is only a sample but often its better to have a focused list so you don't get lost in the noise. A lot of these resources also have false-positive or inaccurate information, it is critical that you cross-reference and validate information as much as possible.
Google Dorking for company documents is also recommended and can often provide valuable insights into things such as board meetings, annual general meetings and event attendees. Try some of these and see what you find:
site:microsoft.com filetype:pdf OR filetype:doc OR filetype:docx AND "annual" AND ("general" OR "report" OR "meeting")
Conclusion
Corporate profiling is a requirement for many investigations and research efforts. Doing so without the use of automation tools and staying inline with the platform terms of service means you can create repeatable success in your actions. Of course there are automated tools (commercial and free alike) that can handle a number of these tasks but we focused this blog purposely on manual techniques and a sustainable methodology.
We hope this blog will provide you both an approach and some methods to conducting corporate profiles and feel free to leave feedback on your approaches to corporate profiling.