Chapter 2: "Information Gathering" [The Story Begins Here]
Information Gathering: Learning Without Being Seen
Information gathering is not attacking a system. It is not about forcing a door open. It is about learning as much as possible about a target while doing as little as possible to it. But there is a critical distinction here.
Passive Information Gathering is discovery without touching the target:
- You look at websites.
- You examine open sources.
- You read the traces others have left behind.
The target does not notice you, because as far as the target is concerned you are not there.
Active Information Gathering is different. Now you step onto the stage:
- You make a request.
- You establish a connection.
- A system responds to you.
At this point you begin to leave your mark: a connection in a log, a request a defender can later correlate with others. Being active is not wrong. Not knowing when to be active is wrong. A good cybersecurity professional knows this: you learn in the shadows first and step into the light last. That is why the story begins with passive information gathering.
1) PASSIVE INFORMATION GATHERING
Some doors aren't knocked on because when they are, those inside notice you. Passive information gathering is exactly that: learning about something without ever making contact with the target. Quietly. Without leaving a trace. Without anyone even realizing you're there. At this stage, no one sees you. Because you are not yet a threat. You are just a shadow watching.
Passive information gathering is the beginning of understanding, not of an attack. You try to understand how a system, a person, or a structure appears from the outside. You're at the door, but you don't knock.
Think about it in real life: You don't have to go inside to get to know a building. You look at the sign. You observe the opening and closing hours. You see who comes and goes, what times are busy, who acts like they belong. You learn a lot without doing anything. The same applies online. The streets are digital, the signs are different, but people are the same. And people leave traces without realizing it.
Passive information gathering is about collecting these traces. It's about noticing the crumbs left behind in search engines, the open records, the shared but unthought-of details. There is no speed here. There is no show of strength here. Only patience and attention exist.
And an important truth: being passive does not mean being innocent. That is why this stage is where ethical boundaries first become clear. You must know not only what you are looking at, but why you are looking at it. Because for a good cybersecurity professional, the real danger is not ignorance; it is underestimating knowledge. In the next step, the traces begin to solidify. The story deepens and silence gives way to patterns.
2) DOMAIN, IP, DNS…
Nothing on the internet exists by name alone. Everything has a number. We love names. Machines love numbers.
When you enter a website, you type a name: example.com (domain)
But behind the scenes, machines do not route traffic by that name. They route it by IP address. An IP (Internet Protocol) address is a digital address for a location. Think of it like a house: the street, number and location are clear, and anyone who knows that address can reach it.
A domain name is like a sign. It is intended for people, to make the place memorable. But when you remove the sign, the building is still there. This is where DNS comes into play.
DNS (the Domain Name System, not "Domain Name Server") acts as a translator between the sign and the address. You say, "I want this name." DNS whispers back, "The address is this." The lookup is so fast you do not notice it. But every lookup leaves a trace. A query sent through a public resolver reaches the target's name servers from the resolver's address rather than yours, which is why DNS lookups are usually treated as passive; the authoritative servers still see that someone asked.
Passive data collection really kicks in at this point. Because you haven't even reached the door yet; you've just looked at the signs.
A domain tells you a lot: how long it has been around, who registered it, what infrastructure it uses, and sometimes even how carelessly it was set up.
An IP address tells you even more: which country it is probably in, which hosting provider or network it belongs to, and who else is hosted at the same address.
DNS, on the other hand, reveals the architecture of the structure: subdomains, forgotten services, doors left open without a second thought.
None of these are "hacks." They are already out in the open. Most people just don't look.
And the critical point is this: The weakest point in a system is often not complex code, but hastily built fundamental building blocks. Domain, IP, DNS… They're often described as long and tedious concepts. But in reality, they are the lights behind the scenes of a story. If you hold the light at the right angle, the shadows become clear.
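Here is how that reading looks in practice, as an added example (not part of the chapter, and not any particular tool's code): a small Python script that takes a DNS record set and groups it into the things the paragraphs above describe, hosts sharing one address, names that point at third-party services, labels that hint at forgotten systems, and the mail policy strings. The records are constructed for a fictional example.com; nothing is queried, so the target sees nothing.

```python
"""Reading a DNS record set as an architecture map (passive: nothing is queried).

Added example; not part of the chapter. The records below are a constructed
export, the kind you would get from a passive-DNS service or an old zone
file, for a fictional example.com. Every address and target is made up.
"""
from collections import defaultdict

# Constructed record set: (name, type, value). Nothing here is real.
RECORDS = [
    ("example.com",              "A",     "203.0.113.10"),
    ("www.example.com",          "A",     "203.0.113.10"),
    ("api.example.com",          "A",     "203.0.113.20"),
    ("staging.example.com",      "A",     "203.0.113.20"),
    ("old-intranet.example.com", "A",     "198.51.100.7"),
    ("example.com",              "MX",    "mx1.mailhost.example"),
    ("blog.example.com",         "CNAME", "example-blog.blogplatform.example"),
    ("status.example.com",       "CNAME", "status-page.monitor.example"),
    ("_dmarc.example.com",       "TXT",   "v=DMARC1; p=none"),
    ("example.com",              "TXT",   "v=spf1 include:_spf.mailhost.example ~all"),
]

# Labels that usually mean "not the public front door". A heuristic, not a rule.
INTERESTING_LABELS = ("dev", "test", "staging", "old", "legacy", "intranet", "vpn", "admin")


def base_domain(name):
    """Registrable base of a host name, here simply its last two labels."""
    return ".".join(name.rstrip(".").lower().split(".")[-2:])


def map_dns(records, zone):
    """Group a record set into the facts passive recon cares about."""
    hosts_by_ip = defaultdict(set)
    external = {}          # name -> third-party target it depends on
    flagged = []           # names that suggest non-production systems
    txt_policies = {}      # SPF / DMARC and other policy strings
    for name, rtype, value in records:
        if rtype == "A":
            hosts_by_ip[value].add(name)
            first_label = name.split(".")[0]
            if any(tok in first_label for tok in INTERESTING_LABELS):
                flagged.append(name)
        elif rtype in ("CNAME", "MX") and base_domain(value) != zone:
            external[name] = value
        elif rtype == "TXT":
            txt_policies[name] = value
    return {
        "hosts_by_ip": {ip: sorted(h) for ip, h in hosts_by_ip.items()},
        "external_dependencies": external,
        "flagged_hosts": flagged,
        "txt_policies": txt_policies,
    }


def shared_hosts(mapping):
    """Addresses that serve more than one name: one building, several signs."""
    return {ip: h for ip, h in mapping["hosts_by_ip"].items() if len(h) > 1}


if __name__ == "__main__":
    m = map_dns(RECORDS, "example.com")
    for ip, hosts in shared_hosts(m).items():
        print(f"{ip} serves {', '.join(hosts)}")
    print("third-party dependencies:", m["external_dependencies"])
    print("worth a second look:", m["flagged_hosts"])
    print("mail policies:", m["txt_policies"])
```

Two things the output makes visible that a list of records does not: staging shares an address with the production API, and the DMARC policy is p=none, meaning mail spoofing the domain is only monitored, not rejected. Neither is a vulnerability by itself; both are exactly the "hastily built fundamental building blocks" the paragraph above is about.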
At the next step, even search engines won't be enough. We begin to look at the unseen side of the internet. And that is a place most people aren't even aware exists.
3) THE UNSEEN SIDE OF THE INTERNET: "Search engines don't work the way you think they do."
The internet isn't as chaotic as you think. The real chaos is what isn't shown to you. Every day, you type words into a search bar. You get answers. And you might think that's the "internet." But what you see is merely a filtered showcase.
Search engines don't lie to you. But they don't tell you everything either. Because their job isn't to show you the truth, but to show you where they want you to look. If you can't find a site, it's often not because it doesn't exist, but because it's not being shown to you.
In this section, we won't be talking about dark web, illegal activities, or hidden portals. There's no need for that. Because the Internet's hidden side is already within the places you use every day. And sometimes all it takes is asking the right question.
3.1) Google Dorking: "As the search engine's mask slips" :
Google is much more powerful than you think. But you always use it in its weakest form. Most people think of Google as a question-and-answer machine. But Google is an "archiver." And archives exist not to store, but to find.
Google dorking is not a hacking technique. It doesn't break a lock. It doesn't climb a wall. It just teaches you to look at the door that's already open. You don't search for a site, you search for something within a site. You target the file type, not the file itself. And you realize that people haven't really thought about who can see the things they put on the internet. At this point, the issue is not technical knowledge.
The real issue is this: people only hide things they think others don't know how to look for. Google is just a tool here. Neither good nor bad. What's been exposed isn't Google, but carelessness on the internet. And this is one of the quietest starting points for information gathering.
Google Dorking Examples:
- site:example.com (restrict results to a single domain)
- intitle:"index of" site:example.com (pages whose title contains the given words, within that domain)
- filetype:pdf site:example.com (a particular file type within the domain, as described above)
- related:example.com (sites Google considers similar to the target)
- cache:example.com (Google's stored copy of a page)
More examples can be given. One caveat: Google removed its cached-page links in 2024 and the cache: operator no longer returns results, so for old copies of a page the Internet Archive's Wayback Machine (web.archive.org) is now the place to look.
But the things Google finds are not always live pages. Some of them are no longer there. But they can still be found. Because the internet doesn't just store what you see, it also stores what it remembers you've seen.
3.2) Traces of Time: "Cache, Index, and What the Internet Doesn't Forget" :
The internet is not a place that "lives in the moment" as you might think. When something is deleted, it doesn't disappear. It's just hidden from view. When you close a page, delete a post, or take a site offline…
the internet takes note. And sometimes it remembers better than you do.
Cache: Where time stands still:
Browsers and search engines store copies of pages to speed up access. This is called cache. But cache isn't just for speed.
- It stores the old version of a deleted page.
- It keeps the previous version of modified content.
- Sometimes it still holds a copy of a site that has been taken down, like a moment frozen in time.
You say "it's gone now," and the internet replies, "it once existed."
Index: the invisible catalog:
Search engines don't browse the internet. They catalog it. Every page, every title, every link is written into an index. This index is the internet's ledger. Even if a page is deleted, traces of it sometimes remain:
- When it existed
- What it was about
- Where it was linked from
You don't see it, but it's there.
What does the internet never forget? People want to forget. The internet is designed to remember.
- A shared photo
- A file left open
- A misconfigured website
- A hastily sent message
These are traces. And cybersecurity is sometimes not about "hacking," but about noticing things that have been forgotten. Many people think they have been attacked when in reality they are just facing the traces they left behind. Cybersecurity is about creating this awareness:
- Realizing what you've left behind
- Understanding when you left it
- Realizing that it could come back to haunt you one day
And if there is a trace, there is someone who can see it.
3.3) Metadata: "Things files don't tell you":
When you open a file, you see its contents. But a file is not just what's inside it. Every file silently carries its own story. It doesn't tell you its name. But it whispers its past.
What is metadata? (Not the classic definition):
Metadata is the background of a file.
- When was it created?
- Who created it?
- On which device was it edited?
- Which software was used to save it?
These are details the file doesn't show you. But they are still there for the system. A document is not just a document. A photo is not just an image. Each one is a carrier of traces.
What does a photo tell you? When you look at a photograph:
- you see the light,
- you see the frame,
- you see the memory.
But metadata asks:
- Where was it taken?
- When?
- With what device?
- Is it original or edited?
And sometimes, it reveals things the photo never intended to tell.
Documents speak (whether they want to or not). A PDF file:
- can carry the author's name in its document information fields,
- can reveal the company name and the software that produced it.
A Word document:
- records who created it and who last saved it,
- counts the revisions it has gone through,
- can carry the company name, the total editing time, and the application and version that saved it.
None of this is intentional.
Most of the time, it's just forgetfulness. Metadata is insignificant to most people. But in cybersecurity, nothing is insignificant.
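To make the Word case concrete, an added example (my own, not from the chapter): a .docx is a ZIP archive, and the authorship trail sits in two small XML parts inside it, docProps/core.xml and docProps/app.xml. The script builds such a document in memory with invented names, reads those fields the way a metadata tool would, and then produces a scrubbed copy whose body is untouched.

```python
"""Reading, then scrubbing, the metadata a Word document carries.

Added example; not part of the chapter. A .docx is a ZIP archive, and the
authorship trail lives in docProps/core.xml and docProps/app.xml. The
document here is built in memory with invented names so it runs offline.
"""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "dcterms": "http://purl.org/dc/terms/",
    "ep": "http://schemas.openxmlformats.org/officeDocument/2006/extended-properties",
}

# Constructed metadata parts in the layout Word writes; every value is invented.
CORE_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<cp:coreProperties xmlns:cp="{NS['cp']}" xmlns:dc="{NS['dc']}" xmlns:dcterms="{NS['dcterms']}">
  <dc:creator>j.doe</dc:creator>
  <cp:lastModifiedBy>CORP\\jdoe</cp:lastModifiedBy>
  <cp:revision>14</cp:revision>
  <dcterms:created>2021-03-02T09:14:00Z</dcterms:created>
  <dcterms:modified>2023-11-18T22:41:00Z</dcterms:modified>
</cp:coreProperties>"""
APP_XML = f"""<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Properties xmlns="{NS['ep']}">
  <Application>Microsoft Office Word</Application>
  <AppVersion>16.0000</AppVersion>
  <Company>Example Corp Internal</Company>
  <TotalTime>612</TotalTime>
</Properties>"""
# Empty replacements used by scrub(): the parts stay present, so the package
# and its [Content_Types].xml entries remain consistent, but they say nothing.
EMPTY_CORE = f'<cp:coreProperties xmlns:cp="{NS["cp"]}"/>'
EMPTY_APP = f'<Properties xmlns="{NS["ep"]}"/>'

CORE_FIELDS = ("dc:creator", "cp:lastModifiedBy", "cp:revision", "dcterms:created", "dcterms:modified")
APP_FIELDS = ("Application", "AppVersion", "Company", "TotalTime")


def build_docx():
    """Minimal in-memory .docx whose metadata parts are populated (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("docProps/core.xml", CORE_XML)
        z.writestr("docProps/app.xml", APP_XML)
    return buf.getvalue()


def part_names(docx_bytes):
    """Sorted list of the archive members, to show scrubbing keeps the package shape."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        return sorted(z.namelist())


def read_metadata(docx_bytes):
    """Return the fields that identify people, machines and editing history."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            for tag in CORE_FIELDS:
                el = root.find(tag, NS)
                if el is not None and el.text:
                    found[tag] = el.text
        if "docProps/app.xml" in names:
            root = ET.fromstring(z.read("docProps/app.xml"))
            for tag in APP_FIELDS:
                el = root.find(f"ep:{tag}", NS)
                if el is not None and el.text:
                    found[tag] = el.text
    return found


def scrub(docx_bytes):
    """Copy of the document with both metadata parts blanked; the body is untouched."""
    replacements = {"docProps/core.xml": EMPTY_CORE, "docProps/app.xml": EMPTY_APP}
    buf = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as src, \
         zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as dst:
        for item in src.infolist():
            data = replacements.get(item.filename)
            dst.writestr(item, data if data is not None else src.read(item.filename))
    return buf.getvalue()


if __name__ == "__main__":
    doc = build_docx()
    for key, value in read_metadata(doc).items():
        print(f"{key:20} {value}")
    print("after scrub:", read_metadata(scrub(doc)))
```

The two properties parts are only the obvious place. Tracked changes and comments live in word/document.xml and word/comments.xml, and any embedded picture under word/media keeps its own EXIF data, so in practice you run a dedicated tool (exiftool, or Word's own Document Inspector) over the whole file rather than blanking two parts by hand.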
When sharing a file, you say, "The content is already clean." But you don't check its history. And that's exactly where information leaks. Information gives itself away. Many incidents:
- don't start with complex exploits,
- or with elite attackers.
They start with a document. With a photo. With a "what could this be?" moment. Cybersecurity requires listening to what files hide, not what they say. We now know this:
- The internet never forgets.
- Search engines keep traces.
- Files speak silently.
And we still haven't touched anyone.
We haven't knocked on the door yet. We just looked. We listened. We read. In the next step, information is no longer just found. It is "combined." And the story becomes even clearer.
4) WHOIS, SHODAN, WAPPALYZER: "Tools don't talk, you listen."
By this point, you should have realized: Information on the internet is not hidden. It's just scattered. And everything that is scattered gains meaning for those who know how to piece it together.
Whois, Shodan, Wappalyzer are often described as "tools" in many places. But they are not tools; they are lenses. They bring things closer. They clarify. But you choose what you look at.
WHOIS — "The identity of a domain name":
When you see a domain, you don't just see a name. When you look up WHOIS, you ask: "Who owns this?" WHOIS sometimes tells you very little. Sometimes it tells you too much.
- When it was registered
- How long it has been around, and when the record was last updated
- Which registrar and which company it is associated with
- Sometimes other domains registered by the same person
Since 2018 most registrant contact fields are redacted or hidden behind a privacy proxy, so the dates, the registrar and the name servers are usually the most reliable parts of the record. This information alone is not an attack. But the time information is very valuable. Is it a newly registered domain? Or one that has been live for years and never updated? People rush. Systems leave traces.
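As an added example (not from the chapter), the "time" reading in code: parse a WHOIS response in the key: value layout most registrars return, then compute age, staleness and time to expiry. The response text, the registrar and the name servers are constructed for a fictional domain; the thresholds in assess_timeline are my own heuristics, not a standard.

```python
"""Reading the time out of a WHOIS record.

Added example; not part of the chapter. The response text is constructed in
the key: value layout most registrars use; registrar, dates and name servers
are invented. Contact fields are shown redacted, as they usually are today.
"""
from datetime import datetime, timezone

# Constructed WHOIS output for a fictional domain.
WHOIS_TEXT = """\
Domain Name: EXAMPLE-SHOP.COM
Registry Domain ID: 1234567890_DOMAIN_COM-VRSN
Registrar: Example Registrar, Inc.
Updated Date: 2019-04-11T07:22:10Z
Creation Date: 2012-08-30T14:05:31Z
Registry Expiry Date: 2025-08-30T14:05:31Z
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Email: Please query the RDDS service of the Registrar
Name Server: NS1.EXAMPLE-DNS.NET
Name Server: NS2.EXAMPLE-DNS.NET
DNSSEC: unsigned
"""

DATE_FIELDS = ("creation date", "updated date", "registry expiry date")
# Fixed "now" so the example is reproducible; in real use pass datetime.now(timezone.utc).
REFERENCE_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def parse_whois(text):
    """Turn 'Key: value' lines into a dict; repeated keys become lists, dates become datetimes."""
    record = {}
    for line in text.splitlines():
        if ":" not in line or line.startswith(("%", ">>>")):
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not value:
            continue
        if key in DATE_FIELDS:
            value = datetime.fromisoformat(value.replace("Z", "+00:00"))
        if key in record:
            prev = record[key]
            record[key] = prev + [value] if isinstance(prev, list) else [prev, value]
        else:
            record[key] = value
    return record


def assess_timeline(record, now):
    """Age, staleness and expiry, plus the reading a recon analyst would give (heuristic thresholds)."""
    created = record["creation date"]
    updated = record.get("updated date", created)
    expires = record["registry expiry date"]
    age_days = (now - created).days
    stale_days = (now - updated).days
    days_to_expiry = (expires - now).days
    notes = []
    if age_days < 90:
        notes.append("registered recently: young domains deserve extra scrutiny")
    if stale_days > 3 * 365:
        notes.append("record untouched for years: possibly set up and forgotten")
    if days_to_expiry < 60:
        notes.append("expires soon: lapses and re-registration are worth watching")
    if any(isinstance(v, str) and "REDACTED" in v for v in record.values()):
        notes.append("registrant data redacted: lean on dates, registrar and name servers")
    return {"age_days": age_days, "stale_days": stale_days,
            "days_to_expiry": days_to_expiry, "notes": notes}


if __name__ == "__main__":
    rec = parse_whois(WHOIS_TEXT)
    print(rec["registrar"], rec["name server"])
    print(assess_timeline(rec, REFERENCE_NOW))
```

The layout varies by registry (some use "Creation Date", others "created:" or "Registered on"), so a real parser carries a small table of aliases per TLD; the time arithmetic, which is the part that matters here, stays the same.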
WAPPALYZER — "The structure beneath the mask":
When you look at a site, you see the design. Wappalyzer infers the technology stack underneath it from what the site itself sends: response headers, cookie names, script paths and markers in the HTML.
- Which web server
- Which framework
- Which content management system
This is not a "vulnerability list." This is a "habit map." Because most systems:
- are set up with default settings,
- are rushed into production,
- and then forgotten.
Wappalyzer tells you how this architecture was designed, and sometimes how it wasn't. One caveat: the browser extension fingerprints the page your browser has just loaded, so it works on a response the target has already sent to you. That is a request to the target, and strictly speaking the first step out of the purely passive phase.
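An added example (not the chapter's, and not Wappalyzer's actual rule set) of how such a fingerprint is produced: a handful of signatures matched against the headers, cookie names, meta tags and script paths of a constructed HTTP response. Real fingerprinters ship thousands of such rules; the mechanism is the same.

```python
"""Fingerprinting a stack from what the site itself sends, Wappalyzer-style.

Added example; not part of the chapter and not Wappalyzer's own rules. The
response headers and HTML fragment are constructed; the signatures are a
small hand-written subset of well-known markers.
"""
import re

# Constructed HTTP response from a fictional site.
RESPONSE_HEADERS = {
    "Server": "Apache/2.4.29 (Ubuntu)",
    "X-Powered-By": "PHP/7.2.24",
    "Set-Cookie": "wordpress_test_cookie=WP+Cookie+check; path=/",
}
RESPONSE_BODY = """<html><head>
<meta name="generator" content="WordPress 5.2.4" />
<link rel="stylesheet" href="/wp-content/themes/twentynineteen/style.css" />
<script src="/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""

# (technology, where to look, regex; group 1, if present, is the version)
SIGNATURES = [
    ("Apache",    "header:Server",       r"Apache(?:/([\d.]+))?"),
    ("nginx",     "header:Server",       r"nginx(?:/([\d.]+))?"),
    ("PHP",       "header:X-Powered-By", r"PHP(?:/([\d.]+))?"),
    ("WordPress", "cookie",              r"wordpress_[a-z_]+="),
    ("WordPress", "meta:generator",      r"WordPress ([\d.]+)"),
    ("WordPress", "body",                r"/wp-(?:content|includes)/"),
    ("jQuery",    "body",                r"jquery(?:\.min)?\.js\?ver=([\d.]+)"),
]


def fingerprint(headers, body):
    """Match every signature; keep one entry per technology, preferring a version when seen."""
    found = {}
    metas = dict(re.findall(r'<meta name="([^"]+)" content="([^"]+)"', body))
    for tech, where, pattern in SIGNATURES:
        if where.startswith("header:"):
            haystack = headers.get(where.split(":", 1)[1], "")
        elif where == "cookie":
            haystack = headers.get("Set-Cookie", "")
        elif where.startswith("meta:"):
            haystack = metas.get(where.split(":", 1)[1], "")
        else:
            haystack = body
        m = re.search(pattern, haystack, re.IGNORECASE)
        if not m:
            continue
        version = m.group(1) if m.groups() and m.group(1) else None
        if tech not in found or (version and not found[tech]):
            found[tech] = version
    return found


def habit_notes(found):
    """Turn the stack map into the 'habit map' reading the chapter describes."""
    notes = []
    if found.get("Apache") or found.get("PHP"):
        notes.append("server/language versions advertised in headers (the default for both)")
    if found.get("WordPress"):
        notes.append("CMS version exposed through the meta generator tag")
    return notes


if __name__ == "__main__":
    stack = fingerprint(RESPONSE_HEADERS, RESPONSE_BODY)
    print(stack)
    for note in habit_notes(stack):
        print("-", note)
```

Note what the code does not do: it never says "vulnerable". It says which versions a site volunteers about itself, which is exactly the habit map described above; whether a given version matters is a separate question for a later, active phase.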
SHODAN — "The Back Alleys of the Internet":
Google gives you what people want to see. Shodan shows you what systems are shouting. Shodan doesn't look at websites. It looks at devices.
- Exposed servers
- Cameras
- Management panels
- Forgotten services
Most of these are not intentionally left open. They are simply never closed. Shodan's real power is this: it lets you see the internet not as a storefront, but as an infrastructure map. Shodan's own scanners do the probing and store the banners; you only query its index, so the target never sees you. And once you see this, the concept of "hiding on the internet" takes on a whole new meaning.
A critical point: WHOIS tells you about "time." Wappalyzer tells you about the "structure." Shodan tells you about the "environment." None of them means much on its own. But together… that's when the systems start talking.
And you still haven't knocked on the door. You still haven't entered. You've only looked around. But now you know this: Some doors are already left ajar. In the next step, the human factor comes into play. And the quietest traces are usually left there.
5) THE SILENT SIDE OF SOCIAL ENGINEERING "I didn't hack companies, I hacked people" — Kevin Mitnick
Most security systems are designed to protect against machines. But most attacks don't start with machines. They start with people. Social engineering is not the art of persuasion. It is not manipulation. It is the physics of human behavior. If you know what a person is accustomed to, you also know what they are vulnerable to.
And the disturbing part is this: These vulnerabilities are not unique, nor are they hidden. They are right there in plain sight. Silent social engineering doesn't speak. It doesn't lie, it doesn't act. It just observes. Who takes what seriously? Who doesn't question anything? Who has labeled certain things as "already safe"?
This person's:
- email writing style,
- manner of address,
- hasty reactions,
- "nothing will happen to me" confidence.
All of these are system configurations. And most of the time, they are the default settings.
"A Short Story":
None of the company's systems had failed. The firewall was working. The servers were up to date. The logs were clean. But one day, an employee realized they had opened a file they didn't remember opening. The file wasn't malicious, it was just… That wasn't the problem anyway. The problem was why the file had seemed normal to them. No one taught them anything, no one tricked them, no one forced them. They simply encountered something they were accustomed to. And the door opened. The following sentence was later added to the report: "No technical vulnerability was found." But everyone knew: the vulnerability wasn't technical to begin with.
"The silent truth of social engineering": People are not security walls. People grant permission if it "makes sense."
And what seems "logical" is the most dangerous thing. That's why social engineering is the darkest form of attack: the victim often doesn't even realize what's happening. Here, power lies not in intelligence or speed but in patience.
A keen eye:
- doesn't draw attention,
- doesn't rush,
- leaves no trace.
Because the biggest vulnerability in the human factor is not curiosity, but routine. And that's why social engineering is not a continuation of technical knowledge; it is a separate discipline that puts people at the center.
In the next step, this silence is broken. Traces are no longer just in behavior; they begin to become clear in the digital footprints you leave behind every day. And there, what you think you are is not the same as what you actually see. At the end of the day, you realize that no one let you in — you opened the door yourself.
It is important to know: When a system crashes, an alarm sounds; when a person crashes, no one notices.
6) TRACKING IN THE DARK (OSINT)
Tracking in the dark is not about searching for the invisible. On the contrary, it is about noticing the traces that everyone passes by. OSINT is often described as "information gathering." But what it actually does is piece together the fragments that have been quietly left behind. People leave traces because being human requires it. They share, search, record, and then forget. OSINT deals with the forgotten things.
Think of a photograph, a frame. But within that frame is a clock. A shadow, a wall color, a window reflection. Some look at the photo. Others see the time, the place, and the habit. Think of a username. You might think it was chosen randomly. Yet it often carries an obsession, a year, a recurring identity. People change. Usernames rarely do. Think of a comment. Seemingly insignificant, but look at the time. On which day was it written? When was it deleted? In OSINT, information doesn't shout; it whispers. And you shouldn't rush to hear that whisper. There are no attacks, no coercion, no breaking down doors in this section. Just looking. Because some stories tell themselves even when you do nothing. As long as you know how to listen.
6.1) What is a Trace?:
A trace isn't created when you do something; it's created when you're somewhere. Most people think leaving a trace means sharing something. Uploading a photo, writing a comment, adding a location… But a trace doesn't ask for intent. You enter a site, read a headline, leave a video halfway through, search for something but don't click… None of these are sharing. But they are all traces.
People generally think: "I didn't write anything," "I didn't share anything," "I'm private." OSINT starts right here. Because leaving a trace is not a choice, it's a side effect of existing. There are two types of traces in the digital world. Some are left intentionally. Photos, posts, comments. These are called active traces. But the real story lies hidden where no one notices: times, repetitive behaviors, silent preferences, pages revisited. These are passive traces. And passive traces are far more honest than active ones.
People embellish their active traces, add filters, choose their words, and curate themselves. But passive traces are unmasked. They reveal not who you are, but what kind of person you are. Are you active at night? Which days do you disappear? Do you return to the same types of content? Do you search for the same words? These questions aren't asked. They are observed.
OSINT isn't about tracking traces; it's about accepting that the traces are already there. When a person says, "I don't leave traces," they usually mean: "No one is watching me." But not being watched doesn't mean you're not seen. It just means you haven't been noticed yet.
OSINT is not after secret information. OSINT is concerned with things that are out in the open but overlooked. Tracking is not wandering in the dark. It is slowing down and remembering to look at the ground.
6.2) Human habits don't lie:
People tell lies. They change their profile, they fix their story. But they rarely question their habits. This is precisely where OSINT's greatest strength lies. It's not about what you share, but how you repeat it. The same username, different platforms, the same word choices, posts made at the same times.
A person says, "This is who I am." Their habits whisper, "This is who I really am." Messages sent at night create a rhythm. Weekend silences reveal a pattern. The hours when an account is active show the gaps in that person's life where they turn to the internet.
Most people think they choose their username randomly, and sometimes they really do, but generally:
- There is a name.
- There is a year.
- An obsession.
- A repetition.
- Sometimes an unresolved period.
People change. But digital habits linger behind like an old trace. And that's precisely why OSINT requires patience. Because here, it's not speed that wins, but pattern.
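As an added example (not from the chapter), the rhythm reading turned into code: given nothing but posting timestamps, compute the weekday and hour histograms, the narrowest block of UTC hours that holds most of the activity, and the time zone offsets under which that activity would fall in a local evening. The timestamps are constructed for a fictional account; the "people post in the evening" assumption is a heuristic and is labelled as such in the code.

```python
"""Reading a rhythm out of timestamps: when is this account awake?

Added example; not part of the chapter. The posting times are constructed
(UTC) for a fictional account; nothing is fetched. Only hours and weekdays
are used, never content: these are the passive traces the chapter describes.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def constructed_posts():
    """Constructed: two weeks of UTC posting times, silent at weekends, busiest around 19:00 UTC."""
    start = datetime(2024, 3, 4, tzinfo=timezone.utc)
    posts = []
    for day in range(14):
        d = start + timedelta(days=day)
        if d.weekday() >= 5:            # weekend silence
            continue
        for hour, minute in ((17, 5), (19, 10), (19, 40), (22, 20)):
            posts.append(d.replace(hour=hour, minute=minute))
    return posts


def hour_histogram(posts):
    """Posts per UTC hour of day."""
    return Counter(p.hour for p in posts)


def weekday_histogram(posts):
    """Posts per weekday name: the days that are missing say as much as the days present."""
    return Counter(p.strftime("%a") for p in posts)


def active_window(posts, share=0.8):
    """Shortest run of consecutive UTC hours covering at least `share` of the posts.
    Returns (start_hour_utc, length_hours)."""
    hist = hour_histogram(posts)
    needed = share * len(posts)
    best = None
    for start in range(24):
        covered, length = 0, 0
        while covered < needed and length < 24:
            covered += hist.get((start + length) % 24, 0)
            length += 1
        if covered >= needed and (best is None or length < best[1]):
            best = (start, length)
    return best


def likely_utc_offset(posts, local_evening=(19, 23)):
    """UTC offsets (hours) at which the busiest UTC hour lands in a local evening.
    Heuristic: assumes the account posts most in the evening. Not a fact about the person."""
    busiest_hour = hour_histogram(posts).most_common(1)[0][0]
    lo, hi = local_evening
    return [off for off in range(-12, 15) if lo <= (busiest_hour + off) % 24 <= hi]


if __name__ == "__main__":
    posts = constructed_posts()
    print("by weekday:", dict(weekday_histogram(posts)))
    print("by hour:", dict(sorted(hour_histogram(posts).items())))
    print("active UTC window (start, hours):", active_window(posts))
    print("plausible UTC offsets:", likely_utc_offset(posts))
```

On this data the account is silent on Saturday and Sunday, posts inside a six-hour window starting at 17:00 UTC, and an evening habit would place it somewhere between UTC+0 and UTC+4. None of that is certain; that is the point of the paragraph above. A pattern is a hypothesis you test against other traces, not a conclusion.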
6.3) The unseen details:
You look at a photo, you see a person. OSINT looks and asks: Where is the light coming from? Which way is the shadow turning? Is the color of the wall familiar? Does the window reflection reveal anything? Information is often not in the center, but in the corners. It lies outside the frame.
Think of a screenshot. The clock is left open in the corner, the notification bar is visible. The language setting is different.
Think of a file. Its content is innocent, but its name, creation time, and modification time tell a completely different story.
People pay attention when creating content, not when leaving details behind. And the ironic part is this: It's not the things people try to hide, but the seemingly insignificant details that speak the loudest. In OSINT, information doesn't shout; details whisper.
6.4) When the pieces start to speak:
No single piece is meaningful on its own. A username is ordinary; a photo is insignificant; a comment is fleeting. But when the pieces come together, the silence is broken. The magic of OSINT begins here, in the assembly. A timeline emerges, habits align, details corroborate each other.
And at some point, you realize: No one told you anything, no one questioned you, no doors were forced open.
But the story is there, on its own. That's why OSINT isn't an attack; it's a way of reading. And when this reading is done, you now know: where you stand, what matters, which door truly exists.
But you haven't entered yet. Looking isn't enough in the next step. Now there's a map, and with a map, "exploration" begins. I hope you now recognize the traces, read the patterns, and piece things together. Now the question changes: Not "What's there?" but Where should I look? And here, silence gives way to measured movement.