Security Blue Team: Introduction to OSINT Course Capstone Write-up

Justin Mangaoang
Nov 24, 2023


Introduction

The course has given us the basics of how to go about gathering information using open source intelligence. It also provided several tools that we can use to gather OSINT. Now, we need to put our detective skills to the test.

Here is a description of the challenge:

You work for a law enforcement organization, and you have been assigned to track a person-of-interest, that is believed to be associated with a hacking group that recently compromised a Managed Service Provider (MSP) and are trying to sell the stolen credentials on both the clear net and dark web. Another team is focusing on the dark web lead, so you have been tasked with using OSINT sources to build up a profile on the individual and attempt to locate any evidence that links them to the MSP breach and sale of account details. You have been provided with some information to start your investigation. You should use any of the sources or tools taught in this course, that you deem to be applicable and appropriate. We know that the email address used to register the Twitter account is fake, so do not include this in your report.

This is a fictional scenario. Any affiliation between the scenario individual and any real person is strictly coincidental.

Your manager has provided you with the following starting information:

  • Twitter handle used by actor: @sp1ritfyre

Rather than answering the questions one by one, I decided to show how I gathered all the information needed for the challenge. From this point forward, I will refer to the person we are investigating as our POI (person of interest).

Gathering Information

Googling the Twitter handle gives us the following results:

The first two search results look promising. The first one leads to the Twitter account of the POI.

The bio says it all. The POI’s profile also shows a website link. At first glance, the link appears to be random letters and numbers; it is actually a base64-encoded string.

I used CyberChef to decode the string.

Interestingly, the decoded string corresponds to the third entry in the Google search results above. I looked at the WHOIS record of redhunt.net but found no useful information, and visiting the website itself yielded nothing useful either. Time to look elsewhere.

I went back to the search results and tried the Blogger website.

Two things immediately catch my attention: the “contact me” email address and the location. The “contact me” entry may give us the POI’s email address, and the random letters and numbers in the location field are another encoded string.

I clicked on the link indicated under “My blogs” and was redirected to the blog.

I went back to the user profile and clicked the mailto link in the “contact me” section.

Is this the POI’s email address? It is still too early to tell. Nevertheless, I took note of this email address and decided to investigate further.

I decoded the hex-encoded string using CyberChef.

Looks like another Blogger site.
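Both pivots so far came from profile fields that were not plain text: a base64-encoded website link and a hex-encoded location. The script below is an added example (not part of the write-up or the course) that automates that step: it detects whether a field is hex or base64, decodes it only if the result is printable text, and pulls out the hostname for a WHOIS or site lookup. The sample field values are constructed here by encoding the URLs named in this write-up; they are not the actual strings from the POI’s profiles.

```python
import base64
import binascii
import re
import string
from typing import Optional, Tuple
from urllib.parse import urlparse

HEX_RE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _printable(data: bytes) -> Optional[str]:
    """Accept a decoding only if it is valid UTF-8 made of printable characters."""
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(ch in string.printable for ch in text) else None


def decode_profile_field(value: str) -> Tuple[Optional[str], str]:
    """Return (encoding, decoded_text); encoding is None when the field is plain text."""
    value = value.strip()
    # Try hex first: every hex string is also syntactically valid base64, so order matters.
    if HEX_RE.match(value):
        text = _printable(bytes.fromhex(value))
        if text is not None:
            return "hex", text
    # Short tokens (e.g. "camp") can be false positives; the printable check filters most.
    if B64_RE.match(value) and len(value) % 4 == 0:
        try:
            text = _printable(base64.b64decode(value, validate=True))
        except (binascii.Error, ValueError):
            text = None
        if text is not None:
            return "base64", text
    return None, value


def pivot_host(text: str) -> Optional[str]:
    """Extract the hostname from a decoded URL (scheme optional) for follow-up lookups."""
    return urlparse(text if "://" in text else "http://" + text).hostname


# Constructed sample fields mirroring the write-up; not the real profile values.
SAMPLES = {
    "website": base64.b64encode(b"https://redhunt.net").decode(),
    "location": "https://sammiewoodsec.blogspot.com/".encode().hex(),
    "bio": "Junior pentester, camping and photography",
}

if __name__ == "__main__":
    for field, raw in SAMPLES.items():
        enc, text = decode_profile_field(raw)
        host = pivot_host(text) if enc else "-"
        print(f"{field}: {enc or 'plain'} -> {text} (host={host})")
```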

I found an email address (d1ved33p@gmail.com) mentioned in the latest blog entry. This is the same email I found in the “contact me” section of the Blogger site I visited earlier.

Next, I clicked the “view my complete profile” on the “about me” section of the website.

Looks like I hit the mother lode. I can now confidently answer the questions to finish the course.

Questions:

1. What is the hacker’s first name?

Sam

2. What is the hacker’s last name?

Woods

3. What is the hacker’s age?

23

4. What country does the hacker live in?

United Kingdom

5. What are some of the hacker’s interests? (choose 5)

Security, Photography, Gaming, Malware Analysis and Camping

6. What company does the hacker work for?

Philman Security Inc

7. What is the hacker’s position within the company?

Junior Penetration Tester

8. What is the full url of the website owned by the hacker?

https://redhunt.net

9. List any full URLs of websites not owned, but used by the hacker (Blogs only)

https://sp1ritfyrehackerstories.blogspot.com/
https://sammiewoodsec.blogspot.com/

10. What email address has been used by the hacker?

d1ved33p@gmail.com

Link: https://www.securityblue.team/courses/open-source-intelligence-training-beginner
