In the world of cybersecurity, the best way to learn is by doing practical work. For this challenge, I stepped into the shoes of a law enforcement investigator tracking a fictional person of interest (POI). The goal is not just to find data, but to connect the dots between a social media presence and a real-world security incident: specifically, a breach at a Managed Service Provider (MSP).
This walkthrough documents my methodology as I attempt to build a profile from scratch, moving from a single piece of “seed” intelligence to uncovering evidence of malicious behavior.
Findings Summary
Below is the confirmed intelligence profile generated for the client, graded by evidence reliability:
📝Introduction to the Walkthrough
The Scenario: Operation SpiritFyre
I have been assigned to track an individual believed to be associated with a hacking group currently selling stolen credentials on the clear and dark web. While other teams are monitoring the dark web, my task is purely OSINT (Open Source Intelligence): use publicly available information to link our subject to the recent MSP compromise.
The Objectives
To successfully close this case, the investigation must achieve three primary goals:
- Identify all social media accounts or websites used by the target.
- Build a comprehensive profile of the individual.
- Locate evidence of malicious behavior related to the sale of stolen account details.
Challenge Resources
My manager provided only one lead to kick off the search:
Twitter Handle: @sp1ritfyre
Download the .txt report template to get a focused list of the required information. Use it to stay on track and avoid irrelevant details during the investigation, and read the “Tips and Advice” section before starting.
Tips and Advice
- Review the SBT-OSINT-Challenge-Report.txt template carefully to focus your investigation and avoid unnecessary searches.
- Do not attempt unauthorized access to password-protected pages; some are in scope and can be accessed legally through proper OSINT methods.
- Check DNS TXT records for hidden text or comments, which may contain useful information.
- Look out for Base64 or hexadecimal encoded strings; use online tools like CyberChef to decode them.
- Engage with peers on the Discord server (#i2-OSINT), but do not share spoilers.
🔍Investigation
PHASE 1: Environment Setup & OPSEC
Before diving into the hunt for @sp1ritfyre, I established a secure and isolated environment to protect my own privacy and operational security.
- Virtual Machine (VM): I conducted the entire investigation inside a Kali Linux VM on VMware Workstation, so any potentially malicious content stays isolated from my host system.
- Secure Browser: I used the Brave browser in a Private window, so no existing cookies or logged-in sessions could tie the searches to my personal accounts.
- VPN (Optional but Recommended): A VPN may cost some network speed, but it adds a layer of anonymity by hiding my true IP address from the sites I visit, including any the target controls.
PHASE 2: Initial Reconnaissance
I began by searching for the target’s unique handle with a simple but effective search operator: typing "sp1ritfyre" in double quotation marks. Quotation marks tell Google to perform a phrase search, returning only pages that contain that exact string, which removes the partial matches that would otherwise bury a rare handle.
The results immediately surfaced several sites. I focused on the top two results first: Google ranks what it considers the most authoritative and relevant pages highest, which usually means they hold the most useful data for the investigation.
PHASE 3: Technical Analysis
I clicked the X (Twitter) account first because it was the seed lead. The bio immediately offered clues about the target’s technical background and potential affiliations.
Bio text: ‘Sec Researcher Gone Bad _//_ Malware Analysis _//_ C&C Infrastructure’. These tags fit the scenario of an individual involved in hacking and selling stolen credentials.
Website link: cmVkaHVudC5uZXQK. At first glance this looks like random letters and numbers, but the character set (mixed-case letters and digits, with a length that is a multiple of four) marks it as a Base64-encoded string. Note that Twitter wraps profile links in its t.co shortener, so the displayed text and the actual link target are two different things; the encoded text is what the profile displays.
PHASE 4: Decoding
Using the online tool CyberChef, I decoded the Base64 string cmVkaHVudC5uZXQK (the t.co link behind it is https://t.co/M3KiW4ZSbd), which reveals the target’s actual web infrastructure.
Decoded result: redhunt.net. The final character, K, encodes a trailing newline, which is exactly what a shell command such as echo redhunt.net | base64 produces; a small hint that the string was generated on a command line rather than typed by hand.
PHASE 5: Link Analysis and Domain Verification
After decoding the obfuscated Twitter link into **redhunt.net**, our next priority was to safely verify the domain before interacting with it.
1. Safety Triage with VirusTotal
Before visiting the target domain from my Kali VM, I ran a passive scan through VirusTotal.
- Methodology: I submitted the link from the profile (https://t.co/M3KiW4ZSbd) to check for existing malicious detections by security vendors.
- Findings: The scan returned a “Clean” status from 98 security vendors, indicating the link was not flagged for hosting malware or phishing at the time of the investigation.
- Caveat: The submitted URL is the t.co wrapper, not redhunt.net itself. A verdict on a shortener does not always reflect its final destination, so the decoded domain should be submitted to VirusTotal on its own as well before any direct contact.
- Why this matters: Performing this check first is a critical OPSEC step. It reduces the chance of an investigator infecting their machine, and avoids tipping off the target through a direct connection before the risk has been assessed.
2. Domain Profiling via WHOIS
With the domain confirmed as “safe” for further passive research, I performed a WHOIS lookup on redhunt.net to identify ownership and infrastructure details.
Online Whois Lookup
Key Findings from WHOIS:
- Registrant Details: The domain uses Domains By Proxy, LLC, a privacy service that masks the owner’s real name and contact information.
Key Dates:
- Registered On: March 14, 2019.
- Expires On: March 14, 2026.
- Registrar: GoDaddy.com, LLC.
- Name Servers: Amazon Route 53, so at least the domain’s DNS is hosted on AWS (the web content itself may be served elsewhere).
With the registrant hidden, the following pivot strategy was set for the investigation (conducted in January 2026):
- Timeline: The 2019 registration date confirms this infrastructure has been active for several years, giving a clear window for historical analysis (archived copies, passive DNS, past certificates).
- Pivot Strategy: Since WHOIS privacy masks the registrant’s identity, the investigation shifts from registry data to content-based OSINT.
- Next Step: Move from passive to active reconnaissance by visiting https://redhunt.net to collect more information.
Phase 6: Active Reconnaissance & Site Triage
After confirming the domain’s safety ratings, I moved from passive collection to active interaction, navigating to https://redhunt.net from the isolated Kali VM in Brave to inspect the live infrastructure.
1. Infrastructure Security Assessment
On loading the page, the browser immediately flagged the site as “Not Secure”.
- Observation: The site is served over plain HTTP; there is no valid TLS certificate, so HTTPS is unavailable.
- Intelligence Value: On its own this is weak evidence (plenty of hobby sites never set up TLS), but in context it is a useful indicator. Malicious actors often run “disposable” infrastructure for short-term campaigns and rarely bother with proper certificates, and this poor domain hygiene suggests a self-managed site rather than a corporate asset.
- Action: Treating this as a characteristic of the target’s environment, I proceeded past the indicator to inspect the site contents, relying on the VM’s isolation for safety.
2. Visual Fingerprinting
The homepage appeared to be a generic travel template branded “Redhunt”.
- Observation: The site header features a distinctive red lightbulb image.
- Analysis: This image is identical to the avatar on the @sp1ritfyre Twitter account and on the Blogger profile that also appeared in the initial search. In OSINT this is called cross-platform image correlation, and it is strong visual verification that we are on the right infrastructure. Where an exact visual match is in doubt, compare the files themselves (a reverse image search or a perceptual hash) rather than relying on the eye.
3. Verifying Ownership: Digital Footprint Analysis
Next I scrolled to the site’s footer for further details.
Two identifiers stood out:
- Visual Match: The red lightbulb avatar matches the social media profiles.
- Footer Text: The footer reads ‘copyright 2020 sp1ritfyre’, tying the Twitter handle to this domain.
Phase 7: Metadata Extraction & Source Code Review
The visual inspection gave strong indicators, but an OSINT investigation needs evidence that can be cited and reproduced. To confirm the link between redhunt.net and the @sp1ritfyre persona, I performed a static review of the site’s source code.
Page source code
1. Methodology
- Action: Open the raw source by right-clicking the homepage and selecting “View Page Source” (Ctrl+U). The source is fetched from the same server, so this still counts as active contact with the target’s infrastructure.
- Objective: Identify hidden metadata, developer comments, or hard-coded strings that might reveal the site’s true administrator.
2. Critical Findings
The source yielded two intelligence leads: one confirming the visible footer in a form that can be quoted exactly, and one that is not visible on the rendered page at all.
- Finding A: The Copyright “Smoking Gun”. Near the bottom of the document (the footer section, around line 559) sits a hard-coded copyright tag the author never sanitised:
<p class="copyright">copyright 2020 sp1ritfyre</p>
Significance: This is direct attribution. Unlike the generic “Redhunt” branding elsewhere on the page, this tag names sp1ritfyre as the copyright holder, connecting the domain to the Twitter and Blogger accounts found in Phase 2.
- Finding B: Image Metadata Correlation. I also examined the meta tags used for social media previews (Open Graph and Twitter Cards). Around line 22:
<meta name="twitter:image" content="https://redhunt.net/wp-content/uploads/2020/03/lightbulb-1024x678.jpg"/>
Significance: The Twitter Card image is the same lightbulb used as the avatar on the social profiles. The path also gives two details the rendered page does not: /wp-content/uploads/ is WordPress’s upload directory, so the site runs WordPress, and the 2020/03 folder dates the upload to March 2020.
The combination of the specific username (sp1ritfyre) and a consistent timeline (a 2020 copyright and a March 2020 upload on a domain registered in 2019) in the source confirms this as the target’s self-owned website.
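Checking page source by hand works for one site, but the same review can be scripted so that every page pulled during an investigation gets the same treatment. The following Python script is an added example written for this walkthrough (it is not code from the challenge or from the redhunt.net site). It parses saved HTML and pulls out the artefacts used above: copyright text, social-preview meta tags, HTML comments, any mention of the target handle, and the CMS and upload month revealed by /wp-content/uploads/ paths. The sample HTML is constructed from the two snippets quoted above; the og:image tag and the developer comment in it are hypothetical additions for illustration.

```python
"""Pull attribution artefacts out of saved page source.

Added example for this walkthrough; not code from the challenge or the target site.
"""
import re
from html.parser import HTMLParser

YEAR_RE = re.compile(r"\b(?:19|20)\d{2}\b")
UPLOAD_RE = re.compile(r"/wp-content/uploads/(\d{4}/\d{2})/")


class AttributionParser(HTMLParser):
    """Collect copyright text, social-preview meta tags and HTML comments."""

    def __init__(self):
        super().__init__()
        self.meta = {}            # og:* / twitter:* name -> content
        self.comments = []        # developer comments are never rendered
        self.copyright = []       # text inside <p class="copyright">
        self._in_copyright = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta":
            key = a.get("property") or a.get("name") or ""
            if key.startswith(("og:", "twitter:")):
                self.meta[key] = a.get("content") or ""
        elif tag == "p" and "copyright" in (a.get("class") or "").split():
            self._in_copyright = True

    def handle_endtag(self, tag):
        if tag == "p":
            self._in_copyright = False

    def handle_data(self, data):
        if self._in_copyright and data.strip():
            self.copyright.append(data.strip())

    def handle_comment(self, data):
        self.comments.append(data.strip())


def review_source(html: str, username: str) -> dict:
    """Summarise the attribution evidence in `html` for the handle `username`."""
    p = AttributionParser()
    p.feed(html)
    p.close()

    strings = p.copyright + p.comments + list(p.meta.values())
    mentions = [s for s in strings if username.lower() in s.lower()]

    # WordPress stores uploads under /wp-content/uploads/YYYY/MM/, so the path
    # reveals both the CMS and the month the image was added.
    upload_dates = sorted({m.group(1) for s in p.meta.values() for m in UPLOAD_RE.finditer(s)})
    years = sorted({y for s in p.copyright for y in YEAR_RE.findall(s)}
                   | {d[:4] for d in upload_dates})

    return {
        "copyright": p.copyright,
        "meta": p.meta,
        "comments": p.comments,
        "username_mentions": mentions,
        "upload_dates": upload_dates,
        "cms": "WordPress" if upload_dates else None,
        "years": years,
    }


# Constructed sample: the two lines quoted in the walkthrough plus a hypothetical
# og:image tag and developer comment (neither is from the real page).
SAMPLE_HTML = """<!doctype html>
<html><head>
<meta name="twitter:image" content="https://redhunt.net/wp-content/uploads/2020/03/lightbulb-1024x678.jpg"/>
<meta property="og:image" content="https://redhunt.net/wp-content/uploads/2020/03/lightbulb-1024x678.jpg"/>
<title>Redhunt</title>
</head><body>
<!-- TODO swap out the travel template copy (hypothetical comment) -->
<h1>Redhunt</h1>
<footer><p class="copyright">copyright 2020 sp1ritfyre</p></footer>
</body></html>"""

if __name__ == "__main__":
    report = review_source(SAMPLE_HTML, "sp1ritfyre")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Save the page source from the browser (or fetch it with curl from the VM, which is still active contact with the target) and pass the file contents to review_source(). Anything in username_mentions is a direct attribution string worth quoting in the report; upload_dates and years give the timeline to compare against the WHOIS registration date and the profile creation dates.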
PHASE 8: Discovering the Blog & Hidden Location Data
Once redhunt.net had given up everything it could about the persona, I pivoted back to the initial Google search results. In OSINT, when one path is exhausted, re-examine the seed data for overlooked connections; in this case, the other results for “sp1ritfyre”.
1. Identifying the Secondary Lead: Blogger.com
While the Twitter account was the primary focus, the initial search for “sp1ritfyre” also surfaced a profile on Blogger.com, providing a new source of profile intelligence.
Sp1ritFyre Blogger
The Blogger profile immediately yielded high-value information that helped narrow down the target’s identity:
- Gender: The “About me” section explicitly identifies the user as Female.
- Profile Tenure: The account has been active since March 2020, suggesting a long-standing digital presence for this persona.
- Location: 68747470733a2f2f73616d6d6965776f6f647365632e626c6f6773706f742e636f6d2f (not a place name; decoded below).
- Views: 33,323 profile views.
2. Profile verification
The profile used the exact same username and avatar (profile picture) as the Twitter account, confirming this was the same individual.
Twitter Posting
3. Pivoting to Contact Details
Clicking ‘Contact Me’ revealed something the limited Twitter profile did not: a potential personal email address.
Potential Personal Email
Email displayed: d1ved33p@gmail.com.
4. Decoding the Obfuscated Location
The most suspicious field on the page was Location. Instead of a place name, it held a long string of hexadecimal characters:
Hex String: 68747470733a2f2f73616d6d6965776f6f647365632e626c6f6773706f742e636f6d2f
Running a “From Hex” conversion in CyberChef showed this was not a physical address but a hidden URL to a more detailed personal blog:
Decoded URL: https://sammiewoodsec.blogspot.com/
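Both obfuscated fields in this investigation (the Base64 website link in Phase 4 and the hex Location field here) were decoded one at a time in CyberChef. The following Python script is an added example written for this walkthrough, not part of the challenge materials: it scans any number of profile or DNS fields for hex and Base64 tokens, decodes them, and discards decodings that are not printable text (random bytes also "decode" happily as hex or Base64). It also flags a trailing newline in the result, which is what you get when a string is encoded with echo on a shell and is a small clue about how the value was produced. The sample fields are the two strings from the walkthrough plus one invented DNS TXT record, included because the challenge tips say TXT records can carry hidden text.

```python
"""Find and decode hex- and Base64-encoded tokens hidden in profile or DNS fields.

Added example for this walkthrough; not part of the challenge materials.
"""
import base64
import binascii
import re
import string

# Runs of hex digit pairs (16+ chars) and runs of Base64 alphabet (8+ chars,
# optional padding, not glued to other alphabet characters).
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")
B64_RE = re.compile(r"(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{8,}={0,2}(?![A-Za-z0-9+/=])")
_PRINTABLE = set(string.printable)


def _as_text(raw: bytes):
    """Decoded ASCII if every byte is printable, else None.
    Random bytes also 'decode' as hex or Base64; this filter is what keeps
    ordinary words in a bio from showing up as hits."""
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text and all(c in _PRINTABLE for c in text) else None


def decode_hex(token: str):
    try:
        return _as_text(bytes.fromhex(token))
    except ValueError:
        return None


def decode_base64(token: str):
    padded = token + "=" * (-len(token) % 4)   # profile fields often drop the '='
    try:
        return _as_text(base64.b64decode(padded, validate=True))
    except (binascii.Error, ValueError):
        return None


def _hit(encoding: str, token: str, decoded: str) -> dict:
    # A trailing newline means the value was most likely piped through
    # `base64` from a shell (echo adds the newline), not typed by hand.
    return {
        "encoding": encoding,
        "token": token,
        "decoded": decoded.strip(),
        "trailing_newline": decoded.endswith("\n"),
    }


def find_encoded(text: str) -> list:
    """Every decodable hex or Base64 token in `text`, in order of discovery."""
    hits = []
    for m in HEX_RE.finditer(text):
        decoded = decode_hex(m.group(0))
        if decoded is not None:
            hits.append(_hit("hex", m.group(0), decoded))
    for m in B64_RE.finditer(text):
        token = m.group(0)
        if HEX_RE.fullmatch(token):      # hex is a subset of the Base64 alphabet
            continue
        decoded = decode_base64(token)
        if decoded is not None:
            hits.append(_hit("base64", token, decoded))
    return hits


def scan_fields(fields: dict) -> dict:
    """Run find_encoded over each named field; return only fields with hits."""
    results = {}
    for name, value in fields.items():
        hits = find_encoded(value)
        if hits:
            results[name] = hits
    return results


# Constructed sample: the two strings from the walkthrough plus one invented
# DNS TXT record (the note= value is hypothetical).
SAMPLE_FIELDS = {
    "twitter_bio": "Sec Researcher Gone Bad _//_ Malware Analysis _//_ C&C Infrastructure",
    "twitter_website": "cmVkaHVudC5uZXQK",
    "blogger_location": "68747470733a2f2f73616d6d6965776f6f647365632e626c6f6773706f742e636f6d2f",
    "dns_txt_example": "v=spf1 -all note=c2VlIGJsb2c=",
}

if __name__ == "__main__":
    for field, hits in scan_fields(SAMPLE_FIELDS).items():
        for h in hits:
            flag = "  (trailing newline: shell-generated?)" if h["trailing_newline"] else ""
            print(f"{field}: {h['encoding']} -> {h['decoded']!r}{flag}")
```

To apply the same check to DNS, paste the output of dig +short TXT redhunt.net into a field of SAMPLE_FIELDS; the script treats it like any other text. The printable-text filter is deliberate: a Base64 decoder will turn an ordinary ten-letter word such as Researcher into junk bytes without complaint, and without the filter every long word in a bio becomes a false positive.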
5. Link Validation & OPSEC
Before visiting the decoded URL (https://sammiewoodsec.blogspot.com/), I ran the same passive check to make sure the site was safe to interact with.
Blogspot URL VirusTotal
I submitted the URL to VirusTotal, which checks it against the 70+ antivirus engines and website scanners the platform aggregates.
Result: The scan returned a “Clean” status from 97 security vendors.
Phase 9: Deep Content Analysis & Evidence Gathering
At this stage, we have successfully moved from technical infrastructure to the target’s “inner circle” of information.
Having already triaged https://sammiewoodsec.blogspot.com/ through VirusTotal, I could use this secondary blog to complete the remaining investigation objectives.
SammieWoods Blogger
This phase focuses on extracting the personal identity details needed to complete the target profile and link the individual to the MSP breach.
1. Unmasking the Identity
Analysing the “About Me” sidebar and the blog posts finally yields the primary identity markers management asked for:
Full Name and Face: The profile explicitly identifies the user as Sammie Woods.
About SammieWoods
Email Confirmation: She re-confirms her personal email address as **d1ved33p@gmail.com** directly in her latest post.
Full Persona Unmasked: The profile provides the detailed personal and professional data required to satisfy our investigation’s objective.
Click “View my complete profile” in the About Me section.
About SammieWoods: full Blogger profile
Clicking “View my complete profile” on the secondary blog gave a comprehensive profile of the individual behind the @sp1ritfyre alias:
- Name: Sammie Woods.
- Gender: Female.
- Industry: Technology
- Location: Reading, United Kingdom.
- Occupation: Junior Penetration Tester.
- Interests: Security, Programming, Technology, Gaming, Photography, and Camping.
- Favorite movies: Ready Player One (2018).
- Favorite music: The Beatles, Rolling Stones, Queen.
- Favorite books: The Hunger Games series.
- Profile views: 22,864 people.
- On Blogger since: June 2019
Professional Background: A junior penetration tester in the technology industry has the kind of offensive skills the MSP breach would require, which fits the scenario, though a job title alone is not proof of involvement.
2. Identifying Professional Affiliations
To complete the professional profile, I looked for her link to the corporate world in the blog archive.
The archive holds a post from June 2019 titled ‘How I got into Cyber Security’. Opening it gives more detail about her working life.
The blog post revealed a detailed timeline of her transition from a student to a technical professional:
- Name: Sam
- Age: 23
- Education: Studied ICT in college before earning a 1st-class degree in Cyber Security and Forensics from the University of Plymouth.
- Current Employer: PhilmanSecurityInc.
- Role: Junior Pen tester.
- Colleagues/Mentors: Mentions Zach and Dave as mentors at her firm.
📬Challenge Submission
1. [1] What is the hacker’s first name?
Sam
2. [2] What is the hacker’s last name?
Woods
3. [3] What is the hacker’s age?
23
4. [4] What country does the hacker live in?
United Kingdom
5. [5] What are some of the hacker’s interests? (choose 5)
Security, Gaming, Photography, Malware analysis and Camping
6. [6] What company does the hacker work for?
PhilmanSecurityInc
7. [7] What is the hacker’s position within the company?
Junior Pen tester
8. [8] What is the full url of the website owned by the hacker?
https://redhunt.net
9. [9] List any full URLs of websites not owned, but used by the hacker (Blogs only)
https://sammiewoodsec.blogspot.com/
https://sp1ritfyrehackerstories.blogspot.com/
10. [10] What email address has been used by the hacker?
d1ved33p@gmail.com
🎉Congratulations, you have finished the Security Blue Team Introduction to OSINT challenge.
Conclusion
This investigation demonstrates the OSINT intelligence cycle in practice. Starting from a single seed lead, the Twitter handle @sp1ritfyre, I pivoted across multiple platforms to build a comprehensive target profile.
By decoding obfuscated data (Base64 and hexadecimal strings) and reviewing website source code, we moved beyond surface-level information to identify the subject’s self-owned infrastructure. The discovery of the secondary blog, sammiewoodsec, was the “smoking gun” that stitched the digital persona @sp1ritfyre to the real-world identity of Sammie Woods.
The case reinforces that even privacy-conscious actors leave digital breadcrumbs, whether through reused avatars, forgotten strings in page source, or personal details shared on “professional” blogs.