Clear Web OSINT Investigation — Course Capstone
Course Link: https://elearning.securityblue.team/home/courses/free-courses/introduction-to-osint
I performed a clear web investigation into a fictional person suspected of being involved in an MSP data breach and the sale of stolen credentials as part of the Introduction to OSINT course. I was a member of the clear web investigation team in this scenario, concentrating solely on publicly available information and OSINT techniques; no unauthorized access attempts were made, and all conclusions are based on open sources.
Starting point and known information
I began the inquiry with just one verified piece of information:
**@sp1ritfyre** on Twitter
This handle served as the main pivot for broadening the inquiry and finding further internet presence, personal information, and possible connections to malicious activity. While reviewing the profile, tweets, and interactions, I noticed a link that was base64 encoded; this confirmed that the handle was likely used as a central identity rather than a throwaway account.
This is **base64**, but save it for later.
Using username reuse techniques, I searched for the alias sp1ritfyre and related name variations across blogging platforms.
This led me to discover two Blogger websites: https://sammiewoodsec.blogspot.com/ and https://sp1ritfyrehackerstories.blogspot.com/
Both blogs contained security-related content, personal reflections, and technical write-ups. The writing style and themes were consistent across both sites, indicating they were operated by the same individual.
From the blog content and associated Blogger profiles, I was able to extract personal details that helped build a profile of the individual.
By reviewing the blogs and profiles, I identified multiple personal interests:
- Security
- Programming
- Technology
- Gaming
- Photography
- Camping
The profile's location field was hex encoded, so I decoded it, which led me to a link to a blog.
I identified an email address associated with the individual: d1ved33p@gmail.com
From the blog I discovered where the person is employed:
Organization: PhilmanSecurity Inc.
Job title: Junior Penetration Tester
The technical expertise displayed in the blogs and in the social media engagement is consistent with this role.
I was also curious about the profile image; a TinEye reverse image search returned results showing that this image is also fake.
Based on multiple open references, I identified the subject as:
First Name: Sam, Last Name: Woods, Age: 23, Country: United Kingdom
And the Blogger profile pages further reinforced this attribution:
https://www.blogger.com/profile/08313689826885886832
https://www.blogger.com/profile/16540060306570410038
Both profiles were linked back to the same blogs and writing style.
I then pivoted to identifying any self-owned domains. I started by decoding the base64 string found in the Twitter account; the use of encoding suggests an attempt to hide or casually obscure links, which is common behaviour in underground or semi-private communities.
This led me to the website https://redhunt.net/, which contains the same image I found on the Twitter account.
I then checked VirusTotal, urlscan, and Domain Dossier to confirm that the domain is owned by the same person.
I identified another email address: the GoDaddy abuse address abuse@godaddy.com was referenced in relation to domain or hosting interactions.
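To show how the encoded-link pivot works in practice, here is a small Python helper. It is an added example, not part of the original write-up or the course material. It scans free text (a bio, a tweet, a location field) for tokens that are hex or base64 encoded and reports the ones that decode to URLs, trying hex first because a hex string is also a valid base64 string. The sample bio and the example.org URLs inside it are constructed for illustration; the investigation's actual encoded strings are not reproduced here.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Candidate tokens: long runs of characters from the hex/base64 alphabets.
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{16,}")
HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/=_-]+$")


def looks_like_url(text):
    """True if the decoded text parses as an http(s) URL with a host."""
    parsed = urlparse(text)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def try_hex(token):
    """Decode an even-length hex string to UTF-8 text, or return None."""
    if len(token) % 2 or not HEX_RE.fullmatch(token):
        return None
    try:
        return bytes.fromhex(token).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None


def try_base64(token):
    """Decode standard or URL-safe base64 (padding optional), or return None."""
    if not B64_RE.fullmatch(token):
        return None
    # Restore padding that posters often strip to make the blob look less obvious.
    padded = token + "=" * (-len(token) % 4)
    urlsafe = "-" in token or "_" in token
    decoder = base64.urlsafe_b64decode if urlsafe else base64.b64decode
    try:
        return decoder(padded).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def decode_obscured(token):
    """Return (encoding, decoded_text) for a hex- or base64-encoded token, else None.

    Hex is tried first: every hex string is also valid base64, but not vice versa,
    so the reverse order would misdecode hex-encoded links as base64 garbage.
    """
    token = token.strip()
    for name, decode in (("hex", try_hex), ("base64", try_base64)):
        decoded = decode(token)
        if decoded and decoded.isprintable():
            return name, decoded
    return None


def find_hidden_links(text):
    """Scan free text for encoded tokens and keep those that decode to URLs.

    Returns a list of (original_token, encoding, decoded_url).
    """
    found = []
    for match in TOKEN_RE.finditer(text):
        result = decode_obscured(match.group())
        if result and looks_like_url(result[1]):
            found.append((match.group(), result[0], result[1]))
    return found


# Constructed sample profile text (hypothetical; not from the investigation):
# one base64-encoded link and one hex-encoded link embedded in a bio.
SAMPLE_BIO = (
    "pentester | aHR0cHM6Ly9leGFtcGxlLm9yZy9ibG9n | location: "
    "68747470733a2f2f6578616d706c652e6f72672f6c6f636174696f6e"
)

if __name__ == "__main__":
    for token, encoding, url in find_hidden_links(SAMPLE_BIO):
        print(f"{encoding:>6}: {token} -> {url}")
```

Running the block on the constructed bio reports the base64 token as https://example.org/blog and the hex token as https://example.org/location; tokens that decode to non-printable bytes or to text that is not a URL are dropped, which keeps random hashes and IDs in a profile from showing up as false hits.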
Summary of Required Information Collected
**First Name:** Sam
**Last Name:** Woods
**Age:** 23
**Country:** United Kingdom
**Interests:** Security, Programming, Technology, Gaming, Photography, Camping
**Employer:** PhilmanSecurity Inc.
**Position:** Junior Penetration Tester
**Self-Owned Website:** https://redhunt.net/
**Other Websites:** https://sammiewoodsec.blogspot.com/ , https://sp1ritfyrehackerstories.blogspot.com/
**MSP Breach Link:** https://www.redhunt.net
**Email Addresses:** d1ved33p@gmail.com , abuse@godaddy.com
Finally, this OSINT challenge let me apply the methods I learned during the course in an organized inquiry. I was able to find the subject's internet footprint, build a dependable profile, and gather open-source indicators of possibly harmful activity.
This challenge illustrated how OSINT can be used in an ethical and legal manner to assist investigations.
I appreciate the challenge and the opportunity to learn during the course.
Now that I have finished the Introduction to OSINT course, this capstone has strengthened both my grasp of acceptable OSINT techniques and my investigative methodology.
Thank you for your time, and I hope this is helpful :)