My First Experience as an OSINT Specialist in Law Enforcement

Introduction
Yesterday, to pass my Security Blue Team OSINT course, I was presented with a challenge: to assist law enforcement in finding a Person of Interest (POI), the perpetrator of a security breach, and to gather other information about this POI.
To do this, I was given just one piece of information: a Twitter handle (sp1ritfyre). That's tough and crazy! But for an OSINT specialist, that should be enough if I can effectively use both technical and soft skills, and I did just that.
To start with, here is the other information I was expected to extract about our POI:
That's quite a lot, but as I wrote above, my job isn't to complain about the little information I was given but to use it to connect the dots until I have something substantial to present. Little is enough!
The Game
The first thing I did was run a Google dork against the username, and yup, I found quite a handful of search results when I used the 'inurl:' operator with the username: 'inurl:sp1ritfyre'.
Here is a screenshot of the top search result:
As with every Google search, some of the results were irrelevant to my intent, but I had to check them all to find my information.
From the screenshot, search results 1, 2, 4 and 5 seemed to contain valuable info, with 1 and 2 being the most useful.
Diving into 1, I found a Blogger profile bearing some information:
a username, an email address (which could serve as valuable Personally Identifiable Information, PII), a display picture (which could also help us correlate with other data), gender, and a hexadecimal value!
I wrote all these down and continued with the next result on my search engine results page: a Twitter profile bearing the same username as above.
The Twitter profile looks good and at the same time doesn't look good.
What do I mean? The structure of the profile and even the bio tell us that this user has the capacity to carry out such a data breach, don't they? The bad side is that this user is flaunting their unethical behavior. That's some balls!
Now, there is something I didn't notice immediately but later caught up with: the use of text that isn't in plaintext. I saw it in the Blogger profile; now I am seeing it again, but here it is in Base64.
That brings us to the next step: decoding it. I used ChatGPT to do my decoding, but before that I clicked on the link in a sandboxed environment, and Twitter warned me. That's a sign. Another sign is that it uses the '.xyz' TLD. Now, this TLD isn't inherently bad, but because it is cheap and easily available, it is often used by malicious actors to set up spam sites. That was too much risk, so I went back, right-clicked the Base64 link to copy it, and decoded it with ChatGPT.
Here is the screenshot:
Wait, did you notice something? Yeah, 'redhunt.net'. That URL appeared in our initial Google dork search. The dots are beginning to connect, aren't they?
So we proceed.
This is redhunt.net:
There is nothing much here, except that the image on the page appears somewhere else: the Blogger profile.
But I still hadn't got much information about our POI. It was at this stage that I decoded the hex value, and that too gave us a site:
It's another Blogger URL, which was actually the main blog.
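Both encoded strings in this write-up (the hexadecimal value on the Blogger profile and the Base64 string in the Twitter bio) turned out to be URLs. The script below is an added example, not part of the original post or the course material: it scans a profile bio for hex- and Base64-looking tokens, decodes them locally (so the string never has to be clicked or pasted into a third-party service), extracts any URL, and flags TLDs that warrant extra caution before visiting. The bio text, the encoded strings, the example.com/example.xyz addresses and the RISKY_TLDS set are all constructed for the demo and are not the POI's real data.

```python
import base64
import binascii
import re
from urllib.parse import urlparse

# Constructed sample bio standing in for the profile fields described in the post.
# The two tokens encode "https://example.com/blog" (hex) and "https://example.xyz/loot" (Base64).
SAMPLE_BIO = (
    "security researcher | aHR0cHM6Ly9leGFtcGxlLnh5ei9sb290 | "
    "68747470733a2f2f6578616d706c652e636f6d2f626c6f67"
)

# Assumption: TLDs that are cheap to register and therefore worth a second look
# before visiting. Extend to taste; this is not an authoritative list.
RISKY_TLDS = {"xyz", "top", "click"}

# Candidate tokens: an even-length run of hex digits (>= 16 chars) or a Base64 alphabet run
# (>= 16 chars) with optional padding. Short tokens are skipped to limit false positives.
HEX_RE = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")
B64_RE = re.compile(r"\b[A-Za-z0-9+/]{16,}={0,2}")


def decode_candidates(text):
    """Return [(encoding, token, decoded_text)] for tokens that decode to printable ASCII."""
    results = []
    for m in HEX_RE.finditer(text):
        try:
            decoded = binascii.unhexlify(m.group(0)).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            results.append(("hex", m.group(0), decoded))
    for m in B64_RE.finditer(text):
        token = m.group(0)
        if HEX_RE.fullmatch(token):
            continue  # a hex run is also a valid Base64 alphabet run; already handled above
        padded = token + "=" * (-len(token.rstrip("=")) % 4)
        try:
            decoded = base64.b64decode(padded, validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            continue
        if decoded.isprintable():
            results.append(("base64", token, decoded))
    return results


def assess_url(decoded):
    """Parse a decoded string as a URL and report host, TLD and whether the TLD is on the caution list."""
    parts = urlparse(decoded)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    tld = parts.hostname.rsplit(".", 1)[-1].lower()
    return {
        "url": decoded,
        "host": parts.hostname,
        "tld": tld,
        "risky_tld": tld in RISKY_TLDS,
    }


def triage(text):
    """Decode every candidate in `text` and return the URL assessments (non-URLs are dropped)."""
    findings = []
    for encoding, token, decoded in decode_candidates(text):
        info = assess_url(decoded)
        if info is not None:
            info["encoding"] = encoding
            info["token"] = token
            findings.append(info)
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_BIO):
        flag = "CAUTION" if finding["risky_tld"] else "ok"
        print(f"[{finding['encoding']}] {finding['url']}  host={finding['host']}  tld=.{finding['tld']}  {flag}")
```

Run it on the constructed bio and it reports both URLs without opening either; the ".xyz" one is flagged for caution, which mirrors the judgement call made above before visiting the real link. Pivoting on the decoded hostname (searching for it, checking WHOIS or passive DNS) is safer than loading the page, and the decoded value stays on your own machine.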
So this particular site has a plethora of information. It is the POI's safe house, and this is where I got the remaining information.
First, I saw the email, which I cross-checked against what I had written down earlier. They matched.
There are three blog posts on the site. The third one contained more information about her.
I now know that she is 23, where she works and lots of other information.
I read through everything on that page and scanned through her GitHub, where I guessed from the location of a contributor to her project that she lives in the UK, though I wasn't sure yet. Checking her blog profile, I saw more info, and even a face to the name Sam Woods.
So, on a full page, the data of our POI is in my hands:
Submission
It was fascinating! I had to compile everything and get it right, except task 11, which asked for a URL that ties her to the breach.
I couldn't find any direct URL, and the next best thing I found was the URL of the blog post where she revealed that she works at Philman Security Inc. When I checked the organization on Google, they had some business as a 'Managed Service Provider', so I hypothesized that since she works there, that's her leverage: insider access.
And this is my first experience with OSINT. It is a very challenging field; I know I'll encounter more complicated tasks than this in the future, tasks that will keep me awake for days, but it is also fun, which I love.
Credits to Security Blue Team and Tech Enthusiast who helped suggest SBT’s resource to me.
Written by

Joseph Chisom Ofonagoro
Hi there! I am a curious techie. My spare time is spent with books.