Cyber Investigations for Beginners Part 1 | Hunting Indicators With EZgmail

Step .5) Define the investigation scope.

Before getting started with any investigation, define its scope. A clear scope keeps the work focused, and once the initial objectives are met they can be re-evaluated and updated. For the purpose of this article, I want to know more about the spam campaign targeting me (who the spammers are and what their goal is) and to collect the indicators about them (sender addresses, domains, URLs) that would let me add them to a block list.

Keto is great, but not THAT great…

Step 1) Set up the Jupyter notebook and install/import EZgmail. Run this cell and ensure you are logged in. EZgmail needs a credentials.json file from a Google Cloud project with the Gmail API enabled; the first call to ezgmail.init() opens a browser login and saves token.json next to it, and ezgmail.LOGGED_IN tells you whether that succeeded.

Step 2) Search for suspicious emails in your inbox.

The search string is where you define the Gmail search operators for the messages you want to investigate (the same syntax as the Gmail search bar, so operators such as from: and in:spam work). In this case, we know the display name of the sender is “KetoFuel” and that the messages landed in my spam folder.

Step 3) View the results.

We know we are dealing with two messages, but the default object output tells us nothing about who sent them or what they contain.

Step 4) Grab the sender’s information and the message body.

The sender’s email addresses. Note that they aren’t using a common email provider (Hotmail, a *.edu address, etc.), so the sending domain itself is a useful indicator.
Both messages were the same, so I only included one to save space. Interesting that it’s in French….

Step 5) Pull MIME content.

Multipurpose Internet Mail Extensions (MIME) lets a single email carry several parts (plain text, an HTML alternative, inline images, attachments), so the HTML part can render almost like a web page and carry links and tracking images that never appear in the plain-text body. Let’s try extracting some and see what happens. To do this, I will adapt part of a spam-grabbing script I wrote for a research project.

Ah ha! More interesting content!
Non-Pinterest URLs
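The notebook cells in this post are images, so the extraction code itself is not reproduced here. What follows is an added example written for this page (it is not the author’s spam-grabbing script and not part of EZgmail) that performs the same step in plain Python on one raw RFC 822 message: it parses the message with the standard library’s email package and pulls out the pivot points identified above (sender addresses, the sending IP from the Received header, the body, and every URL in the text and HTML parts), separating Pinterest-hosted image links from the campaign’s own domains. The SAMPLE_RAW message, including its addresses, domains and IP, is constructed for the demonstration. The fetch_raw helper is my assumption about how the raw bytes would be obtained through the Gmail API client that EZgmail creates on init (ezgmail.SERVICE_GMAIL with format="raw"); it is not executed here.

```python
import base64
import email
import re
from email import policy
from email.message import EmailMessage
from email.utils import getaddresses
from urllib.parse import urlparse

# Constructed sample standing in for the raw RFC 822 bytes of one spam message.
# Every address, domain and IP here is made up (.test TLD, 203.0.113.0/24
# documentation range); it is not data from the author's inbox.
SAMPLE_RAW = b"""\
Return-Path: <bounce@example-fuel-offers.test>
Received: from mail.example-fuel-offers.test ([203.0.113.7]) by mx.example.com; Mon, 1 Jan 2024 10:00:00 +0000
From: "KetoFuel" <promo@example-fuel-offers.test>
Reply-To: <contact@another-domain.test>
To: victim@example.com
Subject: Votre offre Keto
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Bonjour, cliquez ici: http://track.example-fuel-offers.test/go?id=123
Photos: https://www.pinterest.com/pin/000/
--XYZ
Content-Type: text/html; charset="utf-8"
Content-Transfer-Encoding: 7bit

<html><body>
<a href="https://cdn.example-landing.test/keto">Offre</a>
<img src="https://i.pinimg.com/originals/x.jpg">
</body></html>
--XYZ--
"""

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
IPV4_IN_BRACKETS_RE = re.compile(r'\[(\d{1,3}(?:\.\d{1,3}){3})\]')
ADDRESS_HEADERS = ("From", "Sender", "Reply-To", "Return-Path")
# Image hosting the campaign borrows rather than infrastructure it controls.
THIRD_PARTY_DOMAINS = ("pinterest.com", "pinimg.com")


def fetch_raw(message_id: str) -> bytes:
    """Assumed fetch path (not run offline): one message as raw RFC 822 bytes
    via the Gmail API client EZgmail builds when ezgmail.init() succeeds."""
    import ezgmail
    resp = ezgmail.SERVICE_GMAIL.users().messages().get(
        userId="me", id=message_id, format="raw").execute()
    return base64.urlsafe_b64decode(resp["raw"])


def parse_message(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def sender_addresses(msg: EmailMessage) -> dict:
    """Bare addr-specs from every header that names the sending party."""
    out = {}
    for name in ADDRESS_HEADERS:
        values = [str(v) for v in msg.get_all(name, [])]
        out[name] = [addr for _, addr in getaddresses(values) if addr]
    return out


def received_ips(msg: EmailMessage) -> list:
    """IPv4 literals from Received: headers, in header order (last hop first)."""
    ips = []
    for hdr in msg.get_all("Received", []):
        ips.extend(IPV4_IN_BRACKETS_RE.findall(str(hdr)))
    return ips


def plain_body(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain",))
    return part.get_content() if part is not None else ""


def extract_urls(msg: EmailMessage) -> list:
    """URLs from every text/* part (plain and HTML), de-duplicated in order."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text":
            continue
        for u in URL_RE.findall(part.get_content()):
            u = u.rstrip(".,;)")
            if u not in urls:
                urls.append(u)
    return urls


def is_third_party(url: str) -> bool:
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in THIRD_PARTY_DOMAINS)


def pivot_points(raw: bytes) -> dict:
    """Everything worth pivoting on from one message, grouped by indicator type."""
    msg = parse_message(raw)
    urls = extract_urls(msg)
    own = [u for u in urls if not is_third_party(u)]
    return {
        "senders": sender_addresses(msg),
        "received_ips": received_ips(msg),
        "subject": str(msg["Subject"]),
        "body": plain_body(msg),
        "third_party_urls": [u for u in urls if is_third_party(u)],
        "other_urls": own,
        "other_domains": sorted({urlparse(u).hostname for u in own}),
    }


if __name__ == "__main__":
    for key, value in pivot_points(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Two choices worth noting: the Reply-To and Return-Path addresses are collected alongside From, because spam operators often route replies and bounces to infrastructure different from the displayed sender, and each of those domains is a separate pivot; and only the first IP in brackets per Received line is trusted as “the” relay when the header was written by your own provider, since earlier hops can be forged by the sender.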

Coming up in Part 2: It’s Pivoting Time!

In the next installment in this series, I will begin a deeper analysis starting with the pivot points identified above.

Ryan Foote
@IntelCorgi | Cyber threat intelligence analyst and independent researcher with an interest in malware and OSINT. Opinions are NOT that of employer.