Phishing Forensics and Investigation Guide
When a phishing attack succeeds, forensic investigation determines the scope of compromise, the attacker’s methods, and the data at risk. Effective forensics also produces indicators of compromise (IOCs) that protect the rest of the organization and the broader community. NIST SP 800-86 (Guide to Integrating Forensic Techniques into Incident Response) and NIST SP 800-61r3 provide the frameworks for this work.
The Forensic Investigation Workflow
Phishing forensics follows a structured workflow that preserves evidence integrity while working under time pressure.
Phase 1: Evidence Preservation
Before analyzing anything, preserve the evidence chain:
Email evidence:
- Save the complete phishing email in its original format (.eml or .msg), including full headers
- Take screenshots showing the email as it appeared to the recipient
- Document the timestamp and recipient list
- Export the message from the mail server or journaling store rather than from the client; forwarding or saving from a client can rewrite, reorder, or drop headers, and the server copy is the one whose headers your own infrastructure stamped
Endpoint evidence:
- Capture memory from affected systems before rebooting or powering off; running processes, network connections, and injected code do not survive a reboot
- Image the disk of compromised endpoints
- Collect browser history, download logs, and cached pages
- Export relevant Windows Event Logs or macOS Unified Logs
Network evidence:
- Capture DNS query logs showing the phishing domain resolution
- Collect web proxy logs for the phishing URL
- Pull firewall logs for any C2 communication
- Export SIEM alerts related to the incident timeline
Chain of custody: Document who collected what evidence, when, and how it was stored. This matters if the investigation leads to legal proceedings.
Phase 2: Email Analysis
Start with the phishing email itself. Use email header analysis as the foundation, then go deeper.
Header analysis:
- Trace the Received headers from the bottom (oldest hop) up to your own mail server; each relay prepends one. Only the hops added by servers you control are verifiable, and the IP your edge server received the message from is the last address you can actually vouch for. Anything below that is text the sender could have written
- Check SPF, DKIM, and DMARC results in the Authentication-Results header stamped by your own edge server (the authserv-id before the first semicolon). A sender can inject a forged Authentication-Results header, so ignore any copy your infrastructure did not add
- Identify the sending infrastructure (IP addresses, HELO names, and the server software named in the "with" and "by" tokens)
- Note the X-Mailer header and the Message-ID format as campaign fingerprints, but treat them as hints: both are set by the sender and trivially forged
Content analysis:
- Extract all URLs from the message body and HTML source, including href targets that differ from the visible link text and the src attributes of images and scripts
- Identify tracking pixels (1x1 images) and per-recipient identifiers in URLs; opening the message may already have told the attacker that the mailbox is live, and the identifier tells you which recipient's copy you are holding
- Hash every attachment (SHA-256) before opening it, then analyze its metadata (author, creation date, tool used)
- Compare message language against known phishing kit templates
Infrastructure analysis:
- WHOIS or RDAP lookup on the sender domain: registration date (a domain registered days before the campaign is a strong signal), registrant (often redacted for privacy), name servers
- DNS records for the phishing domain — IP, MX, TXT records
- Passive DNS to find other domains on the same IP
- Certificate transparency logs for the phishing domain
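The header, content, and hashing steps above, carried out together on one message, as an added example (this is not code from the original page or from NIST). It works on a constructed .eml string with documentation domains and IPs; the trust boundary it assumes is that hosts under example.org are your own mail servers, and the attachment is a placeholder rather than a real PDF. Its output doubles as the structured IOC list the later intelligence phase asks for.

```python
import hashlib
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Constructed sample (not a real message): documentation domains and IPs, placeholder
# attachment. Assumed trust boundary: hosts under example.org are our own mail servers.
SAMPLE_EML = """\
Received: from mx-edge.example.org (mx-edge.example.org [192.0.2.10])
    by mailstore.example.org with ESMTPS id abc123; Tue, 4 Mar 2025 09:15:02 +0000
Authentication-Results: mx-edge.example.org; spf=fail smtp.mailfrom=accounts-examplebank.com;
    dkim=none; dmarc=fail (p=none) header.from=examplebank.com
Received: from relay.badhost.test (relay.badhost.test [203.0.113.45])
    by mx-edge.example.org with ESMTP id xyz789; Tue, 4 Mar 2025 09:15:01 +0000
Received: from [198.51.100.7] (unknown [198.51.100.7])
    by relay.badhost.test with SMTP; Tue, 4 Mar 2025 09:14:58 +0000
From: "ExampleBank Security" <alerts@examplebank.com>
To: jdoe@example.org
Subject: Action required: verify your account
Message-ID: <20250304091458.1234@relay.badhost.test>
X-Mailer: PHPMailer 6.8.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please <a href="https://examp1ebank-verify.com/login?u=jdoe">verify your account</a>.</p>
<img src="https://examp1ebank-verify.com/t.gif?id=7f3a9c" width="1" height="1">
</body></html>
--b1
Content-Type: application/pdf; name="statement.pdf"
Content-Disposition: attachment; filename="statement.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQKc2FtcGxl
--b1--
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def sha256_hex(data):  # evidence hash; record it in the custody log at collection time
    return hashlib.sha256(data).hexdigest()

def is_ours(host, suffix):
    host = (host or "").lower().rstrip(".")
    return host == suffix or host.endswith("." + suffix)

def parse_received(headers, suffix):
    """Newest hop first. Trust a hop only if its 'by' host is ours; the 'from' IP of the
    last trusted hop is the handoff point. Lower hops are sender-supplied text."""
    hops, handoff = [], None
    for h in headers:
        text = " ".join(str(h).split())
        by, ip = re.search(r"\bby\s+(\S+)", text), IP_RE.search(text)
        hops.append({"by": by and by.group(1), "from_ip": ip and ip.group(1),
                     "trusted": bool(by) and is_ours(by.group(1), suffix)})
    for hop in hops:
        if not hop["trusted"]:
            break
        handoff = hop["from_ip"]
    return hops, handoff, (hops[-1]["from_ip"] if hops else None)

def parse_auth_results(headers, suffix):
    """Use only the header our edge stamped (authserv-id before ';'); others may be forged."""
    for h in headers:
        authserv, _, rest = " ".join(str(h).split()).partition(";")
        if is_ours(authserv.strip(), suffix):
            return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", rest))
    return {}

def analyze_html(html):
    urls = re.findall(r"""(?:href|src)\s*=\s*["']([^"']+)["']""", html, re.I)
    pixels = []  # 1x1 images whose src usually carries a per-recipient token
    for tag in re.findall(r"<img\b[^>]*>", html, re.I):
        if all(re.search(rf"""\b{d}\s*=\s*["']?1["']?(?!\d)""", tag, re.I) for d in ("width", "height")):
            src = re.search(r"""\bsrc\s*=\s*["']([^"']+)""", tag, re.I)
            pixels.append(src.group(1) if src else tag)
    return urls, pixels

def analyze_email(raw, trusted_suffix="example.org"):
    msg = message_from_string(raw, policy=policy.default)
    hops, handoff_ip, claimed_ip = parse_received(msg.get_all("Received") or [], trusted_suffix)
    auth = parse_auth_results(msg.get_all("Authentication-Results") or [], trusted_suffix)
    body = msg.get_body(preferencelist=("html",))
    urls, pixels = analyze_html(body.get_content()) if body else ([], [])
    attachments = [{"filename": p.get_filename(), "content_type": p.get_content_type(),
                    "sha256": sha256_hex(p.get_payload(decode=True) or b"")}
                   for p in msg.iter_attachments()]
    domains = sorted({urlsplit(u).hostname for u in urls if urlsplit(u).hostname})
    hdr = lambda name: str(msg[name]) if msg[name] is not None else None
    return {
        "evidence_sha256": sha256_hex(raw.encode("utf-8")),  # hash of the .eml as collected
        "sender": msg["From"].addresses[0].addr_spec, "subject": hdr("Subject"),
        "message_id": hdr("Message-ID"), "x_mailer": hdr("X-Mailer"),  # sender-set, forgeable
        "hops": hops, "handoff_ip": handoff_ip, "claimed_origin_ip": claimed_ip, "auth": auth,
        "urls": urls, "tracking_pixels": pixels, "attachments": attachments,
        "iocs": {"ips": [ip for ip in (handoff_ip, claimed_ip) if ip], "domains": domains,
                 "urls": sorted(set(urls)), "sha256": [a["sha256"] for a in attachments]},
    }
```

Run `analyze_email(SAMPLE_EML)` and note the distinction the report draws: `handoff_ip` (203.0.113.45) is the address your edge server actually accepted the message from, while `claimed_origin_ip` (198.51.100.7) comes from a Received line the relay wrote and is only a claim. The attachment hash is computed before anything opens the file, which is the order the preservation phase requires.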
Phase 3: URL and Website Analysis
Analyze the phishing URL and destination page only in an isolated sandbox, never from a production workstation and never while signed in as the victim:
Static analysis:
- Inspect the URL structure for typosquatting and suspicious patterns
- Check WHOIS and DNS for the phishing domain
- Search threat intelligence databases (VirusTotal, URLhaus, PhishTank)
- Check certificate details via certificate transparency logs
Dynamic analysis (sandbox):
- Submit the URL to a sandbox (URLScan.io, Any.Run, Joe Sandbox). If the URL carries a per-recipient token, use a private submission so the victim identifier and your interest in the page are not published, and remember that the visit itself can tip off the attacker
- Capture the phishing page screenshot and source code; pages often serve different content depending on user agent, referrer, or geolocation, so record what the sandbox was shown
- Identify what data the form collects (credentials, MFA codes, personal information)
- Look for JavaScript that fingerprints the visitor or evades analysis
- Check for redirect chains that the initial URL passes through and record every intermediate host as an indicator
- Identify the backend server receiving stolen data: the form's action target or the fetch/XMLHttpRequest destination, which is often a different host from the one serving the page
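The static URL checks described above, as an added example that is not part of the original page: it inspects URL structure for the lookalike tricks the text names (digit-for-letter substitutions, the brand as a subdomain of an unrelated domain, a brand name in the userinfo part before `@`, punycode hosts, and a nested URL in the query that signals a redirect hop). The brand list, the sample URLs, and the tiny stand-in for the Public Suffix List are assumptions for the example; production code should use the real Public Suffix List.

```python
import re
import unicodedata
from urllib.parse import parse_qs, unquote, urlsplit

# Assumptions for the example: the impersonated brand and a tiny stand-in for the
# Public Suffix List (real code should consult the PSL itself).
KNOWN_BRANDS = ("examplebank",)
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed sample URLs (documentation domains and IPs, not real sites)
SAMPLE_URLS = [
    "https://examplebank.com/login",
    "https://examp1ebank-verify.com/login?u=jdoe",
    "https://examplebank.com.security-check.net/auth",
    "https://examplebank.com@203.0.113.45/login",
    "https://" + "examplebänk.com".encode("idna").decode("ascii") + "/login",
    "https://t.example-tracker.net/r?next=https%3A%2F%2Fexamp1ebank-verify.com%2Flogin",
]

def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold(label):
    """Strip accents and undo common homoglyph tricks so that 'examp1ebank' and
    'examplebänk' both compare as 'examplebank'."""
    ascii_only = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    return ascii_only.translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")

def registered_domain(host):
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def inspect_url(url, brands=KNOWN_BRANDS):
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    flags = []
    try:
        unicode_host = host.encode("ascii").decode("idna")  # show what the user saw
    except UnicodeError:
        unicode_host = host
    if unicode_host != host:
        flags.append("punycode_host")
    if parts.username is not None:  # https://bank.example@evil.test/ trick
        flags.append("userinfo_in_url")
    is_ip = bool(IPV4.match(host))
    if is_ip:
        flags.append("ip_literal_host")
    reg = host if is_ip else registered_domain(host)
    reg_label = reg.split(".")[0]
    folded = "" if is_ip else fold(registered_domain(unicode_host).split(".")[0])
    for brand in brands:
        if is_ip or reg_label == brand:
            continue  # genuine brand domain, or no domain to compare
        if brand in host and brand not in reg_label:
            flags.append(f"brand_in_subdomain:{brand}")
        if brand in folded or levenshtein(folded.replace("-", ""), brand) <= 2:
            flags.append(f"brand_lookalike:{brand}")
    nested = [unquote(v) for vals in parse_qs(parts.query).values() for v in vals
              if unquote(v).lower().startswith(("http://", "https://"))]
    if nested:
        flags.append("nested_url_in_query")  # open-redirect or tracker hop
    if host.count(".") >= 4:
        flags.append("deep_subdomain_nesting")
    return {"url": url, "host": host, "unicode_host": unicode_host, "registered_domain": reg,
            "flags": flags, "nested_urls": nested,
            "nested_findings": [inspect_url(n, brands) for n in nested]}

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        r = inspect_url(u)
        print(f"{r['unicode_host']:45} {r['flags']}")
```

The nested-URL check matters because the first URL in a campaign is frequently a tracker or an open redirect on a legitimate site; inspecting the inner URL is what surfaces the actual credential-harvesting host, and it should be added to the redirect chain you record.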
Phase 4: Scope Assessment
Determine how far the attack reached:
- Email search: Query mail logs for the same sender, sending IP, subject, URLs, or attachment hashes across all mailboxes; a campaign often rotates sender addresses and subject lines, so search on each indicator separately
- Click analysis: Review web proxy and DNS logs for employees who visited the phishing URL or resolved its domain, and record whether each request was allowed or blocked
- Credential check: Identify users who entered credentials on the phishing page. Check authentication logs for logins from unfamiliar IP addresses or locations after the click, and treat even a failed attempt from an outside IP as evidence that the credentials were entered. Also look for new MFA device registrations and new inbox rules on those accounts
- Lateral movement: Search for signs that compromised accounts were used for internal phishing, mailbox forwarding rules, or access to shared resources
- Data access audit: Review what data compromised accounts accessed post-compromise
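The click-to-credential correlation from the scope assessment above, as an added example that is not part of the original page. It joins constructed web proxy lines with constructed authentication lines: a user who reached the phishing host and then authenticated from outside the corporate address space, or from an IP already tied to the campaign, is triaged as likely compromised. The log format (ISO timestamp followed by key=value fields), the 10.0.0.0/8 corporate range, and the sample users are assumptions for the example.

```python
import ipaddress
from datetime import datetime
from urllib.parse import urlsplit

# Constructed sample log lines (documentation IPs and domains, not real traffic).
# Assumed format: ISO timestamp followed by key=value fields. Assumed corporate
# address space: 10.0.0.0/8. The phishing message was delivered at 09:15 UTC.
PROXY_LOG = """\
2025-03-04T09:20:11Z user=jdoe src=10.1.4.22 url=https://examp1ebank-verify.com/login?u=jdoe action=ALLOW
2025-03-04T09:21:03Z user=asmith src=10.1.4.31 url=https://intranet.example.org/home action=ALLOW
2025-03-04T09:33:40Z user=asmith src=10.1.4.31 url=https://examp1ebank-verify.com/login?u=asmith action=ALLOW
2025-03-04T09:40:02Z user=bchen src=10.1.5.8 url=https://examp1ebank-verify.com/login?u=bchen action=BLOCK
"""
AUTH_LOG = """\
2025-03-04T08:02:15Z user=jdoe src=10.1.4.22 result=success app=m365
2025-03-04T09:47:52Z user=jdoe src=198.51.100.7 result=success app=m365
2025-03-04T09:49:10Z user=jdoe src=198.51.100.7 result=success app=exchange event=inbox_rule_created
2025-03-04T10:05:00Z user=asmith src=10.1.4.31 result=success app=m365
2025-03-04T10:30:44Z user=asmith src=203.0.113.77 result=failure app=m365
2025-03-04T11:12:09Z user=bchen src=10.1.5.8 result=success app=m365
"""

def parse_log(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime under 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *pairs = line.split()
        ev = dict(p.split("=", 1) for p in pairs)
        ev["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        events.append(ev)
    return events

def assess_scope(proxy_log, auth_log, phishing_domains, corporate_nets, attacker_ips=()):
    nets = [ipaddress.ip_network(n) for n in corporate_nets]
    is_internal = lambda ip: any(ipaddress.ip_address(ip) in n for n in nets)
    auth = parse_log(auth_log)
    triage = {}
    # Pass 1: who reached the phishing host (first click per user), and was it blocked?
    for ev in parse_log(proxy_log):
        if urlsplit(ev["url"]).hostname in phishing_domains:
            triage.setdefault(ev["user"], {"click_at": ev["ts"], "blocked": ev["action"] != "ALLOW",
                                           "suspicious_auth": [], "post_compromise_events": []})
    # Pass 2: authentications after the click from outside the corporate ranges, or from an
    # IP already tied to the campaign. A failed attempt still means credentials were entered.
    for user, entry in triage.items():
        for ev in auth:
            if ev["user"] != user or ev["ts"] <= entry["click_at"]:
                continue
            if is_internal(ev["src"]) and ev["src"] not in attacker_ips:
                continue
            entry["suspicious_auth"].append({"ts": ev["ts"].isoformat(), "src": ev["src"],
                                             "result": ev["result"],
                                             "known_attacker_ip": ev["src"] in attacker_ips})
            if ev["result"] == "success" and "event" in ev:
                entry["post_compromise_events"].append(ev["event"])
        if any(a["result"] == "success" for a in entry["suspicious_auth"]):
            entry["status"] = "credentials_likely_compromised"
        elif entry["suspicious_auth"]:
            entry["status"] = "external_auth_attempt"
        elif entry["blocked"]:
            entry["status"] = "click_blocked"
        else:
            entry["status"] = "clicked_no_auth_anomaly"
        entry["click_at"] = entry["click_at"].isoformat()
    return triage

if __name__ == "__main__":
    result = assess_scope(PROXY_LOG, AUTH_LOG, {"examp1ebank-verify.com"},
                          ["10.0.0.0/8"], attacker_ips={"198.51.100.7"})
    for user, entry in result.items():
        print(user, entry["status"], [a["src"] for a in entry["suspicious_auth"]])
```

Two points the output illustrates: asmith's single failed login from an outside address is still triaged as an external attempt, because the credentials had to have been entered for anyone to try them; and jdoe's post-click inbox rule creation is pulled out separately because it is the kind of persistence the lateral-movement check is looking for. A "no anomaly" result is not a clean bill of health: credentials may have been captured and not yet used, so every user who reached the page still gets a password reset.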
Phase 5: Attribution and Intelligence
While attributing a phishing campaign to a specific threat actor with confidence is rarely possible, useful intelligence includes:
- Phishing kit identification: Many phishing kits leave distinctive artifacts (specific file names, directory structures, comments in HTML)
- Infrastructure clustering: Use passive DNS to identify other domains in the same campaign
- Behavioral patterns: Attack timing, target selection, and exfiltration methods can match known threat actor profiles
- IOC extraction: Produce a structured list of indicators (domains, IPs, URLs, email addresses, file hashes) for sharing
Essential Forensic Tools
| Tool | Purpose | Cost |
|---|---|---|
| VirusTotal | Multi-engine scanning of URLs, files, IPs | Free (limited) / Paid |
| URLScan.io | Website rendering and analysis in sandbox | Free |
| WHOIS/DIG | Domain registration and DNS investigation | Free |
| Wireshark | Network traffic analysis | Free |
| Autopsy | Disk forensics for endpoint analysis | Free |
| Volatility | Memory forensics | Free |
| TheHive | Incident response and case management | Free (open source) |
| MISP | Threat intelligence sharing and IOC management | Free (open source) |
Reporting Forensic Findings
Internal Report
Document findings for your incident response team and leadership:
- Executive summary (attack type, scope, impact)
- Timeline of events
- Technical analysis details
- Indicators of compromise
- Recommendations for prevention
External Reporting
Share IOCs and findings with:
- FBI IC3 for law enforcement action
- CISA for infrastructure-targeting attacks
- ISPs and hosting providers for takedown
- Industry ISACs for sector-specific intelligence
- MISP or other threat intelligence sharing platforms
Preserving Evidence for Legal Action
If the investigation may lead to legal proceedings (criminal prosecution, civil litigation, regulatory enforcement):
- Maintain strict chain of custody documentation
- Use write-blockers when imaging disks
- Hash all evidence files (SHA-256) at collection time and record the hashes in the chain-of-custody log, so any later copy can be verified against the original
- Store evidence in tamper-evident containers
- Engage legal counsel before sharing forensic findings externally
Key Takeaways
- Preserve evidence before analyzing — email headers, endpoint images, and network logs form the evidence chain
- Start with email header and infrastructure analysis, then assess organizational scope
- Sandbox analysis of phishing URLs reveals data collection methods and backend infrastructure
- Extract IOCs (domains, IPs, hashes) to protect the rest of your organization and share with the community
- Document findings for both technical teams and leadership, with separate reports for each audience
- Maintain chain of custody if legal proceedings are possible
For the complete phishing defense framework, see our phishing recognition and reporting guide.
Sources
- NIST SP 800-86: Guide to Integrating Forensic Techniques into Incident Response
- NIST SP 800-61 Rev. 3: Incident Response Recommendations
- CISA Phishing Guidance: Stopping the Attack Cycle at Phase One
Security education disclaimer: This article describes forensic investigation techniques for authorized defensive purposes only. Forensic investigations should be conducted by qualified professionals with appropriate authorization. Do not use these techniques for unauthorized access to others’ systems or communications.