
https://doi.org/10.2352/EI.2024.36.3.MOBMU-328
© 2024, Society for Imaging Science and Technology

OSINT-Based Email Investigation


Samrudha Mhatre (1), Franziska Schwarz (1), Klaus Schwarz (1,3), Reiner Creutzburg (1,2)

(1) SRH Berlin University of Applied Sciences, Berlin School of Technology, Ernst-Reuter-Platz 10, D-10587 Berlin, Germany
Email: [email protected], [email protected], [email protected], [email protected]

(2) Technische Hochschule Brandenburg, Department of Informatics and Media, IT- and Media Forensics Lab, Magdeburger Str. 50, D-14770 Brandenburg, Germany, Email: [email protected]

(3) University of Granada, Faculty of Economics and Business, P.º de Cartuja, 7, ES-18011 Granada, Spain

Keywords: Open Source Intelligence, OSINT, SOCMINT, Cybersecurity, OSINT Investigation, Cybersecurity Training

Abstract
Open-source technologies (OSINT) and Social Media Intelligence (SOCMINT) are becoming increasingly popular with investigative and government agencies, intelligence services, media companies, and corporations - but also for cybercriminals in email phishing. The amount of public and private data available is rising rapidly.
OSINT and SOCMINT technologies use sophisticated techniques and special tools to analyze the continually growing sources of information efficiently. This work aims to find descriptive information using the OSINT tools available online. The target will be achieved with the help of dummy accounts that would help understand the tools and evaluate further different tools. Also, find out what tools are commonly used and what improvements can be made to make them more descriptive for analysts.

Introduction
Millions of users worldwide are sharing, making connections, and exchanging daily life on earth, and our world has seen change quickly over the past 20 years. The amount of public data available is usually free and plentiful. This time can be defined as the "information age." However, people may argue that years of knowledge have helped society evolve into a digital age with its problems. The digital age has come to a particular danger to society. In contrast, digital methods are used to create ease of use for consumers, but the same thing happens to crime, terrorism, and other forms of cruel actors. It is a common misconception that the tactics used to fight crime are divided into categories, which must come from confidential sources. The fact is that today, organizations rely more on open-source information, using the Internet to create new strategies and methods for investigating crime, collecting information, and creating relationships between data.

Background
OSINT can define a wide range of data collection, from the attack phase of penetration to data analysis for marketing purposes. However, action measures are the same for each model. Open-source intelligence (OSINT) involves collecting, processing, and associating public information from public data sources such as social media, forums, and blogs, as well as publicly available government data, publications, or commercial data that can be accessed for a fee (Pastor-Galindo et al., 2020). OSINT is a performance-based approach to the target, and that target can be a person, an organization, or a group of people. By offering information about the target and the method of use of the advanced collection and analysis strategies, OSINT simultaneously enhances the knowledge of the target. The information obtained feeds the collection process so you can get closer to the goal. Over the past few years, social media has seen a record increase in non-active members of their media sharing posts and uploading daily activities.
SOCMINT is a combination of OSINT and Web Mining strategies for various types of social media data to identify and understand the position of social media by expressing the behavior of people on the platform. This can lead to privacy troubles, and consciously making rational choices to change the domain of social media to the favored state can be a threat to countrywide safety, as we have seen in recent years in the form of the Cambridge Analytica scandal. With the amount of information and data available in the public domain and collection techniques, things changed over time. While OSINT was based on newspaper data collection in the past, public talks and discussions are just a few examples. In contrast, today's data is open on the Internet, and data collection methods are becoming more and more advanced and accessible to all through the growth of open-source software development.

Methodology
The research will aim to find descriptive information using the online OSINT tools. The target will be achieved with the help of dummy accounts that would help understand the tools and evaluate all the different tools. Also, find out what tools are commonly used and what improvements can be made to make them more descriptive for analysts.

Research Strategy
A wide range of literature was reviewed. Despite its relevance to other research, this is an original study. The study is based on a thorough investigation of OSINT email addresses that can be used as a basic framework. As part of the investigation, investigative tools/software were applied to evaluate OSINT on

IS&T International Symposium on Electronic Imaging 2024


Mobile Devices and Multimedia: Enabling Technologies, Algorithms, and Applications 2024 328--1
Email Addresses using real-life demonstration accounts/groups as appropriate.

Research Approach
This study began with concrete knowledge of OSINT and an observation of how email addresses can curb security challenges or enhance their other positive uses. In doing so, the context of OSINT was applied to real Email accounts.

Literature review
The section outlines the basic theory of OSINT, its intelligence cycle, related tools, and aspects of OSINT, focusing on Email and its benefits. Additionally, it examines intelligence in general and open-source intelligence (OSINT) in other categories.
Pastor-Galindo & Nespoli describe OSINT as a contemporary phenomenon. They examine it comprehensively, focusing primarily on the services and techniques enhancing cybersecurity. Firstly, the paper strives to analyze this system's strong points and suggest various ways it can be used in cybersecurity. On the other hand, it tends to cover the restrictions once adopted. Since there is a lot to be explored within this extensive field, there can be some open challenges that have to be addressed in the future. Moreover, it is also concerned with the role of OSINT within the public sphere, which represents an ideal environment to utilize open knowledge.
The paper by Michael Glassman & JuKang introduces the concept of Open-Source Intelligence (OSINT) as an essential component of understanding human problem-solving in the 21st century. As a result of the emergence of the Internet and the growing dominance of the World Wide Web in daily life, many aspects of OSINT reflect the altered relationship between humans and information. The paper discusses changes in intelligence conceptions brought about by the Internet and the Web. It aims to explore how the Internet can be used to enhance and extend the use of fluid intelligence, and proposes open-source processes and ethos as a model for a new form of intelligence.
Throughout their paper, Adel & Cusack discuss why OSINT is vital for intelligent forensic investigations and why the quality of retrieved information is crucial for conducting digital forensic analysis, which can provide crucial evidence against organized crime, fraud, and murders and even help trace terrorist activities. Since there is a focus on retrieving high-quality data from tools, determining which tools provide significant advantages in data analyses is more critical than ever. It can provide links to other case-related and unrelated databases.

What is open-source intelligence (OSINT)?
Open-source intelligence (OSINT) is a concept that refers to any publicly available data used to fulfill a specific need for information. Open-source intelligence (OSINT) collects and reviews freely accessible data from web media. Open-source intelligence (OSINT) is information from public sources like the Internet. However, the term isn't strictly limited to the Internet; it means all publicly available sources. The conclusion from all the possible definitions is: In contrast to closed or private data, OSINT is extracted from publicly available information sources. It creates valuable insight and knowledge about the topics that open-source intelligence addresses.

OSINT Information Gathering Types
OSINT resources can be collected using Active, Passive, and Semi-Passive methods.
• Active Collection
The method of information gathering in which you are directly in contact with the target. Among the features of this process are harvesting technical data about the target IT infrastructure through open ports, vulnerability scanning through unpatched Windows systems, scanning server applications, etc. This technique can be risky since the target may be aware, as the system may leave traces that can be detected by Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS). Active collection also includes going somewhere physically and talking to someone (social engineering attack on the target).
• Passive Collection
Gathering data with the quiet observation of data generated by the target is one of the most common forms of data collection. A few examples of this include shoulder surfing, eavesdropping, and studying maps. Many OSINT data are collected passively using publicly accessible resources and can be gathered remotely. This process can be performed anonymously through virtual machines, VPNs, and the Dark Web (TOR). When passively collecting data, finding the most reliable information is difficult. This results in a lack of deeper analysis.
• Semi-Passive Collection
The collection process that falls between active and passive is in this category. The target servers are sent a small amount of traffic to gain a general understanding of them through this data collection method. The traffic is designed to look like regular Internet traffic in order not to draw attention to your reconnaissance operation. Rather than profoundly analyzing the target's web resources, you conduct a light review without alarming the target.

OSINT can be categorized into different categories based on where the public data is located:
• Internet
• Academic Publications
• Geospatial data
• Corporate paper
• Media channels

Tool comparison for Email OSINT analysis
This section introduces and demonstrates different tools for email-related intelligence analysis from the platform using open-source information. Various workflows and usage examples will be shown for each of the tools. Platform tools range from simple queries, usually free of charge, to more extensive infrastructure solutions that allow multiple queries on a large data set.
Using machine learning and advanced filtering tactics, these solutions optimize both the process and the outcome. A substantial budget and team are needed to implement many solutions corporations and governments use. Due to this, access to this kind of solution is limited. There are, however, many excellent open-source tools that help users conduct powerful searches. This paper aims to identify the set of tools based on

the use cases and the principal utilities. Each tool shown in this thesis is freely available via the Internet.

List of used tools:
• Hunter
• Emailable
• Phantom Buster
• LeadFuze
• Email Harvester
• Simple Email Reputation
• Email Header Analyzer
• Google Admin Toolbox Message header

Hunter
Hunter is a web application for email finding and verification that helps run email campaigns. Using Hunter's services, professionals can connect with people who matter. The application founders are François Grante and Antoine Fink.

Demonstration:
• Domain's search
Domain search allows the user to look for relevant verified mail, and the pattern can be determined with the mail available in the public domain. This search provides a personal and generic view as well.
• Type filter
Show only personal or role-based email addresses.
• Email pattern
The most common email format used in your organization can be identified by selecting from dozens of combinations.
• Find someone
Enter the person's name, and the user will be given their email address.
• Score & verification
Obtain a confidence score or list of verified email addresses.
• Save a lead
Any email the user receives from your leads can be exported or imported straight into your favorite CRM.
• Sources
Almost every email address has public sources that the user can check, along with the last discovery date.
Figure 1. Screenshot of Hunter.io
• Finder
The Finder has two options to look for:
1. Email Finder
2. Author Finder
With the Email Finder, you can find a professional email address based on a name and a domain name. Using the data we have about the given domain name, we can guess the email address from our database. Eventually, we verify the address or return the information with a confidence score.
Figure 2. Screenshot of Hunter.io
• Author finder
With the Author Finder, the user can find out who wrote an article and their professional email address. Based on the application's information about the domain name of the given article, we can guess the email address or search for it in our base. Based on the result, the application provides confidence that it is a genuine email address.
Figure 3. Screenshot of Hunter.io
• Verify
Using Email Verification, the application can check a recipient's deliverability without emailing. It verifies the format, domain information, and responses from the mail servers to verify that an email address can be used. The example below is about a current employee and an old employee. The older employee is Invalid as it is disabled, while the current employee's mail is valid. This section in the application provides information about the format, type, server status, and email status.
• Bulks
The bulks option in this application allows the user to perform various tasks simultaneously. The tasks include domain search, email Finder, author Finder, and email verification.
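Hunter's Verify step, and the deliverable/undeliverable/risky/unknown categories that Emailable reports later in this paper, rest on the same three checks: address format, whether the domain has a mail server, and how that server answers for the mailbox. The Python below is an added example, not code from the paper or from either tool; it runs that decision logic offline over constructed probe results (the MX and SMTP answers are hand-written, nothing is fetched), and the role-based local-part list, the sample addresses and the SMTP reply texts are assumptions.

```python
"""Email verification verdicts (added example): format -> MX -> SMTP reply -> status."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Deliberately simple format checks: a 1-64 char local part, dotted labels in the domain.
LOCAL_RE = re.compile(r"^[A-Za-z0-9._%+-]{1,64}$")
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Assumed list of role-based local parts; Hunter's type filter separates these from personal ones.
ROLE_LOCAL_PARTS = {"info", "admin", "support", "sales", "contact", "noreply",
                    "no-reply", "postmaster", "abuse", "hr", "jobs", "office"}


@dataclass
class Probe:
    """Constructed result of the network side of a verification (nothing is fetched here)."""
    address: str
    mx_hosts: Tuple[str, ...]     # MX records found for the domain; empty if none
    rcpt_code: Optional[int]      # SMTP reply code to RCPT TO; None on timeout / no answer
    rcpt_text: str = ""           # reply text, used only to explain 5xx rejections
    accept_all: bool = False      # server also accepted a random mailbox (catch-all)


@dataclass
class Verdict:
    state: str    # deliverable | undeliverable | risky | unknown
    reason: str
    kind: str     # personal | role-based | n/a


def syntax_ok(address: str) -> bool:
    """Format check a verifier runs before touching the network."""
    if address.count("@") != 1:
        return False
    local, domain = address.split("@")
    if not LOCAL_RE.match(local) or ".." in local or local[0] == "." or local[-1] == ".":
        return False
    labels = domain.split(".")
    return len(labels) >= 2 and all(LABEL_RE.match(label) for label in labels)


def address_kind(address: str) -> str:
    local = address.split("@")[0].lower()
    return "role-based" if local in ROLE_LOCAL_PARTS else "personal"


def classify(probe: Probe) -> Verdict:
    """Map one probe to the status families the tools report."""
    if not syntax_ok(probe.address):
        return Verdict("undeliverable", "invalid format", "n/a")
    kind = address_kind(probe.address)
    if not probe.mx_hosts:
        return Verdict("undeliverable", "domain has no mail server (no MX record)", kind)
    code = probe.rcpt_code
    if code is None:
        return Verdict("unknown", "timeout or SMTP unavailable", kind)
    if 500 <= code < 600:
        text = probe.rcpt_text.lower()
        if "disabled" in text or "suspend" in text:
            return Verdict("undeliverable", "mailbox disabled", kind)
        return Verdict("undeliverable", f"mailbox rejected ({code})", kind)
    if 400 <= code < 500:
        return Verdict("unknown", f"temporary failure ({code}), retry later", kind)
    if 200 <= code < 300:
        if probe.accept_all:
            # The server takes any mailbox, so a 250 proves nothing about this one.
            return Verdict("risky", "accept-all server; mailbox existence unconfirmed", kind)
        return Verdict("deliverable", "mailbox accepted", kind)
    return Verdict("unknown", f"unexpected reply ({code})", kind)


# Constructed probes mirroring the paper's test set: a current employee, a former employee
# whose mailbox was disabled, a startup address behind a catch-all server, plus edge cases.
SAMPLES = [
    Probe("jane.doe@example.com", ("mx1.example.com",), 250, "2.1.5 OK"),
    Probe("old.hire@example.com", ("mx1.example.com",), 550, "5.2.1 mailbox disabled"),
    Probe("founder@startup.example", ("mx.startup.example",), 250, "OK", accept_all=True),
    Probe("info@example.com", ("mx1.example.com",), 250, "OK"),
    Probe("jane..doe@example.com", ("mx1.example.com",), None),
    Probe("someone@nomail.example", (), None),
    Probe("slow@example.net", ("mx.example.net",), None),
    Probe("busy@example.net", ("mx.example.net",), 451, "4.7.1 try again later"),
]


def run_samples() -> dict:
    """Verdict per sample address."""
    return {p.address: classify(p) for p in SAMPLES}


if __name__ == "__main__":
    for address, v in run_samples().items():
        print(f"{address:28} {v.state:14} {v.kind:11} {v.reason}")
```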

Figure 4. Screenshot of Hunter.io
• Campaign
The campaign feature allows the application user to run a campaign for multiple mail IDs with options for follow-up and provides the performance chart of the whole campaign. The campaign feature allows the user to set up the content with an option of follow-up emails. The next step is setting up the audience or the target for the campaign. After the campaign starts, all the emails are sent within a period. The statistics show various stats about the number of emails sent, the number of emails opened, the number of clicks on the mail link, and the number of replies. The activity section shows notifications about the campaign, such as the update of mail opened, clicked, or replied to.
Figure 5. Screenshot of Hunter.io
• Add-ons
Hunter has add-on features like the Chrome extension, Google Sheets add-on, mail tracker, and templates. All these features are easy to use. The Chrome extension allows the user to get the email addresses of the website it is currently browsing.
Steps to add the Chrome extension:
1. Search Hunter's Chrome Extension page.
2. Then click the "+ Add to Chrome" button.
3. Click the Add extension button to confirm.
After the extension is installed, it allows one to find email addresses with a simple click while you are on the website.
1. Go to the website you want to get the email address for.
2. Click on the extension icon in your browser.
Using that method, you can find all the email addresses with the same domain (i.e., finishing with Talon.One) we found on the web, along with the URL where each address was found.
Figure 6. Screenshot of Hunter.io
The extension also provides information about the source of the mail address. The extension provides the most common pattern: {last}@talon.one. When available, Hunter's Chrome extension will also return other information about the mail, such as:
1. Full name
2. Job Title
3. Telephone number
4. LinkedIn profile
5. Twitter profile
When the user uses this add-on feature for the first time, the add-on will ask for your API key before connecting to your Hunter account.
The next is MailTracker by Hunter. This extension lets the user know whether the recipient has opened the mail. To add the email tracker, the user must add the extension to the Chrome browser and then sign in with the user's Gmail. Currently, the feature works with Gmail only.
Figure 7. Screenshot of gmail.com
The feature also shows the number of times the recipient has opened the mail.
• Limitation
You can perform several email verifications per month based on your monthly verification quota. A limit is set per domain: you can verify 200 email addresses per 24 hours from a single domain name. Bulk email verification allows for a maximum of 10,000 emails to be verified.

Emailable
Emailable is a fully equipped email verification solution. Sending emails is not sufficient. They must be delivered. Deliverability and ROI for your email marketing campaigns will increase with one of the most affordable and reliable mail-checking services.

Demonstration:
The Emailable web application has various categories: bulk, monitor, single, and API. The bulk category allows for the creation of a list of targeted emails. The list can be added to the bulk

by the computer using the copy-paste method or by connecting two third-party applications. Once the mail IDs have been added to the list, we can proceed with verification and other information.
The application provides a view of mail that is deliverable and undeliverable. The reason for mail being decided as undeliverable would be a non-existent email address, suspension of mail, or other reasons such as termination of an employee's mail ID. The other outputs from this application would be risky, duplicate, and other unknown reasons. The reasons for the risky email category would be low quality or low deliverability. The unknown reasons would be no content, time out, unexpected error, and SMTP unavailability.
Figure 8. Screenshot of Emailable
The email IDs tested on this application were from various organizations: two employees currently working in the organization, two employees who have left the organization, and a startup-based mail ID. The application also has an Email Verifier, which provides an excellent visual view of the verified mail. The application also allows the user to set up a monitored list, automatically allowing seamless email verification, and takes responsibility for cleaning the email list. The monitoring list can be set up with the help of a simple integration using APIs for various kinds of applications like HubSpot, Intercom, Campaign Monitor, Active Campaign, Shopify, and various other applications. The application also allows the setup of an API using JSON.

Limitation
The application shows a lot of false-positive results. The use of the application in its free version is limited. Most of the features need to be enabled after the payment is done.
Figure 9. Screenshot of Emailable

Phantom Buster
Phantom Buster is a data extraction solution designed to help marketing and sales teams across businesses of all sizes collect information on LinkedIn, Twitter, Instagram, Facebook, and other forums for convenient customer relationship management. The platform also enables administrators to automatically schedule and execute actions such as following profiles, liking posts, posting customized messages, receiving requests, and more, with the aim of increasing visibility across the web and turning any webpage you know into a source of information. Phantom Buster will visit the webpage on your behalf and gather the information for you. Phantom can do any action on the web. It is efficient and works 24/7. The main goal of Phantom Buster is to let non-technical users quickly set up automatic and essential growth strategies and be creative.

Demonstration:
Creating a spreadsheet is the base for users of any Phantom Buster category. The spreadsheet setup is essential.
In column A, enter a list of full names, one person per row. Having first names in one column and last names in another is also possible. After that, enter the names of the corresponding companies (or websites) for each person.
A column titled "name" should be used for the full name, while a column titled "company" should be used for company names.
Make this spreadsheet public so Phantom Buster can access it.
Figure 10. Screenshot of Phantom Buster
After saving the Emails to find, the following task is behavior. Here, the user will enter the number of spreadsheet rows to process per launch, name your results file, and the fields to keep in the CSV file. The next step is Email discovery. There are various options for email discovery services from various providers, such as Phantom Buster, Dropcontact.io, Hunter.io, and Snov.io. I have used the Phantom Buster service and clicked on save. In the settings tab, I used Launch Manually, and in notifications, I

selected the "in case of error" option to get notified in case of error and clicked on save. After the launch process is complete, download the CSV file that contains the email address, qualification, phone number, job profile, etc. The output CSV contains the email address, qualifications, phone number, job profile, etc., that can be used further.

Limitation:
The web application has limited access during the trial period. The execution time is just 2 hours, while only five searches were possible.

LeadFuze
LeadFuze is a Lead Generation Software that provides advanced communication data. It uses Artificial Intelligence to find specific clues in specific fields and industries. It is used by sales, hiring teams, and marketing organizations. Key features offered by LeadFuze software include automated listing, reliable email access, and a focus on exciting prospects.
Get the contact details of any business professional. Get contact details and social media profile information such as Facebook, LinkedIn, Instagram, etc. Search all market segments or specific people or accounts. It is used by retailers, employers, and advertisers in marketing agencies, employees, IT, and start-ups.

Demonstration:
LeadFuze consists of different searches, such as market-based or account-based. Market search helps search the organization by accepting various filters like the industry in which the organization lies, location, number of employees, and year in which the organization was founded. Other factors include the monthly budget, the technology used, posts for which the organization is hiring, and news.
Figure 11. Screenshot of LeadFuze
A market-based search allows users to look for an extensive search area. They can choose from small businesses to large companies.
The output shows a range of people from the Computer Software and Internet Technology Industry in Berlin, Germany. The employee sizes defined are 500-1000, founded in 1995.
The application provides information about the person the user selects: personal information like LinkedIn profile, years of work experience, skills, estimated salary, job history, time in the latest role, and interests; company details like year founded, industry, employee size, the technology used, and information about the role for which it is currently hiring. The employees section shows the current employee members of the organization.
Figure 12. Screenshot of LeadFuze
Figure 13. Screenshot of LeadFuze
The following important part is account-based search. The account-based search allows the user to look for people using their first name, last name, company name, and role. When searching using an account-based search, click on account-based search, add the first name, last name, company name, the role of the person, etc., and click on start searching.
Figure 14. Screenshot of LeadFuze
It also offers filters such as required mail, contact number, mail address, etc., and one can check the employment status. Further, we can add the results to the lists to get detailed information.

Limitation:
LeadFuze is a little challenging to use initially. It is hard to

Figure 15. Screenshot of LeadFuze
find enough double-verified leads in the categories needed. When people leave jobs or change positions, it's not always updated. Some things are difficult to see, but one gets answers quickly with live chat.

Email Harvester
In this package, you will find Email Harvester, a tool to retrieve domain email addresses from search engines. Email harvesting or scraping can obtain email address lists through various methods.

Demonstration
The EmailHarvester helps retrieve domain email addresses from search engines. It is a GitHub-based application and runs smoothly on Kali Linux and Parrot OS. This is a straightforward but very effective tool in the early stages of a penetration test or when trying to determine the visibility of a company online.
Getting started with Email Harvester
The user needs to clone the application from GitHub. Before cloning the application, the essential requirements need to be fulfilled. The basic requirements are Python 3.x, termcolor, colorama, requests, and validators. Most of the requirements are covered in Kali Linux. Most importantly, Python must be above version 3 after covering all the basic requirements. The next step is cloning the application from GitHub.
Cloning involves two basic steps:
git clone https://github.com/maldevel/EmailHarvester
pip install -r requirements.txt
Figure 16. Screenshot of emailharvester
When the installation is done, the user can start using the tool with simple commands like the ones below:
Search in Google:
emailharvester -d getyourguide.com -e googleplus
Search the site using search engines:
emailharvester -d getyourguide.com -e linkedin
emailharvester -d getyourguide.com -e twitter
emailharvester -d getyourguide.com -e googleplus
Search across all engines/sites:
emailharvester -d granny.co -e all
Output:
Figure 17. Screenshot of emailharvester
Figure 18. Screenshot of emailharvester
Search in all engines/sites but exclude some:
emailharvester -d example.com -e all -r twitter,ask
Limit results:
emailharvester -d example.com -e all -l 200
Export emails:
emailharvester -d example.com -e all -l 200 -s emails.txt
Proxy server:
emailharvester -d example.com -e all -x http://127.0.0.1:8080

Limitation:
The result is not decisive, and the result varies. The output provided is limited using emailharvester.

Simple Email Reputation
EmailRep is a system of crawlers, scanners, and enrichment services that gather information on email addresses, domains, and internet personas. EmailRep utilizes many elements from social media profiles, professional networking sites, dark web credential leaks, data breaches, phishing kits, phishing emails, spam lists, open mail relays, domain age and reputation, deliverability, and more to predict the risk of an email address. There are hundreds of factors considered by EmailRep, such as the domain age, traffic rank, presence on social media, professional social networking sites, personal connections, public records, deliverability, dark web credential leaks, phishing emails, and emails sent by threat actors.

Demonstration:
The free version of Simple Email Reputation allows users to test 250 monthly queries and up to 10 queries/day. There is a paid version, which is commercial and enterprise. Commercial allows users to email and have 1000 queries per month and no daily limit with Email.
Input: [email protected]
Output: High Reputation
Not suspicious. We have not sent any direct reference to this Email, but the sender's domain is highly reputable. The Email is

Figure 19. Screenshot of Simple Email Reputation
deliverable, but the mail server accepts all the Email addresses. No malicious or suspicious activities are found from this address.
Figure 20. Screenshot of Simple Email Reputation
Input: [email protected]
Output: Risky
Suspicious. The email address is not found on the Internet, and there is no primary profile on LinkedIn, Facebook, or other social media accounts. A lack of digital presence may indicate that this is new and can be suspicious mail. The domain has a low reputation. The email address is deliverable, and the mail server accepts all the emails.

Limitation:
The application does not provide a proper output and can give a false-positive output.

E-Mail Header Analyzer
An email header can be checked and analyzed with this tool. Received lines are displayed separately, and the data is displayed. The tool is all about providing information extracted from the header of any mail: information like Time Overview, Description, Received Details, Public IP Addresses, and Header Description (Recipient hostname, Sender hostname). The tool is available for free. The owner of the tool is Gaijin.
To use this tool, the user needs to get the header of the particular mail about which the user needs more information. The header needs to be pasted in the box and searched.

Demonstration:
Once the header is copied, paste it into the box and click enter.
After clicking enter, the output will have a systematically arranged header, time overview of the mail, description, and other information.
The time overview will provide information about the sender, receiver, and the cycle from where the mail has traveled to the end recipient. It will also show IP addresses.
Figure 21. Screenshot of Email Header Analyzer
suspicious sender.
The next important thing that can be useful is IP addresses.
The application also provides information regarding the header. In this section, the output of each header description includes both a description and a formatted and decoded header, if available.
Figure 22. Screenshot of Email Header Analyzer
Information like Delivered-To, Return-Path, X-Google-SMTP-Source, Authentication-Results, Message-ID, and DKIM-Signature is shown with an explanation for each item.
This tool helps to get a person's IP address. This can be a helpful thing in case of fraudulent activities. This application can help police keep track of information regarding any suspicious activities.

Limitation:
The application is free, and there is no control over who will use this service. IP addresses falling into the wrong hands can be dangerous. A login page and security are essential for this service to be used.

Google Admin Toolbox Message header
This is another Email Header checker. These tools provide more accurate information regarding the mail using its header. The Gmail headers are crucial in revealing sensitive information about the sender and other aspects of your network. Thus, one will likely find sensitive information if one carefully analyses Gmail
The description will show a proper timeline for the mail. headers. The Gmail header contains the following elements:
The receiver details more information about the sender until Delivered-to: This field indicates the email address of the
it reaches its target. Here, a warning will be raised regarding any recipient. It usually contains the same email ID used to analyze

IS&T International Symposium on Electronic Imaging 2024


328--8 Mobile Devices and Multimedia: Enabling Technologies, Algorithms, and Applications 2024
Gmail headers. Findings
The email header indicates which SMTP server the message Based on statistical analysis, we found that each tool pro-
was received from as indicated by the ”Received By” element: duces a different result, has different usability, and, most impor-
tantly, has a different benefit. The following information has been
1. Server’s IP address summarized in the following table after carefully comparing the
2. SMTP id of the server visited tools, how they operate, and how widely they are used.
3. Time and date at which SMTP received a message The Findings from the analysis of these tools are attached in
the table below.
Email addresses include a header field called X-Received to in-
dicate the presence of non-standard headers. Among its contents Use Cases
are: The focus of the study in this section is to design the use
case for some tools when it comes to Email addresses, which
1. In the case of a message received by a server, the server’s IP allowed the study to select specific tools to achieve results for
address, different scenarios in the study. Intelligence can be found by
2. contains the server’s SMTP email, emailing sentiment, emails, and sentiment analysis. As Email is
3. contains the time and date when the Email was receive.d one of the best platforms for searching for people and gaining
that person’s information to emails form it into intelligence, the
Signature DKIM: The DKIM signature header contains a file information that Email can provide can be more accurate since
email containing the digital signature embedded in the Email. most of the target organization’s email addresses are available.
The mail server maintains another authentication key to allow Most ransomware attacks take place through mail when targeted
data sharing with secure encryption. towards a specific target. In this case study, we will try to get
information about suspicious/Ransomware mail. Therefore, to
Demonstration: perform a thorough analysis on which further investigation can
The Google admin toolbox helps to get information from the be based, it is necessary to collect relevant data for the analysis,
header. Paste the header acquired form through Gmail. which creates a problem in understanding the means and scope of
the research; it is also necessary to establish a foundation of facts.

Problem description:
The use cases are an example of Blackmailing mail and
Lottery/Fund Mail. There is an email received on the target mail
addresses. The mail has blackmailed the person to reveal the
secret of the business accessed by the sender. The sender has
demanded a Bitcoin to solve this issue. Another example is a
person trying to send money to the target by making an emotional
and nationality-based connection. The solution here would pro-
vide how an investigator can use your email analyzer and other
tools to get information about all the relevant parties, like the
organization whose server has been used. All this analysis will
be done using the email header. Email headers serve as passports
for your messages. Each email server it encounters inserts entries
into the header along the way. Therefore, the longer the header,
the more servers route the Email. The ransomware threat is not
possible using Google Mail.
Figure 23. Screenshot of Google Admin Toolbox Message header

•Blackmailing mails
The output in the figure below will have information about A lot of information is contained in email headers.email
the message held, created at, from, to, subject, and DKIM. readers will only see the subject, the sender’s Email, and other
information.
Here is an email that can help the investigator find the
sender’s information, like IP address, server information, etc. The
investigator will use the mail header to collect more information
about the sender. The header can be accessed by clicking on the
show original option in the Gmail account.
The user will now copy the header from the mail. This
Figure 24. Screenshot of Google Admin Toolbox Message header header will be pasted into the Email Header Analyzer or Gmail
Email header tool. Now, the header will be pasted into the ana-
The other part of the output shows the entire timeline from lyzing tools.
the destination to the recipient. The timestamp is from when it is The header will then be analyzed using the Google Gmail
received and the protocol. header tools. To investigate suspicious mail, it is essential to know

IS&T International Symposium on Electronic Imaging 2024


Mobile Devices and Multimedia: Enabling Technologies, Algorithms, and Applications 2024 328--9
Figure 25. Screenshot of Google Admin Toolbox Message header (Use Figure 27. Screenshot of Email Header Analyzer (Use case)
case)

for this suspicious activity. For more information regarding the


server, the investigator can use Passive Total’s website.
who, what, and when it is. The analyzer provides this informa- Passive Total gathers data from the entire web, extracts in-
tion. The output will provide a timeline of the mail travel from telligence to identify threats and attacker infrastructure, and uses
the sender server to the recipient. The image (Figure 25) shows machine learning to scale threat hunting and response. Using
information about the server that starts the mail until it reaches Passive Total, you get contextual information on who is attack-
the recipient. This Email is created when the first email server re- ing you, their tools, and their systems, as well as indicators of
ceives the Email from the sender’s computer. This entry includes compromise from inside and outside the firewall. The application
information about the server hosting the email web application if provides features like Rapid Threat Investigation and Scale Threat
the client is web-based. Hunting Automate Response.
Here, the investigator needs to paste the acquired address.
The output received provides information like a heatmap (Inform-
ing the duration of time the server has been used)

Figure 28. Screenshot of Passive Total (Use case)

Figure 26. Screenshot of Google Admin Toolbox Message header (Use


case)
The website provides resolutions, WHOIS, certificates, sub-
domains, trackers, components, and other information.

The sender or the attacker when is sending spam messages


to the target. The attacker will send multiple spam messages. All
this will be done from a rented server. When the server is rented,
the attacker requires a provider already in the network. For this
very reason, the attacker scams the provider. For this use case, Figure 29. Screenshot of Passive Total (Use case)
the sender or attacker scammed the software-as-a-service provider
(srv1.primesaas.com.br). The attacker will use a fake credit card The resolution shows the IP addresses, location, network,
or phishing for the admin Gmail and mail account. and first and last seen.
The important thing here is that the attacker has rented the As the last seen is April 30, 2022, the addresses still share
server, and this server is essential. In this use case, the server spam mail. This also means that the attacker has not used any
is rented from France. Later, they hacked the service provider hacked credit card. This is because the provider will recognize
from Brazil (srv1.primesaas.com.br). Before starting the techni- the hacked credit card.
cal analysis, it is essential to inform the service provider (nucle- The next part is getting to know who owned the domain. The
odeturismo.com.br) that their mail server was hacked. Here, the WHOIS section here will help to get information regarding the
investigator can contact the service provider by visiting the do- provider. Here, the information will help get a handle on someone
main and looking for ways to contact them. This is to inform responsible for the whole ransomware issue.
them about their mail account being hacked so that they take all The WHOIS section provides information like Registrar and
the preventive measures. Email. Status of the domain, name (Not visible to the average
For more information, the investigator can use the Email user but will be visible to police), organization, and other infor-
Header Analyzer, which will help them gain information like the mation. Now, the police or the investigator can contact the domain
IP addresses and timeline of the mail. owner using the information gained through a mail address like
The primary investigation starts here; the attacker here is [email protected] so that they can take the required measures against
vps-74188.fhnet.fr. VPS is a virtual private server that is used the possible misuse of their domain.
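The header walk-through in the tool descriptions above (Received hops, timeline, IP addresses, Authentication-Results) can be reproduced offline. The following is an added example written for this page, not code from the paper or from the Email Header Analyzer or the Google Admin Toolbox. The header it parses is constructed: all hostnames and addresses are documentation values (example.org, .invalid, RFC 5737 ranges), and the five-minute threshold for a "slow" hop is an assumption chosen to surface delays like the 11-minute one discussed in the use cases.

```python
import ipaddress
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample header (not a real message): documentation hostnames and
# RFC 5737 addresses, newest Received line first as mail servers write them.
# Hop 1 -> hop 2 is 11 minutes apart, SPF soft-fails and DKIM fails.
SAMPLE_HEADER = """\
Delivered-To: victim@example.org
Received: from mx.example.net (mx.example.net. [198.51.100.25])
        by mail.example.org with ESMTPS id abc123
        for <victim@example.org>; Tue, 1 Feb 2022 10:16:30 +0000
Received: from vps-example.invalid (unknown [203.0.113.77])
        by mx.example.net with ESMTP id def456;
        Tue, 1 Feb 2022 10:16:05 +0000
Received: from [192.168.1.20] (localhost)
        by vps-example.invalid with ESMTPA id ghi789;
        Tue, 1 Feb 2022 10:05:00 +0000
Authentication-Results: mail.example.org;
        spf=softfail (203.0.113.77 is not a permitted sender)
        smtp.mailfrom=sender@example.invalid;
        dkim=fail header.d=example.invalid
From: "Minister" <sender@example.invalid>
Subject: Urgent fund transfer
"""

# Ranges treated as internal (RFC 1918, loopback, link-local). The ipaddress
# module's is_private would also hide the RFC 5737 ranges used in the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
IPV4_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH_VERDICT = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.IGNORECASE)


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def parse_received_chain(raw_header):
    """Return the Received hops oldest-first with from/by hosts, IP and time."""
    msg = message_from_string(raw_header)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = re.sub(r"\s+", " ", value).strip()      # unfold continuation lines
        clause, sep, date_part = value.rpartition(";")   # timestamp follows last ';'
        if not sep:
            clause, date_part = value, ""
        try:
            stamp = parsedate_to_datetime(date_part.strip())
        except (TypeError, ValueError):                  # missing or unparsable date
            stamp = None
        from_host = re.search(r"\bfrom\s+(\S+)", clause)
        by_host = re.search(r"\bby\s+(\S+)", clause)
        ip = IPV4_IN_BRACKETS.search(clause)
        hops.append({"from": from_host.group(1) if from_host else None,
                     "by": by_host.group(1) if by_host else None,
                     "ip": ip.group(1) if ip else None, "time": stamp})
    return hops


def hop_timeline(hops, slow_after=timedelta(minutes=5)):
    """Add the delay since the previous hop; flag slow hops (threshold is an
    assumption) and negative delays, which mean the servers' clocks disagree."""
    rows, previous = [], None
    for number, hop in enumerate(hops, 1):
        delay = None
        if previous is not None and hop["time"] is not None:
            delay = hop["time"] - previous
        rows.append({**hop, "hop": number, "delay": delay,
                     "slow": delay is not None and delay >= slow_after,
                     "clock_skew": delay is not None and delay < timedelta(0)})
        if hop["time"] is not None:
            previous = hop["time"]
    return rows


def auth_results(raw_header):
    """Collect spf/dkim/dmarc verdicts from Authentication-Results headers."""
    verdicts = {}
    for value in message_from_string(raw_header).get_all("Authentication-Results", []):
        for method, result in AUTH_VERDICT.findall(value):
            verdicts[method.lower()] = result.lower()
    return verdicts


def analyse(raw_header):
    hops = hop_timeline(parse_received_chain(raw_header))
    return {"hops": hops,
            "origin_ip": hops[0]["ip"] if hops else None,
            "external_ips": [h["ip"] for h in hops if h["ip"] and not is_internal(h["ip"])],
            "slow_hops": [h["hop"] for h in hops if h["slow"]],
            "auth": auth_results(raw_header)}


if __name__ == "__main__":
    report = analyse(SAMPLE_HEADER)
    for h in report["hops"]:
        flag = " SLOW" if h["slow"] else " CLOCK SKEW" if h["clock_skew"] else ""
        when = h["time"].strftime("%H:%M:%S") if h["time"] else "?"
        print(f"hop {h['hop']}: {h['from']} -> {h['by']} at {when} delay={h['delay']}{flag}")
    print("origin IP:", report["origin_ip"], "| external relay IPs:", report["external_ips"])
    print("authentication:", report["auth"])
```

Only the Received line written by a server you trust (the last one, added by your own mail server) is reliable; earlier hops can be forged by the sender, which is why the example reports the chain rather than trusting the first entry, and why a negative delay is reported as clock skew rather than as evidence.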

Figure 30. Screenshot of Passive Total (Use case)

The name here is Anonymous, as due to GDPR in the EU, data privacy/data protection is critical. It will always be anonymous for average users, but for police, the name will be visible.
The police can now use the IP address and contact the domain provider to get information about the payment method or details to get hold of the attacker involved in the phishing or ransomware.

• Lottery Mails
Here is a mail about someone sending money to the target using the nation link. The next use case is about a user receiving mail about money stored in the United States of America. The scamster here is looking for a target who is greedy by offering 3500000 dollars.

Figure 31. Screenshot of Gmail Inbox (Use case)

Now, use the same tools as before, the Email Header Analyzer or the Google Email Header tool, to get more information about the scamster. Using the Gmail Email header tool, we get to know the domain as previously demonstrated. Now, use the header extracted from the source in the Gmail account. We use the header in the Google email header analyzer.
Here, we found SPF showing a soft fail with IP Unknown.

Figure 32. Screenshot of Google Admin Toolbox Message header (Use case)

An IP address may or may not be allowed to send from that domain if a soft fail occurs. Despite being marked as suspicious, the mailbox provider will nonetheless accept the message. Mailbox providers use other data points to make a filtering decision, so a soft fail is not always the source of deliverability problems.

Figure 33. Screenshot of Google Admin Toolbox Message header (Use case)

The next task is to look for the person responsible for the whole mail. Using the Google Email header tool, we found vps.pesisirselatankab.go.id as the real culprit. The common thing in both use cases is VPS, a virtual private server.
The domain here belongs to Indonesia, which is suspicious for a person in the United States of America. Now, using Passive Total, we can find more information.

Figure 34. Screenshot of Passive Total (Use case)

The heat map we got from Passive Total shows the domain has been online since February 3 and is still working. The domain is still being used to send spam messages.

Figure 35. Screenshot of Passive Total (Use case)

In the resolution section, we found the network the domain belongs to with the IP addresses. The next important thing is the WHOIS section. Here, the information gathered is much less than in the previous example. This shows that data gathered using various tools depends on various factors like the location of the target and the scamster with the domain location.
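The SPF soft fail seen in the Lottery mails use case means the sending domain's record ends in "~all" rather than "-all": the domain does not vouch for the connecting IP but does not forbid it either. The following added example (not from the paper; it performs no DNS lookups, and the records and sender IPs are constructed from documentation ranges) evaluates a record against a connecting IP to show how the qualifier decides between pass, softfail and fail, and what each result asks the receiving mailbox provider to do. Mechanisms that need DNS (include:, a, mx, exists:) are reported as "unsupported" here.

```python
import ipaddress

# Qualifier prefix -> SPF result (RFC 7208, section 4.6.2); no prefix means "+".
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# What each result asks the receiver to do. Real mailbox providers combine this
# with DKIM, DMARC and reputation data before deciding, as the text notes.
RECEIVER_ADVICE = {
    "pass": "accept: the domain lists this IP as a permitted sender",
    "fail": "reject: the domain says this IP must not send for it (-all)",
    "softfail": "accept but mark suspicious: the domain is unsure about this IP (~all)",
    "neutral": "no assertion; treat as if no SPF record existed",
    "none": "no SPF record published",
    "permerror": "record is malformed; cannot be evaluated",
    "unsupported": "mechanism needs DNS; not evaluated in this offline example",
}


def check_spf(record, sender_ip):
    """Evaluate `record` for `sender_ip` using only ip4:, ip6: and all terms."""
    ip = ipaddress.ip_address(sender_ip)
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    for term in terms[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":                      # catch-all: its qualifier is the verdict
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
            continue                           # no match: try the next mechanism
        return "unsupported"                   # include/a/mx/exists/redirect need DNS
    return "neutral"                           # nothing matched and no 'all' term


# Constructed records and sender IPs (RFC 5737 / RFC 3849 documentation ranges).
DEMO_CASES = [
    ("v=spf1 ip4:203.0.113.0/24 ~all", "203.0.113.5"),   # listed sender -> pass
    ("v=spf1 ip4:203.0.113.0/24 ~all", "198.51.100.7"),  # unlisted, soft fail
    ("v=spf1 ip4:203.0.113.0/24 -all", "198.51.100.7"),  # unlisted, hard fail
    ("v=spf1 ip6:2001:db8::/32 -all", "2001:db8::1"),    # IPv6 listed -> pass
]


def run_demo():
    return [(record, ip, check_spf(record, ip)) for record, ip in DEMO_CASES]


if __name__ == "__main__":
    for record, ip, result in run_demo():
        print(f"{ip:>14}  {record:<32} -> {result:<9} {RECEIVER_ADVICE[result]}")
```

The same unlisted IP gets "softfail" under "~all" and "fail" under "-all"; only the latter asks the receiver to reject, which is why the analyzer's soft-fail verdict in the use case is a signal to weigh with the hop timeline and WHOIS data rather than a verdict on its own.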

Figure 36. Screenshot of Passive Total (Use case)

The previous use case had direct information about Name, Organization, Domain status, and Email. In this use case, the domain status is prohibited, and the domain Email is shared.
In the previous case study, we found the Email and the organization's name. The WHOIS section has another part where we can find the location as Jakarta, which is shown.
The information gathered here is mail addresses with domain pandi.id and the organization name, the Ministry of Communication and Information Technology in Indonesia. As we find the domain name, we can inform the domain provider about their server being misused for scamming people. The domain found here is a domain provider in Indonesia. Thus, the investigator can inform the domain handler that their domain has been compromised and used to scam people.

Figure 37. Screenshot of Passive Total (Use case)

• Mail for Money transfer
The subsequent use case is about identifying similar phishing mail. The mail received is about sharing the wealth of a minister in Guinea Bissau. The mail uses a respectable and well-known person to make it look legitimate. The mail here is about sharing 30% of $60 Million. This is phishing, where the user needs to request funds, making the user share their bank details as they fall into the trap.

Figure 38. Screenshot of Gmail Inbox (Use case)

Now we will try to investigate this mail. Using the Gmail Email header tool, we get to know the domain as previously demonstrated. Now, use the header extracted from the source in the Gmail account. We use the header in the Google email header analyzer.

Figure 39. Screenshot of Google Admin Toolbox Message header (Use case)

The header will then be analyzed using the Google Gmail header tools. There is an odd 11-minute delay at the beginning, which may indicate an overloaded spam-sending server. There is a possibility of false positives due to time differences between servers. To investigate suspicious mail, it is essential to know who, what, and when it is. The analyzer provides this information.
The output will provide a timeline of the mail travel from the sender server to the recipient. Let's take a closer look at this entry. In the Emails entry, the from part indicates the source of the Email for this leg: User. After the email origin, you're taken to mail.shako.com.tw. Whenever an email server encounters this header entry, it adds another one below it. There is a high likelihood that this email server is under the control of a malicious sender. This information should not be trusted. It is still worth investigating. We should try to determine the location of the email server. After seeing the delay and the domain provider, the sender's mail address [email protected] is fake. Thus, the investigator can inform aol.com about a possible breach in their domain.

Figure 40. Screenshot of Google Admin Toolbox Message header (Use case)

For more information regarding the server, the investigator can use Passive Total's website. The heat map shows that the domain mail.shako.com.tw has been live since February 1, 2022, and is still alive.

Figure 41. Screenshot of Passive Total (Use case)

The investigator can look into the resolution and WHOIS sections to get more information about the organization's IP, Email, and name.

Figure 42. Screenshot of Passive Total (Use case)

Using the tool on the domain mail.shako.com.tw, we found that the server is based in Taiwan. A genuine person requesting help would instead use a legitimate server from the country in which they are located. The person won't use a server in Taiwan to get help.
The information collected until now is the location of the server and the delay time in sending the mail. This factor is enough to understand that the mail is phishing and thus can be reported. Using this tool, companies can set up filters accordingly and thus block or mark the mail as spam to prevent companies' employees from falling into the trap.

Result Analysis, Conclusion, and Future Scope

Analysis
Every OSINT tool behaves and approaches situations differently depending on the scenario, which changes the tools and settings every time. Section V offers a complete breakdown of each OSINT tool and its primary findings. Each tool is explained and demonstrated, along with its limitations. Depending on the use cases associated with intelligence gathering and analysis, these tools can be helpful individually and together. The author has created a table to find a solution to this problem, where different tools are shown without undermining the effectiveness of the other tools. Based on their effectiveness, the ten tools listed in Appendix A have been selected from 115.
Each tool provides different types of information. Typically, OSINT tools for Email have the primary function of obtaining the Email address of a targeted individual from an organization. Table VI illustrates that many tools have different features, all of which are considered while analyzing tools. The best tool selection relies on which works in most cases when analyzing large data sets. The author found the tool Hunter to have the most required features to work with different methods and with more accuracy than others. It has many good features like Domain Search, Email Finder, and Verifier. There is also an option for Bulk tasks where the user can run or perform all the features with multiple inputs. The Email Analyzer is an effective tool that police can use to investigate fraud mail to catch such culprits or that companies can use to set up filters to prevent employees from getting phished.

Conclusion and limitations
This study suggested that OSINT tools could be a good source of information about mail addresses from any organization during a demonstration and analysis of the OSINT tools for email addresses. People tend to keep a lot of data in their email addresses that can be analyzed in many ways and based on different data models, which are significant resources in data collection, mining, etc. The data can be the location of the person, the history of the person, and other things. When used as digital footprints, data can be analyzed simultaneously across various targets with fewer resources than traditional data gathering, processing, and analysis methods. Automating the analysis of big data sets with a set of tools is very important. The analyst selects the toolset from the list of use cases and scenarios, even though the author has found a list of tools with these features. In analyzing the toolset, researchers found that users can access only public data via these tools, regardless of the location from which they access the data. If the researcher has significant funds to spare for the task, it is possible to consider premium plans available after the basic plan. Most tools offer data export functions as well. Once an Email address is found or identified, various hacking techniques like Phishing (Email spoofing), spear phishing, and dictionary attacks are used. Thus, the account or mail address is subject to a possible attack. These tools can be used for phishing campaigns as part of security awareness training. It is not difficult to identify a phishing email. Emails can be automatically rejected or quarantined by SPF, DKIM & DMARC. Before enabling any form of email security, organizations should think deeper.

Future work
An improvement in OSINT-based investigation of email addresses requires further research. When email addresses are inputted, optimizing and developing current tools is essential to get more information from them. Additionally, a tool with higher accuracy is required. However, there are a limited number of tools available now. Thus, more tools are required. There should also be tools that can break apart closed groups. As part of the intention to expand the tool collection beyond the current collection, it may be possible to analyze and demonstrate other tools in the future. Comparing the premium features of open-source tools in this study would be very interesting, primarily since the study focuses on open-source tools. Several tools were demonstrated in this study with premium features and capabilities that could be extremely valuable for users who need a set of tools of the highest quality.

Acknowledgments
This work was supported partially by the European Union in the framework of ERASMUS MUNDUS, Project CyberMACS (Project #101082683) (https://cybermacs.eu).

Author Biography
Samrudha Mhatre received his Master's in Computer Science, focusing on Cyber Security, in 2022. His research interests include computer security and OSINT technologies and applications.
Franziska Schwarz received her M.Sc. in Computer Science from Technische Hochschule Brandenburg (Germany) in 2022. Since 2021, she has worked in cyber security consulting with clients in the public and private sectors. Her research focuses on Cybersecurity and Management, Data Protection, IoT, and Smart Home Security.
Klaus Schwarz received his B.Sc. and M.Sc. in Computer Science from Brandenburg University of Applied Sciences (Germany) in 2017 and 2020, respectively. Klaus is working in technology consulting as an AI specialist for clients in the public and private sectors. Furthermore, he is a Ph.D. student at the University of Granada, Spain. His research interests include IoT and smart home security, OSINT, mechatronics, additive manufacturing, embedded systems, artificial intelligence, and cloud security. As an SRH Berlin University of Applied Sciences faculty member, he developed a graduate program in Applied Mechatronic Systems focusing on Embedded Systems at SRH Berlin University of Applied Sciences.
Reiner Creutzburg is a retired Professor of Applied Computer Science at the Technische Hochschule Brandenburg in Brandenburg, Germany. Since 2019, he has been a Professor of IT Security at the SRH Berlin University of Applied Sciences, Berlin School of Technology. He has been a member of the IEEE and SPIE and chairman of the Multimedia on Mobile Devices (MOBMU) Conference at the Electronic Imaging conferences since 2005. In 2019, he was elected a member of the Leibniz Society of Sciences to Berlin e.V. His research interest is focused on Cybersecurity, Digital Forensics, Open Source Intelligence (OSINT), Multimedia Signal Processing, eLearning, Parallel Memory Architectures, and Modern Digital Media and Imaging Applications.

Hunter
  Installation: easy
  Operating platform: web-based
  Free trial: 25 searches and 50 verifications per month
  Format of results: text
  Benefits: account option for teams; API option; search features including domain search, bulk domain search, ...; verifying email addresses, tracking email campaigns, and sending email drip campaigns
  Limitations: credits are deducted for generating emails, and Hunter also deducts credits for validating those emails
  Data collection methods: most recent, real-time
  Pricing: 25 searches and 50 verifications per month free (paid version with more features)

Emailable
  Installation: easy
  Operating platform: web-based
  Free trial: limited to credit
  Format of results: graphical
  Benefits: helps marketing teams plan campaigns by sorting email addresses into multiple categories; provides an open API so developers can connect from common programming languages
  Limitations: veracity of information
  Data collection methods: not known
  Pricing: limited to credit; free (paid version with more features)

Phantom Buster
  Installation: easy
  Operating platform: web-based
  Free trial: 14-day free trial
  Format of results: text
  Benefits: helps to find professional email addresses quite easily; reduces the complexity of automating searches across platforms such as LinkedIn and Twitter
  Limitations: pricing is quite high; social media platforms are heavily emphasized in the software
  Data collection methods: real-time
  Pricing: 14-day free trial; free (paid version with more features)

LeadFuze
  Installation: easy
  Operating platform: web-based
  Free trial: 25 leads free
  Format of results: text
  Benefits: quick set-up; high-quality detailed data
  Limitations: confusing to use; export limits; automation limits; pricing is high
  Data collection methods: real-time
  Pricing: 25 leads free; free (paid version with more features)

Email Harvester
  Installation: moderate
  Operating platform: runs on a virtual machine
  Free trial: unlimited
  Format of results: text
  Benefits: output is specific to the command
  Limitations: output is not real-time; needs a virtual machine
  Data collection methods: stored; data is revealed
  Pricing: unlimited; free

Simple Email Reputation
  Installation: easy
  Operating platform: web-based
  Free trial: 250 queries per month, up to 10 queries/day
  Format of results: text
  Benefits: easy to use; provides good information
  Limitations: accuracy of the information
  Data collection methods: real-time
  Pricing: 250 queries per month, up to 10 queries/day; free (paid version to use more features)

SpiderFoot HX
  Installation: easy
  Operating platform: web-based
  Free trial: 5 scans available and 1 target per scan
  Format of results: text
  Benefits: easy to use; good detailed information
  Limitations: paid version needed to enable many features; limited time for the scans in the free version
  Data collection methods: unknown
  Pricing: 5 scans available and 1 target per scan; free (paid version to use more features)

AeroLeads Email Finder
  Installation: moderate
  Operating platform: web-based
  Free trial: limited to 5 credits
  Format of results: text
  Benefits: pricing is relatively good; enriches the contact with other details
  Limitations: ease of use needs improvement; accuracy needs to be improved
  Data collection methods: not known
  Pricing: 5 credits; free (paid version to use more features)

E-Mail Header Analyzer
  Installation: easy
  Operating platform: web-based
  Free trial: unlimited
  Format of results: text
  Benefits: easy to use; good results (information is produced)
  Limitations: accuracy needs to be improved
  Data collection methods: most recent; real-time
  Pricing: free

Google Admin Toolbox Message Header
  Installation: easy
  Operating platform: web-based
  Free trial: unlimited
  Format of results: text
  Benefits: easy to use; good results (information is produced)
  Limitations: accuracy needs to be improved
  Data collection methods: most recent; real-time
  Pricing: free

Table 1: List of tested and recommended OSINT-based Email investigation tools (columns: Tool, Installation, Operating Platform, Free Trial, Format of Results, Benefits, Limitations, Data Collection Methods, Pricing)
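The last two rows of Table 1 are header analyzers. As an added illustration of what such a tool does internally (this is example code written for this page, not code from the paper or from any tool listed above), the following Python script, using only the standard library, parses a raw header block, orders the Received hops oldest-first, picks the first non-internal IP as the likely submitting system, summarises the Authentication-Results (SPF/DKIM/DMARC) and flags a Return-Path/From domain mismatch. The hosts, addresses and authentication outcomes in SAMPLE_HEADERS are constructed for the demonstration and use documentation IP ranges; they do not describe a real message.

```python
"""Added header-analysis example; not code from the paper or from any
tool in Table 1.  Parses a header block and reports Received hops,
the first non-internal IP, SPF/DKIM/DMARC results and a sender mismatch."""
import ipaddress
import re
from email import policy
from email.parser import HeaderParser
from email.utils import parseaddr

# Constructed sample: hostnames, addresses and results are invented
# (documentation IP ranges); nothing here describes a real mail.
SAMPLE_HEADERS = """\
Received: from mx.example.net (mx.example.net [203.0.113.10])
\tby inbound.example.org with ESMTPS id abc123; Mon, 4 Mar 2024 10:02:11 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.net with ESMTP; Mon, 4 Mar 2024 10:02:09 +0000
Received: from [192.168.1.20] (unknown [192.168.1.20])
\tby relay.example.net with ESMTPSA; Mon, 4 Mar 2024 10:02:05 +0000
Authentication-Results: inbound.example.org;
\tspf=pass smtp.mailfrom=example.net;
\tdkim=fail header.d=example.net;
\tdmarc=fail (p=reject) header.from=example.net
From: "Alice" <alice@example.net>
Return-Path: <bounce@mailer.example.com>
Subject: Test
"""

IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# Explicit list rather than ipaddress's is_global, which would also
# reject the documentation ranges (198.51.100/24, 203.0.113/24) used above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def parse_headers(raw):
    """Parse a header block; policy.default unfolds continuation lines."""
    return HeaderParser(policy=policy.default).parsestr(raw, headersonly=True)


def received_hops(msg):
    """Each relay prepends its Received header, so the last one is the
    oldest; return hops oldest-first with from/by hosts and any IPv4s."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())
        frm = re.match(r"from\s+(\S+)", text)
        by = re.search(r"\bby\s+(\S+)", text)
        hops.append({
            "from": frm.group(1) if frm else None,
            "by": by.group(1) if by else None,
            "ips": IPV4_RE.findall(text),
            "raw": text,
        })
    return hops


def is_internal(ip):
    """True for RFC 1918, loopback and link-local addresses (or junk)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True
    return any(addr in net for net in INTERNAL_NETS)


def first_public_ip(hops):
    """Earliest non-internal hop address: the best candidate for the
    submitting system, trustworthy only as far as the relay that wrote it."""
    for hop in hops:
        for ip in hop["ips"]:
            if not is_internal(ip):
                return ip
    return None


def auth_results(msg):
    """Collapse Authentication-Results into {'spf': ..., 'dkim': ..., 'dmarc': ...}."""
    out = {}
    for value in msg.get_all("Authentication-Results", []):
        text = " ".join(str(value).split())
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I):
            out[method.lower()] = result.lower()
    return out


def envelope_mismatch(msg):
    """Return-Path (envelope sender) domain differing from the From domain
    is normal for bulk mailers but also a common trait of spoofed mail."""
    def domain(name):
        return parseaddr(str(msg.get(name, "")))[1].rpartition("@")[2].lower()
    f, r = domain("From"), domain("Return-Path")
    return bool(f and r and f != r)


def analyze(raw):
    msg = parse_headers(raw)
    hops = received_hops(msg)
    return {"hops": hops, "origin_ip": first_public_ip(hops),
            "auth": auth_results(msg), "envelope_mismatch": envelope_mismatch(msg)}


if __name__ == "__main__":
    report = analyze(SAMPLE_HEADERS)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: {hop['from']} -> {hop['by']} {hop['ips']}")
    print("origin IP:", report["origin_ip"])
    print("auth:", report["auth"])
    print("envelope mismatch:", report["envelope_mismatch"])
```

On the sample, the private 192.168.1.20 hop is skipped and 198.51.100.7 is reported as the origin; the SPF pass with DKIM and DMARC failures plus the Return-Path/From mismatch are the signals a web-based analyzer would surface in the same way. Received headers below the first hop your own server wrote can be forged, which is why the origin IP is only as trustworthy as the relay that recorded it.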
