All,
I am currently analyzing emails with NetWitness. One indicator I typically see used in spear-phishing incidents is logging in with a different IP than the sending mail server. I am noticing this behavior mostly with Yahoo. Is there a way in NetWitness to create a search to pull up all network-related sessions in this way? I am not seeing this as a searchable piece of metadata. I created a regex to try to search with, with no luck.
Thanks
br0g,
What you are looking to do is to create a parser to pull and create this meta for you. The original IP address is what you are trying to get, which will be a variable.
A parser to address this will match first on the "X-Yahoo-SMTP:" token to begin its work. Next it should look for "Received:" at the beginning of a line and then capture the IP in question as the variable token you are looking for.
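As an added illustration (not part of the original thread, and not a NetWitness parser or its parser syntax), the Python below implements the token-then-capture logic described in the reply on a constructed header block: unfold the RFC 5322 header lines, look for a line beginning with the "X-Yahoo-SMTP:" token, then take the first IPv4 address from the next "Received:" header. It also pulls the IP of the MTA that connected to the receiving server from the topmost "Received:" header, so the two can be compared as the question asks. The host names, the header values and the RFC 5737 documentation addresses in the samples are assumptions; only IPv4 is handled.

```python
import re
from typing import Dict, List, Optional

# Constructed sample header block (not a real capture). Host names, the
# X-Yahoo-SMTP value and the RFC 5737 addresses 198.51.100.25 / 203.0.113.77
# are assumptions. The topmost Received: is the one our own MX would add.
SAMPLE_HEADERS = (
    "Received: from sonic301.consmr.mail.example.com\n"
    "    (sonic301.consmr.mail.example.com [198.51.100.25])\n"
    "    by mx.example.net with ESMTPS id abc123\n"
    "    for <victim@example.net>; Mon, 1 Jan 2018 10:00:00 +0000\n"
    "X-Yahoo-SMTP: dGVzdA--\n"
    "Received: from [203.0.113.77] by smtp123.mail.example.com with NNFMP;\n"
    "    01 Jan 2018 09:59:58 -0000\n"
    "From: \"Someone\" <someone@example.com>\n"
    "Subject: Invoice attached\n"
    "\n"
    "body text, not part of the headers\n"
)

# Same shape, constructed, but without the X-Yahoo-SMTP token: no origin IP.
SAMPLE_NO_TOKEN = (
    "Received: from mail.example.org (mail.example.org [198.51.100.9])\n"
    "    by mx.example.net with ESMTPS id def456; Mon, 1 Jan 2018 11:00:00 +0000\n"
    "From: other@example.org\n"
    "Subject: hello\n"
    "\n"
)

# Dotted-quad IPv4 with each octet limited to 0-255.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def unfold_headers(raw: str) -> List[str]:
    """Return one string per header, joining folded continuation lines.

    RFC 5322 folds long headers onto following lines that start with
    whitespace; the first blank line ends the header block.
    """
    headers: List[str] = []
    for line in raw.splitlines():
        if not line.strip():
            break
        if line[:1] in (" ", "\t") and headers:
            headers[-1] += " " + line.strip()
        else:
            headers.append(line.rstrip())
    return headers


def _first_ipv4(header: str) -> Optional[str]:
    m = IPV4_RE.search(header)
    return m.group(0) if m else None


def yahoo_origin_ip(raw: str) -> Optional[str]:
    """Match the X-Yahoo-SMTP: token, then capture the IP from the next Received: header."""
    headers = unfold_headers(raw)
    for i, h in enumerate(headers):
        if h.lower().startswith("x-yahoo-smtp:"):
            for later in headers[i + 1:]:
                if later.lower().startswith("received:"):
                    return _first_ipv4(later)
            return None  # token present but no Received: after it
    return None  # token absent: parser does not fire


def sending_server_ip(raw: str) -> Optional[str]:
    """IP of the MTA that delivered to us: first IPv4 in the topmost Received: header."""
    for h in unfold_headers(raw):
        if h.lower().startswith("received:"):
            return _first_ipv4(h)
    return None


def extract(raw: str) -> Dict[str, object]:
    """Meta a session would carry: both IPs plus a flag for the mismatch the question describes."""
    origin = yahoo_origin_ip(raw)
    relay = sending_server_ip(raw)
    return {
        "sending_server_ip": relay,
        "yahoo_origin_ip": origin,
        "origin_differs": origin is not None and relay is not None and origin != relay,
    }


if __name__ == "__main__":
    print(extract(SAMPLE_HEADERS))
    print(extract(SAMPLE_NO_TOKEN))
```

Header names are matched case-insensitively because RFC 5322 field names are not case-sensitive, and the continuation-line handling matters: the IP you want is often on a folded line, so anchoring "Received:" to the start of a raw line and reading only that line would miss it.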