Web activity investigation

The questions below are from the BOTSv2 dataset, questions 100-104. Some additional questions were added.

The focus is on Amber Turing and her communication with a competitor.

Amber Turing was hoping for Frothly to be acquired by a potential competitor which fell through, but visited their website to find contact information for their executive team. What is the website domain that she visited?

index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" "beer" | dedup site | table site

Answer: www.berkbeer.com

Amber found the executive contact information and emailed him. What image file displayed the executive’s contact information? Answer example: /path/image.ext

index="botsv2" 10.0.2.101 sourcetype="stream:HTTP" "www.berkbeer.com" | table uri_path

Answer: /images/ceoberk.png

What is the CEO’s name? Provide the first and last name.

index="botsv2" sourcetype="stream:smtp" "*berkbeer.com"

One of the results is an email sent from mberk@berkbeer.com. Expand the content_body field:

Answer: Martin Berk

What is the CEO’s email address?

Answer: mberk@berkbeer.com

After the initial contact with the CEO, Amber contacted another employee at this competitor. What is that employee’s email address?

Answer: hbernhard@berkbeer.com

What is the name of the file attachment that Amber sent to a contact at the competitor?

index="botsv2" sourcetype="stream:smtp" "amber"

Answer: Saccharomyces_cerevisiae_patent.docx

What is Amber’s personal email address?

In Amber's reply to hbernhard@berkbeer.com, the content_transfer_encoding field is base64, which means content_body holds the message text base64-encoded rather than as readable text. Decode content_body and look for the address that is not on the berkbeer.com domain.

Answer: ambersthebest@yeastiebeastie.com
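The decode step above, as an added Python example that is not part of the original walkthrough or the BOTSv2 dataset. It takes a stream:smtp-style event (only the field names content_transfer_encoding, content_body and receiver mirror the real sourcetype; the event itself and the message text are constructed), decodes content_body when the transfer encoding says base64, and returns every address in the body that is not on the recipient's domain:

```python
import base64
import quopri
import re
from typing import Dict, List

# Constructed event in the shape of a Splunk stream:smtp result. The message
# text is an assumption for illustration; the recipient and the planted
# personal address are the values the walkthrough above reports.
PLAINTEXT_BODY = (
    "Hello,\n\n"
    "Please use my personal address for anything further: "
    "ambersthebest@yeastiebeastie.com\n\n"
    "Amber\n"
)
SAMPLE_EVENT: Dict[str, str] = {
    "receiver": "hbernhard@berkbeer.com",
    "content_transfer_encoding": "base64",
    "content_body": base64.b64encode(PLAINTEXT_BODY.encode("utf-8")).decode("ascii"),
}

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def decode_body(event: Dict[str, str]) -> str:
    """Return content_body as text, honouring the Content-Transfer-Encoding.

    Only base64 and quoted-printable need transformation; 7bit/8bit/binary
    bodies are already readable and are returned unchanged.
    """
    body = event.get("content_body", "")
    cte = event.get("content_transfer_encoding", "").strip().lower()
    if cte == "base64":
        # MIME wraps base64 at 76 columns; drop all whitespace before decoding.
        raw = base64.b64decode("".join(body.split()))
        return raw.decode("utf-8", errors="replace")
    if cte == "quoted-printable":
        return quopri.decodestring(body.encode("ascii", errors="ignore")).decode(
            "utf-8", errors="replace"
        )
    return body


def extract_addresses(text: str) -> List[str]:
    """Every e-mail address in the text, in order of first appearance, no duplicates."""
    seen: List[str] = []
    for addr in EMAIL_RE.findall(text):
        if addr not in seen:
            seen.append(addr)
    return seen


def find_external_addresses(event: Dict[str, str]) -> List[str]:
    """Addresses in the decoded body that are not on the recipient's domain.

    For the walkthrough this isolates the sender's personal address from the
    competitor's (berkbeer.com) addresses that naturally appear in the thread.
    """
    recipient_domain = event.get("receiver", "").rsplit("@", 1)[-1].lower()
    return [
        addr
        for addr in extract_addresses(decode_body(event))
        if addr.rsplit("@", 1)[-1].lower() != recipient_domain
    ]


if __name__ == "__main__":
    print(decode_body(SAMPLE_EVENT))
    print(find_external_addresses(SAMPLE_EVENT))
```

To run this against the real event, export the reply with `| table receiver content_transfer_encoding content_body` and pass the row in as the event; checking content_transfer_encoding first matters because the same search returns plain 7bit bodies that base64.b64decode would mangle.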