ZeroTrace OSINT
IOC Extractor
Bulk-extract IPs, URLs, emails, hashes, JWTs, AWS keys, MAC addresses, credit-card PANs, and CVEs from messy text.
The IOC extractor takes any unstructured text — a log file, a chat transcript, a phishing email, a paste from a leak — and extracts every indicator of compromise (IOC) it can recognise, classified by type.
It is the cheapest way to turn a wall of text into a structured list you can actually act on.
What gets extracted
| IOC type | Pattern |
|---|---|
| IPv4 address | Standard dotted-quad |
| IPv6 address | All standard formats including compressed |
| Domain | RFC-shaped domain names with sensible TLD whitelist |
| URL | Full URL with scheme |
| Email address | RFC-shaped email |
| MD5 / SHA-1 / SHA-256 / SHA-512 hashes | Recognised by length + hex format |
| JWT token | eyJ... three-part dot-separated base64url strings (a JSON header that starts with {" always encodes to eyJ) |
| AWS access key | AKIA... patterns |
| AWS secret key | High-entropy 40-char strings near AWS-key context |
| GCP API key | AIza... patterns |
| Slack token | xoxb-..., xoxp-..., xoxa-... |
| GitHub token | ghp_..., gho_..., ghs_... |
| MAC address | Multiple separators (colon, dash, dot) |
| Bitcoin address | Base58Check-validated (mainnet) |
| Ethereum address | Hex-validated |
| Credit-card PAN | Luhn-checked numbers (with major scheme detection) |
| CVE ID | CVE-YYYY-NNNN format, where the sequence number has four or more digits (CVE-2021-44228 is a valid ID) |
The extractor is driven by a regex catalog, so new categories are added by extending the catalog rather than by changing the extractor.
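As an added illustration of how a regex catalog drives extraction and classification (example code written for this page, not the tool's own catalog, whose exact patterns are not published here): a deliberately small Python catalog covering part of the table above, with the hash algorithm decided by digest length, a CVE pattern that accepts sequence numbers of four or more digits, and a per-category count line. The sample log is constructed; the AWS key is the placeholder key AWS uses in its own documentation, the two digests are those of the empty string, and the TLD whitelist is an arbitrary short stand-in for a real list.

```python
import re
from collections import defaultdict

# Hypothetical, deliberately small catalog. Each entry is a category name and a
# compiled pattern; adding a category means adding one dict entry.
TLD_WHITELIST = "com|net|org|io|ru|xyz"  # assumption: a tiny stand-in for a real TLD list
CATALOG = {
    "ipv4": re.compile(r"(?<![\d.])(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)(?![\d.])"),
    "url": re.compile(r"\bhttps?://[^\s'\"<>]+", re.I),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+(?:" + TLD_WHITELIST + r")\b", re.I),
    "email": re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    # one pattern for every hex digest; the length decides the algorithm (see HASH_BY_LENGTH)
    "hash": re.compile(r"\b(?:[a-f0-9]{128}|[a-f0-9]{64}|[a-f0-9]{40}|[a-f0-9]{32})\b", re.I),
    "jwt": re.compile(r"(?<![A-Za-z0-9_-])eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # CVE sequence numbers are at least four digits but may be longer (CVE-2021-44228)
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
}
HASH_BY_LENGTH = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}
DISPLAY_ORDER = ["ipv4", "domain", "url", "email", "md5", "sha1", "sha256", "sha512",
                 "jwt", "aws_access_key", "cve"]


def extract(text: str) -> dict:
    """Run every catalog pattern over the text; return {category: sorted unique values}."""
    found = defaultdict(set)
    for name, pattern in CATALOG.items():
        for match in pattern.finditer(text):
            value = match.group(0)
            category = HASH_BY_LENGTH[len(value)] if name == "hash" else name
            if category in HASH_BY_LENGTH.values():
                value = value.lower()  # normalise digest case so duplicates collapse
            found[category].add(value)
    return {category: sorted(values) for category, values in found.items()}


def summarize(found: dict) -> str:
    """Per-category count line in a fixed display order, e.g. '1 ipv4 · 2 domain · 1 url'."""
    return " · ".join(f"{len(found[c])} {c}" for c in DISPLAY_ORDER if c in found)


# Constructed sample log (not real traffic). The AWS key is the placeholder AWS uses
# in its own documentation; the two digests are those of the empty string;
# 192.168.1.300 is deliberately not a valid IPv4 address and must not be extracted.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z proxy: 10.0.0.5 -> GET http://evil.example.com/payload.exe (CVE-2021-44228 probe)
2024-05-01T10:00:02Z edr: sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855 md5=d41d8cd98f00b204e9800998ecf8427e
2024-05-01T10:00:03Z auth: token=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJib2IifQ.abc123-_XYZ user=bob@example.com
2024-05-01T10:00:04Z s3: key AKIAIOSFODNN7EXAMPLE seen in env dump from 10.0.0.5 and 192.168.1.300
"""

if __name__ == "__main__":
    result = extract(SAMPLE_LOG)
    print(summarize(result))
    for category, values in result.items():
        for value in values:
            print(f"{category:15} {value}")
```

The IPv4 pattern range-checks each octet and refuses to match inside a longer dotted-digit run, which is what keeps 192.168.1.300 out of the results; a looser \d{1,3} pattern would report it. Domains are also pulled out of URLs and email addresses, so the domain count is normally higher than the URL count.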
Defang preview
For each extracted IP / URL / domain, the tool shows a one-click "copy as defanged" affordance:
1.2.3.4 → 1[.]2[.]3[.]4
http://example.com → hxxp://example[.]com
evil@example.com → evil[at]example[.]com
Defanging is essential for sharing IOCs in chat, email, and reports without anyone accidentally clicking them. See the defang utility for the full set of defang formats.
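The three transformations above, as an added example in Python (written for this page, not the tool's defang utility): the scheme becomes hxxp/hxxps, every dot becomes [.], and @ becomes [at]. Two details matter in practice and are handled here: defanging must be idempotent, because indicators get copied between reports and re-defanged, and there must be a refang step so the report can be turned back into machine-usable indicators.

```python
import re


def defang(ioc: str) -> str:
    """Defang an IP, domain, URL or email so mail and chat clients will not auto-link it.
    Safe to call twice: dots that are already bracketed and an hxxp scheme are left alone."""
    s = ioc.strip()
    # http:// -> hxxp://, https:// -> hxxps:// (only at the start, only for a real scheme)
    s = re.sub(r"^https?://", lambda m: "hxx" + m.group(0)[3:].lower(), s, flags=re.I)
    s = re.sub(r"(?<!\[)\.(?!\])", "[.]", s)   # every unbracketed dot -> [.]
    s = s.replace("@", "[at]")                  # "[at]" contains no "@", so this is idempotent too
    return s


def refang(ioc: str) -> str:
    """Inverse of defang(): restore a defanged indicator before feeding it to a tool."""
    s = ioc.strip()
    s = re.sub(r"^hxxp(s?)://", r"http\1://", s, flags=re.I)
    return s.replace("[.]", ".").replace("[at]", "@")


if __name__ == "__main__":
    for sample in ("1.2.3.4", "http://example.com", "evil@example.com",
                   "https://example.com/login.php?next=1"):
        print(f"{sample:40} -> {defang(sample)}")
```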
Auto-enrich chips
For each extracted IP, domain, URL, email, or hash, the result row shows an enrich chip. Clicking the chip opens the pivot menu — every other tool that takes that value type as input. One click sends the IOC into the next tool with the input pre-filled.
This is the central workflow for SOC triage: paste log → extract IOCs → enrich each via pivot → pin findings to a profile.
Bitcoin / Ethereum address validation
Cryptocurrency addresses are checksummed. The extractor:
- Validates Bitcoin addresses via Base58Check.
- Validates Ethereum addresses via the EIP-55 mixed-case checksum when applicable: an all-lowercase or all-uppercase address carries no EIP-55 checksum, so only its format can be checked.
This rules out most false positives — random text matching the address pattern but failing the checksum.
Credit-card PAN detection
The extractor matches Luhn-valid sequences and surfaces the major-scheme prefix (Visa, Mastercard, Amex, Discover). Useful for:
- Leak triage — "did this paste contain card numbers?".
- Compliance scanning — "are there PANs in our log files we should not be storing?".
The tool reports counts. It deliberately does not export the full PAN strings to the clipboard or into reports — handle these IOCs with appropriate care.
Credit-card PAN detection is for finding the leaks, not for harvesting card numbers. Treat extracted PANs as you would any sensitive PII — minimise handling, follow your organisation's incident-response playbook.
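The Luhn check, the scheme detection and the "count, don't harvest" handling described above, as an added example in Python (written for this page, not the tool's code). Candidates are 13 to 19 digit runs with optional single space or dash separators; each is Luhn-checked, the scheme is read from the IIN prefix and length, and only the scheme and the last four digits ever leave the function. The sample paste is constructed; the four card numbers are the public test numbers that payment processors publish for sandbox use.

```python
import re
from collections import Counter

# Constructed sample paste. The four card numbers are published test numbers, not real cards.
SAMPLE_PASTE = """\
order 1001 card=4111 1111 1111 1111 exp=12/27
order 1002 card=5555-5555-5555-4444
order 1003 card=378282246310005
order 1004 card=6011111111111117
ticket 90210 ref=4111111111111112 (one digit off: fails Luhn, so not reported)
phone +1 4155551234 tracking 1234567890123456 (16 digits, fails Luhn)
"""

# 13 to 19 digits, optionally separated by single spaces or dashes, not glued to other digits
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold 10..18 to 1..9
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scheme_of(digits: str):
    """Major-scheme detection from IIN prefix and length; None when no scheme fits."""
    n = len(digits)
    two, three, four = int(digits[:2]), int(digits[:3]), int(digits[:4])
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if n == 15 and two in (34, 37):
        return "Amex"
    if n == 16 and (51 <= two <= 55 or 2221 <= four <= 2720):
        return "Mastercard"
    if n == 16 and (four == 6011 or two == 65 or 644 <= three <= 649):
        return "Discover"
    return None


def scan_pans(text: str):
    """(scheme, last4) for every Luhn-valid candidate. The full PAN is never stored or
    returned; the last four digits are enough to tie a finding to a record."""
    findings = []
    for m in _CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not luhn_ok(digits):
            continue
        findings.append((scheme_of(digits) or "unknown", digits[-4:]))
    return findings


def pan_summary(text: str) -> dict:
    """Counts per scheme: the only thing worth exporting from a leak-triage run."""
    return dict(Counter(scheme for scheme, _ in scan_pans(text)))


if __name__ == "__main__":
    print(pan_summary(SAMPLE_PASTE))
    for scheme, last4 in scan_pans(SAMPLE_PASTE):
        print(f"{scheme:12} ending {last4}")
```

Roughly one random 16-digit string in ten passes Luhn, so on a large paste the "unknown" bucket is mostly noise (order numbers, IMEIs, tracking codes); the scheme-matched buckets are the ones to escalate.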
JWT inline decode
When a JWT is extracted, a one-click "decode" affordance opens the JWT decoder with the token pre-filled. Useful for log lines that include API tokens you want to inspect.
Per-category counts
The result panel shows a per-category count summary at the top:
24 IPs · 12 domains · 8 URLs · 5 emails · 3 hashes (2 SHA-256, 1 MD5) · 1 JWT · 0 AWS keys
Quick scan tells you whether the input contains the IOC types you care about.
Bulk extraction
Bulk paste handles arbitrarily large inputs. The aggregate result is the same per-category breakdown applied to the entire input.
For very large logs (gigabyte-class), the extractor streams the input rather than loading it all into memory.
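Streaming a large input in fixed-size chunks has one trap: an indicator that straddles a chunk boundary is invisible to a scan of either chunk alone. The added example below (written for this page; the tool's streaming implementation is not published here) shows both the naive chunked scan that loses such indicators and the fix, carrying the unfinished tail after the last whitespace into the next chunk, with a cap so whitespace-free input cannot grow the carry without bound. It uses two small patterns and a constructed sample; io.StringIO stands in for a file opened for reading, and the tiny chunk sizes exist only to force boundary splits.

```python
import io
import re
from collections import Counter

# Two small patterns are enough to show the boundary problem; a real catalog is larger.
PATTERNS = {
    "ipv4": re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])"),
    "cve": re.compile(r"\bCVE-\d{4}-\d{4,}\b"),
}

# Constructed sample; one address repeats so total and unique counts differ.
SAMPLE = (
    "alert src=10.0.0.5 cve=CVE-2021-44228 dst=10.0.0.5\n"
    "alert src=192.168.1.10 cve=CVE-2024-3094\n"
)


def _tally(text, counts, seen):
    for name, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            counts[name] += 1
            seen[name].add(m.group(0))


def _report(counts, seen):
    return {name: {"total": counts[name], "unique": sorted(seen[name])} for name in PATTERNS}


def extract_all(text: str) -> dict:
    """Reference result: the whole input in memory."""
    counts, seen = Counter(), {name: set() for name in PATTERNS}
    _tally(text, counts, seen)
    return _report(counts, seen)


def naive_chunk_extract(stream, chunk_size=64 * 1024) -> dict:
    """Scans each chunk on its own and silently loses any indicator that straddles
    a chunk boundary. Here only to show the failure."""
    counts, seen = Counter(), {name: set() for name in PATTERNS}
    while chunk := stream.read(chunk_size):
        _tally(chunk, counts, seen)
    return _report(counts, seen)


def stream_extract(stream, chunk_size=64 * 1024, max_token=4096) -> dict:
    """Streams the input in fixed-size chunks. Only text up to the last whitespace is
    scanned; the unfinished tail is carried into the next chunk, so an indicator split
    by a chunk boundary is still seen whole and exactly once. max_token caps the carry
    so a stretch with no whitespace cannot buffer the whole file."""
    counts, seen = Counter(), {name: set() for name in PATTERNS}
    carry = ""
    while chunk := stream.read(chunk_size):
        buf = carry + chunk
        cut = max(buf.rfind("\n"), buf.rfind(" ")) + 1  # 0 when there is no whitespace
        if cut == 0 and len(buf) > max_token:
            cut = len(buf)  # no whitespace for a long stretch: flush anyway
        _tally(buf[:cut], counts, seen)
        carry = buf[cut:]
    _tally(carry, counts, seen)  # whatever is left at EOF
    return _report(counts, seen)


if __name__ == "__main__":
    print("whole input :", extract_all(SAMPLE))
    print("naive, 7-char chunks :", naive_chunk_extract(io.StringIO(SAMPLE), chunk_size=7))
    print("streamed, 7-char chunks:", stream_extract(io.StringIO(SAMPLE), chunk_size=7))
```

For a real log, open the file in text mode and keep the default 64 KiB chunk; the carry is then never more than one token, so memory stays flat regardless of file size.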
Pivots
Every extracted IOC is pivotable. The pivot menu shows the relevant tools for each type — see Cross-tool pivots for the full pivot graph.
Sources
- Bundled regex catalog. No external sources.
- The tool runs fully offline.