Diniz Martins

Analysing Email Files

As an Incident Responder it's pretty common to analyse emails; however, the right tools to safely pull apart an email aren't always easy to find.


To start with, a native Outlook email message is stored in the .MSG file format. Unfortunately, this format can't be opened and viewed easily with a text editor, which is where we want to end up. Using a simple text/ASCII viewer carries far less risk of executing anything malicious, which is why we want to avoid using Microsoft Outlook to open our suspicious email.


Historically, Microsoft Outlook has had vulnerabilities that allowed a system to be exploited simply by viewing an email in Outlook. It's because of this risk of malicious code being executed that Incident Responders want to avoid using Outlook as a forensic analysis tool.


For this example, I'm going to assume you have a running Ubuntu virtual machine.


Converting a .MSG File to ASCII


Once inside your Ubuntu virtual machine, pop open a terminal and install the Lib Email package, which allows us to convert a .MSG file into an .EML file, by typing the following commands.



Once we've run the conversion, we'll get a copy of our .MSG file, with the same name, in the .EML file format.


Analysing .EML File


Finally, we're at the point of viewing our malicious email message in an ASCII/text viewer. To start off, open the converted .EML file in your preferred ASCII/text viewer. For this example I'm going to use vim; however, any command line or GUI based text viewer will do.


There are several websites on the internet that make reading .EML files more user-friendly.


Looking at our .EML file you'll notice that it's broken up into a few different sections:

- Header;

- Body;

- Attachment(s).
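Once the .MSG has been converted, the .EML is plain text and can be pulled apart with Python's standard `email` library without rendering or executing anything. The script below is an added example, not code from the original post or from any tool it mentions; it assumes you point it at the .EML produced by the conversion step and, when no path is given, falls back to a constructed sample message (not from any real incident). It separates the three sections listed above: the headers (plus the Received chain), the body as text, and the attachments, described only by name, declared type, size and SHA-256, without writing them to disk.

```python
import hashlib
import sys
from email import policy
from email.parser import BytesParser

# Constructed sample .EML (not taken from any real incident). In practice this
# would be the converted file, read with open(path, "rb").
SAMPLE_EML = b"""\
From: "Accounts Payable" <accounts@example.invalid>
To: analyst@example.invalid
Subject: Invoice 4471 overdue
Date: Tue, 03 Oct 2023 09:14:00 +0000
Message-ID: <constructed-0001@example.invalid>
Received: from mail.example.invalid (192.0.2.10) by mx.example.invalid; Tue, 03 Oct 2023 09:14:01 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="BOUNDARY"

--BOUNDARY
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit

Please see the attached invoice.

--BOUNDARY
Content-Type: application/octet-stream; name="invoice.bin"
Content-Disposition: attachment; filename="invoice.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--BOUNDARY--
"""


def parse_eml(raw: bytes):
    """Parse raw RFC 5322 bytes into an EmailMessage; nothing is rendered or executed."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def extract_headers(msg, names=("From", "To", "Subject", "Date", "Message-ID")):
    """Return the headers an analyst looks at first, as plain strings."""
    return {name: str(msg[name]) for name in names if msg[name] is not None}


def received_chain(msg):
    """All Received: headers, top-most (the hop closest to us) first."""
    return [str(hop) for hop in msg.get_all("Received", [])]


def extract_body(msg):
    """Plain-text body if present, otherwise the HTML source as text (never rendered)."""
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def extract_attachments(msg):
    """Describe each attachment by name, declared type, size and SHA-256; no files are written."""
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        found.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
        })
    return found


def triage(raw: bytes) -> dict:
    """Split an .EML into the header, body and attachment sections."""
    msg = parse_eml(raw)
    return {
        "headers": extract_headers(msg),
        "received": received_chain(msg),
        "body": extract_body(msg),
        "attachments": extract_attachments(msg),
    }


if __name__ == "__main__":
    # Usage: python3 eml_triage.py message.eml   (file name is hypothetical)
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_EML
    report = triage(raw)
    for key, value in report["headers"].items():
        print(f"{key}: {value}")
    for hop in report["received"]:
        print(f"Received: {hop}")
    print("--- body ---")
    print(report["body"].rstrip())
    print("--- attachments ---")
    for att in report["attachments"]:
        print(f"{att['filename']} ({att['content_type']}, {att['size']} bytes) sha256={att['sha256']}")
```

Because everything stays on the analysis VM, the hashes can be checked against your own intelligence sources without handing a possibly sensitive message to a third-party website, and an HTML body is only ever shown as source.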



This is just the first step in analysing an email. In a future post, we'll go into more detail about this.

