
Analysing Email Files

As an Incident Responder it's pretty common to analyse emails; however, the right tools to safely pull apart an email aren't always easy to find.

To start with, a native Outlook email message is in an .MSG file format. This format, unfortunately, can't be opened and viewed easily with a text editor, which is where we want to end up. Using a simple text/ASCII viewer has far fewer risks of executing anything malicious, which is why we want to avoid using Microsoft Outlook to open our suspicious email.

Historically, Microsoft Outlook has had vulnerabilities that allow a system to be exploited simply by viewing an email in Outlook. It's because of this risk of malicious code being executed that Incident Responders want to avoid using Outlook as a forensic analysis tool.

For this example, I'm going to assume you have a running Ubuntu virtual machine.

Converting .MSG File to ASCII.

Once inside your Ubuntu virtual machine, pop open a terminal prompt and install the Lib Email package that allows us to convert a .MSG file into an .EML file by typing the following commands.

Once we've executed this command we'll get a duplicate version of our .MSG file, with the same name, except in an .EML file format.

Analysing .EML File

Finally, we're at the point of viewing our malicious email message in an ASCII/text viewer. To start off, let's open the converted .EML file in your preferred ASCII/text viewer. For this example I'm going to use vim; however, any command line or GUI based text viewer will do.

There are several websites on the internet that make reading .EML files more user-friendly.

Looking at our .EML file you'll notice that it's broken up into a few different sections:

- Header;

- Body;

- Attachment(s).
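As an added example (not part of the original post), the Python script below uses only the standard library `email` package to split a message into these three sections without rendering HTML or writing attachments to disk. The sample message, its addresses and the `triage_eml` name are constructed for illustration.

```python
import hashlib
from email import policy
from email.parser import BytesParser

# Constructed sample standing in for a converted .EML file (not a real email).
SAMPLE_EML = (
    b"Received: from mail.example.net (mail.example.net [192.0.2.10])\r\n"
    b"\tby mx.example.org; Mon, 01 Jan 2024 10:00:00 +0000\r\n"
    b"From: Accounts <billing@example.net>\r\n"
    b"Reply-To: someone@example.com\r\n"
    b"To: analyst@example.org\r\n"
    b"Subject: Invoice overdue\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUND"\r\n'
    b"\r\n"
    b"--BOUND\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Please see the attached invoice.\r\n"
    b"--BOUND\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.zip"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"UEsDBA==\r\n"
    b"--BOUND--\r\n"
)

HEADERS_OF_INTEREST = ("From", "Reply-To", "To", "Subject", "Received")

def triage_eml(raw: bytes) -> dict:
    """Summarise header, body and attachments; nothing is rendered or saved."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""  # decoded bytes, kept in memory
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),  # for reputation lookups
        })
    headers = {h: [str(v) for v in msg.get_all(h, [])] for h in HEADERS_OF_INTEREST}
    return {"headers": headers,
            "body": body.get_content() if body else "",
            "attachments": attachments}

if __name__ == "__main__":
    print(triage_eml(SAMPLE_EML))
```

To run it against a real sample, read the converted file with `open(path, "rb").read()` and pass the bytes to `triage_eml`. A From address that differs from Reply-To, as in the constructed sample, is one of the first things to check in the header section.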

This is just the first step to analyzing an email. In a future post, we'll go into more detail about this.
