Analysing Email Files

As an Incident Responder it's pretty common to analyse emails, however finding the right tools, to safely pull apart an email, aren't always easy to find.


To start with, a native Outlook email message is in an .MSG file format. This format, unfortunately, can't be opened and viewed easily with a text editor, which is where we want to end up. Using a simple text/ASCII viewer has far fewer risks of executing anything malicious, which is why we want to avoid using Microsoft Outlook to open our suspicious email.


Historical, Microsoft Outlook has had vulnerabilities that allow for exploitation of a system from simply viewing an email in Microsoft Outlook. It's because of this risk, malicious code being executed, that the Incident Responders want to avoid using Outlook as a forensic analysis tool.


For this example, I'm going to assume you have a running Ubuntu virtual machine.


Converting .MSG File to ASCII.


Once inside your Ubuntu virtual machine pop open a terminal prompt and install the Lib Email package that allows us to convert a .MSG file into an .EML file by typing the following commands.



Once we've executed this command we'll get a duplicate version of our .MSG file, with the same name, except in an .EML file format.


Analysing .EML File


Finally, we're at the point of viewing our malicious email message in an ASCII/text viewer, to start off let's open the converted .EML file in your prefered ASCII/text viewer. For this example I'm going to use vim, however, any command line or GUI based text viewer will do.


There are several website on the internet that make this reading of .EML files more user-friendly.


Looking at our .EML file you'll notice that it's broken up into a few different sections:

- Header;

- Body;

- Attachment(s).



This is just the first step to analyzing an email. In a future post, we'll go into more detail about this.


52 views0 comments

Recent Posts

See All

Here I will show you a command that will help you to transfer files faster between computers, it's very useful when you need to transfer a large amount of files. You can do it to transfer to others ha

Malicious executables often attempt to hide their behavior and evade detection. By doing so, they present anomalies and suspicious patterns. Pestudio is a free tool that allows you to perform an initi

Do you want to build by yourself a LAN server right on your Windows computer? Here you have some steps to do it works. #1) Go to openspeedtest.com; #2) Click on DOWNLOAD link; #3) Download and install