Analysing Email Files
As an Incident Responder it's pretty common to analyse emails, however finding the right tools, to safely pull apart an email, aren't always easy to find.
To start with, a native Outlook email message is in an .MSG file format. This format, unfortunately, can't be opened and viewed easily with a text editor, which is where we want to end up. Using a simple text/ASCII viewer has far fewer risks of executing anything malicious, which is why we want to avoid using Microsoft Outlook to open our suspicious email.
Historical, Microsoft Outlook has had vulnerabilities that allow for exploitation of a system from simply viewing an email in Microsoft Outlook. It's because of this risk, malicious code being executed, that the Incident Responders want to avoid using Outlook as a forensic analysis tool.
For this example, I'm going to assume you have a running Ubuntu virtual machine.
Converting .MSG File to ASCII.
Once inside your Ubuntu virtual machine pop open a terminal prompt and install the Lib Email package that allows us to convert a .MSG file into an .EML file by typing the following commands.
Once we've executed this command we'll get a duplicate version of our .MSG file, with the same name, except in an .EML file format.
Analysing .EML File
Finally, we're at the point of viewing our malicious email message in an ASCII/text viewer, to start off let's open the converted .EML file in your prefered ASCII/text viewer. For this example I'm going to use vim, however, any command line or GUI based text viewer will do.
There are several website on the internet that make this reading of .EML files more user-friendly.
Looking at our .EML file you'll notice that it's broken up into a few different sections:
This is just the first step to analyzing an email. In a future post, we'll go into more detail about this.