Analysing Email Files

As an Incident Responder it's pretty common to analyse emails; however, the right tools to safely pull apart an email aren't always easy to find.

To start with, a native Outlook email message is stored in the .MSG file format. Unfortunately, this format can't be opened and viewed easily with a text editor, which is where we want to end up. Viewing the message in a simple text/ASCII viewer carries far less risk of executing anything malicious, which is why we want to avoid using Microsoft Outlook to open our suspicious email.

Historically, Microsoft Outlook has had vulnerabilities that allowed a system to be exploited simply by viewing an email in Outlook. It's because of this risk of malicious code being executed that Incident Responders want to avoid using Outlook as a forensic analysis tool.

For this example, I'm going to assume you have a running Ubuntu virtual machine.

Converting .MSG File to ASCII

Once inside your Ubuntu virtual machine, pop open a terminal and install the Lib Email package, which lets us convert a .MSG file into an .EML file, by typing the following commands.

Once we've executed this command we'll get a duplicate of our .MSG file with the same name, but in the .EML file format.

Analysing .EML File

Finally, we're at the point of viewing our malicious email message in an ASCII/text viewer. To start off, open the converted .EML file in your preferred ASCII/text viewer. For this example I'm going to use vim; however, any command line or GUI based text viewer will do.

There are several websites on the internet that make reading .EML files more user-friendly.

Looking at our .EML file you'll notice that it's broken up into a few different sections:

- Header;

- Body;

- Attachment(s).
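To see what those three sections look like when pulled apart programmatically, here is an added example (my own script, not part of the original post) that parses a constructed .EML with Python's standard-library email module and reports the headers, the Received chain, the plain-text body and a SHA-256 per attachment, without rendering or opening anything. The sample message, the triage_eml function name and the invoice.docm filename are all made up for the illustration.

```python
import email
import hashlib
from email import policy

# Constructed sample .EML (not a real message): one text part plus one attachment.
SAMPLE_EML = b"""\
Received: from mail.example.net (mail.example.net [192.0.2.10])
 by mx.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:00 +0000
From: "Accounts" <accounts@example.net>
To: victim@example.com
Subject: Invoice attached
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice.
--XYZ
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

aGVsbG8=
--XYZ--
"""

def triage_eml(raw: bytes) -> dict:
    """Split a raw .EML into header, body and attachment summaries; attachments are only hashed."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    headers = {k: str(msg[k]) for k in ("From", "To", "Subject")}
    # Each relay prepends its own Received header, so the list reads newest hop first.
    received = [str(h) for h in msg.get_all("Received", [])]
    body_parts, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no content of their own
        filename = part.get_filename()
        if filename or part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""  # decoded bytes, never executed
            attachments.append({
                "filename": filename,
                "content_type": part.get_content_type(),
                "sha256": hashlib.sha256(data).hexdigest(),
            })
        elif part.get_content_type() == "text/plain":
            body_parts.append(part.get_content().strip())
    return {"headers": headers, "received": received,
            "body": "\n".join(body_parts), "attachments": attachments}
```

Point the function at the bytes of any converted .EML and the attachment hashes can be checked against threat intelligence before the file is ever opened.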

This is just the first step to analyzing an email. In a future post, we'll go into more detail about this.
