E-mail Analysis
A Brief introduction to E-mails in Digital Forensics
Note, the following blog was used to learn this.
https://blog.joshlemon.com.au/analysing-malicious-email-files/?utm_source=computerforensics&utm_medium=reddit. This post is simply a rewrite.
I recommend viewing the original as well as this one.
Why?
E-mails can contain all sorts of information: malicious files and communications are just some of the
vital evidence we look for.
Can’t we just view it in Outlook?
In forensics, we would rather not analyse evidence in its native environment unless there is
good reason. Viewing an e-mail in Outlook, it is easy to accidentally change the evidence, and we could
also trigger malicious scripts!
So what do we do?
Thankfully, we can use the SANS SIFT workstation (a valuable open-source forensic workstation).
First, save the message as .MSG in the Outlook Desktop application.
Now, let's head over to our Virtual Machine:
The password is forensics
Following the blog, we type in:
$ sudo apt install libemail-outlook-message-perl libemail-sender-perl
So, with superuser permissions, we are installing the Perl packages libemail-outlook-message-perl (which provides the msgconvert tool) and libemail-sender-perl.
If it doesn't work, remember that the $ is just the shell prompt: type the command from sudo onwards.
I changed the name of my file to email.msg, as it is easier to type. I then converted it to .eml using:
$ msgconvert email.msg
Using the following command, I checked that the converted .eml file was there:
$ ls
Opening the .eml file with vim, I could view more information (the full headers):
Note who Ray Ban Sunglasses actually is…
Below, we see one of the Received: headers:
from VE1EUR02FT062.eop-EUR02.prod.protection.outlook.com
(10.152.12.54) by VE1EUR02HT096.eop-EUR02.prod.protection.outlook.com
(10.152.13.174) with Microsoft SMTP Server (version=TLS1_2,
cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.20.1207.19; Sat, 6
Oct 2018 16:58:47 +0000
Highlighted are an address and timestamp information. In this case the time is already UTC (+0000), whereas -1000 would
indicate 1 hour behind UTC.
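To make the timestamp point concrete, here is an added example (mine, not code from the original post or from Josh Lemon's blog) that reads every Received: header out of a constructed message, normalises each hop's time to UTC and works out the delay between hops. The hostnames, IP addresses and queue IDs in SAMPLE_EML are made up; the inner hop deliberately carries a -0100 offset, i.e. one hour behind UTC, so that both hops have to be put on the same clock before they can be compared.

```python
"""Walk the Received: header chain of an e-mail and normalise each hop's
timestamp to UTC. Added example for this write-up; not from the original
post. SAMPLE_EML is constructed: hosts, addresses and IDs are made up."""
import re
import email
from email import policy
from email.utils import parsedate_to_datetime
from datetime import datetime, timezone

# Constructed sample. Mail servers prepend Received: headers, so the first
# one listed is the most recent hop. The inner hop uses a -0100 offset,
# i.e. one hour behind UTC.
SAMPLE_EML = """\
Received: from mx-edge.example.net (198.51.100.7)
 by mailstore.example.net (198.51.100.20) with ESMTPS id abc123;
 Sat, 6 Oct 2018 16:58:47 +0000
Received: from relay.example.org (203.0.113.9)
 by mx-edge.example.net (198.51.100.7) with ESMTP id def456;
 Sat, 6 Oct 2018 15:58:40 -0100
From: Ray Ban Sunglasses <shop@example.org>
To: analyst@example.net
Subject: constructed sample
Date: Sat, 6 Oct 2018 15:58:00 -0100

Body text.
"""


def parse_received_chain(raw):
    """Return the hops in delivery order (earliest first). Each record has
    the sending host, the receiving host, the hop's own UTC offset in hours
    and the timestamp converted to UTC."""
    msg = email.message_from_string(raw, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        value = " ".join(str(value).split())   # unfold, squash whitespace
        head, sep, date_str = value.rpartition(";")
        if not sep:                            # malformed hop: no timestamp clause
            continue
        ts = parsedate_to_datetime(date_str.strip())
        if ts.tzinfo is None:                  # "-0000" means unknown zone; treat as UTC
            ts = ts.replace(tzinfo=timezone.utc)
        from_m = re.search(r"\bfrom\s+(\S+)", head)
        by_m = re.search(r"\bby\s+(\S+)", head)
        hops.append({
            "from": from_m.group(1) if from_m else None,
            "by": by_m.group(1) if by_m else None,
            "offset_hours": ts.utcoffset().total_seconds() / 3600,
            "received_utc": ts.astimezone(timezone.utc).isoformat(),
        })
    hops.reverse()   # header order is newest-first; flip to chronological
    return hops


def delivery_delays(hops):
    """Seconds between consecutive hops once both are on the UTC clock.
    A negative value means a later server claims an earlier time, which is
    worth a closer look (clock skew or a forged header)."""
    times = [datetime.fromisoformat(h["received_utc"]) for h in hops]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    chain = parse_received_chain(SAMPLE_EML)
    for hop in chain:
        print(hop)
    print("delays (s):", delivery_delays(chain))
```

Running it on a real .eml instead of SAMPLE_EML is a matter of passing the file's contents to parse_received_chain; the hop list reads bottom-up from the headers, which is the order the message actually travelled.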
Scrolling further down, we can see the body, which is where we may find the most interesting
evidence.
Here, it's quite clear that the email wants you to go to www.sunglassessaleplat.store,
which, although coming up as clean on VirusTotal, still seems suspicious.
This is especially so where it says images should be viewed in a "brower" (sic).
Attachments
Scrolling further, we can see the attachments, which are, again, interesting.
This email has an RTF attachment.
It is shown in the body as base64 text:
Thankfully, base64 is an encoding rather than encryption, so it is easy to decode.
So, highlight from the top, where it says e1xy… (e1xy is the base64 encoding of "{\r", the start of an RTF header), to the bottom, which ends with
aHRtbD59Cg17XCpcaHRtbHRhZzMgXHBhciB9fQ==
We then paste that text into a file.
To do this, I used the commands:
touch attachment1-RTF
This creates the (empty) file attachment1-RTF, as the touch command is used to create files.
sudo nano attachment1-RTF
This allows me to then paste in the base64 text, as nano is the in-terminal text editor.
base64 -d -i attachment1-RTF > attachment-1.RTF
The -d flag decodes the base64 and -i (--ignore-garbage) ignores invalid characters, such as stray line breaks from copying.
This decodes the attachment into attachment-1.RTF, which looked as such
when opened:
Basically, this is the view the user would see.
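The touch/nano/base64 steps above can also be done with Python's standard email library, which undoes the base64 for you and leaves the attachment in memory so it can be hashed and checked without ever opening it. The following is an added example (mine, not code from the original post or from Josh Lemon's blog); it builds a constructed message whose RTF attachment is a harmless stub, and decode_pasted_base64 is the in-Python equivalent of the base64 -d -i step for text copied out of the .eml by hand.

```python
"""Extract attachments from an .eml without opening them: decode the MIME
part, record size, SHA-256 and magic bytes. Added example for this
write-up; not from the original post. The message and the RTF payload are
constructed stand-ins."""
import base64
import email
import hashlib
from email import policy
from email.message import EmailMessage

# Constructed stand-in for the RTF attachment; "{\rtf" is the RTF magic.
SAMPLE_RTF = b"{\\rtf1\\ansi Constructed sample attachment.\\par}"
SAMPLE_RTF_SHA256 = hashlib.sha256(SAMPLE_RTF).hexdigest()


def build_sample_eml():
    """Build a multipart message carrying SAMPLE_RTF as a base64 attachment
    (constructed sample; addresses are made up)."""
    msg = EmailMessage()
    msg["From"] = "Ray Ban Sunglasses <shop@example.org>"
    msg["To"] = "analyst@example.net"
    msg["Subject"] = "constructed sample"
    msg.set_content("See the attached document.")
    msg.add_attachment(SAMPLE_RTF, maintype="application", subtype="rtf",
                       filename="document.rtf")
    return msg.as_string()


def decode_pasted_base64(text):
    """Equivalent of `base64 -d -i`: decode text copied out of the .eml,
    discarding line breaks and other non-alphabet characters."""
    return base64.b64decode(text, validate=False)


def extract_attachments(raw):
    """Walk the MIME tree and return one record per attachment: filename,
    declared type, size, SHA-256 and the first bytes, so the declared type
    can be compared with the real magic. Nothing is written or opened."""
    msg = email.message_from_string(raw, policy=policy.default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)   # undoes base64 / quoted-printable
        records.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            "sha256": hashlib.sha256(data).hexdigest(),
            "magic": data[:5],
        })
    return records


if __name__ == "__main__":
    for rec in extract_attachments(build_sample_eml()):
        print(rec["filename"], rec["content_type"], rec["size"],
              rec["sha256"], rec["magic"])
```

For a real case, read the .eml produced by msgconvert into raw instead of calling build_sample_eml(); the hash in each record is what you submit to a reputation service, and the magic bytes tell you whether an "RTF" really starts with {\rtf before anything is rendered.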
Note: Josh used a malicious e-mail and was able to extract a malicious document.
Further note: ALWAYS DO THIS ON AN ISOLATED MACHINE
This avoids contamination of your machine.