Mail Header Analysis
Last updated
Your employer received a blackmail email and handed it to you for forensic analysis.
You now have to analyse the SMTP header and the metadata of the attachment.
Download the blackmail.txt file from here:
You first have to analyse the SMTP header. Write down everything you think may be of interest.
Your second job is to analyze the metadata of the attachment. What kind of information is there to be found?
Who is the receiver and who is the sender?
Which mail servers were involved in the delivery of this email?
Which data has possibly been faked in the SMTP header?
How did you extract the attachment?
Where is the metadata of the attachment located?
Who created and modified the file?
When was the file created and modified?
Was the file printed and, if so, when?
Can you trust the metadata?
What is the content of the file and where is it located?
To find the sender and receiver we are going to check the To: and From: header fields:
Every mail server involved in the delivery adds a Received: entry to the SMTP header.
The sender and receiver may have been faked. It is also possible to fake parts of the Received: headers; only the entries added by your own mail servers can be trusted.
We can also use an online tool for the header analysis:
The attachment is base64 encoded!
I put the base64 content in a file called attachment.base64; from there I write out a zip file and a docx file for the further analysis.
The docx file has the following content:
unzip attachment.zip
Now we can see a bunch of xml files!
The metadata we are interested in is located in docProps/core.xml
Christine Meier created and modified the file. This information is to be found in docProps/core.xml. The XML tags containing this information are <dc:creator>, <cp:lastModifiedBy>, <dcterms:created xsi:type="dcterms:W3CDTF"> and <dcterms:modified xsi:type="dcterms:W3CDTF">.
There is another entry in docProps/core.xml that shows you that this file has been printed. The XML tag we are looking for is <cp:lastPrinted>.
Note: It is possible to modify the xml files contained in a docx file, so the metadata can't always be trusted.
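The whole procedure above (read From:/To:, list the Received: hops, decode the base64 attachment, unzip the docx and read docProps/core.xml) as one added script; this is example code, not part of the original writeup. The mail, host names, addresses and the core.xml values are constructed here so it runs offline, and the author name "Example Author" stands in for the real blackmail.txt.

```python
import base64
import io
import zipfile
import xml.etree.ElementTree as ET
from email import message_from_string
from email.policy import default

# Namespaces used by docProps/core.xml in an OOXML (docx) package.
NS = {"cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
      "dc": "http://purl.org/dc/elements/1.1/", "dcterms": "http://purl.org/dc/terms/"}
TAGS = ["dc:creator", "cp:lastModifiedBy", "dcterms:created", "dcterms:modified", "cp:lastPrinted"]

# Constructed core.xml standing in for the real attachment's metadata.
CORE_XML = (b'<?xml version="1.0" encoding="UTF-8"?><cp:coreProperties xmlns:cp="%s" xmlns:dc="%s" '
            b'xmlns:dcterms="%s" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">'
            b'<dc:creator>Example Author</dc:creator><cp:lastModifiedBy>Example Author</cp:lastModifiedBy>'
            b'<dcterms:created xsi:type="dcterms:W3CDTF">2020-01-01T10:00:00Z</dcterms:created>'
            b'<dcterms:modified xsi:type="dcterms:W3CDTF">2020-01-02T11:00:00Z</dcterms:modified>'
            b'<cp:lastPrinted>2020-01-01T12:00:00Z</cp:lastPrinted></cp:coreProperties>'
            % tuple(v.encode() for v in NS.values()))

def build_sample_mail():
    """Constructed blackmail.txt: two Received hops and a base64 docx (a zip with core.xml)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", CORE_XML)
    b64 = base64.encodebytes(buf.getvalue()).decode()
    return ("Received: from mx.example.net (mx.example.net [192.0.2.20])\n"
            "\tby mail.example.com with ESMTP; Wed, 01 Jan 2020 13:00:00 +0000\n"
            "Received: from sender-pc (unknown [198.51.100.7])\n"
            "\tby mx.example.net with SMTP; Wed, 01 Jan 2020 12:59:00 +0000\n"
            "From: Boss <boss@example.com>\nTo: victim@example.com\nSubject: Pay up\n"
            'MIME-Version: 1.0\nContent-Type: multipart/mixed; boundary="XYZ"\n\n'
            "--XYZ\nContent-Type: text/plain\n\nsee attachment\n\n"
            '--XYZ\nContent-Type: application/octet-stream; name="blackmail.docx"\n'
            'Content-Disposition: attachment; filename="blackmail.docx"\n'
            "Content-Transfer-Encoding: base64\n\n" + b64 + "--XYZ--\n")

def analyse(raw):
    msg = message_from_string(raw, policy=default)
    # Received: headers are prepended by each hop, so the last one is the first server that
    # saw the mail; we list them in delivery order. Only hops added by our own servers are trusted.
    hops = [" ".join(h.split()) for h in reversed(msg.get_all("Received", []))]
    report = {"from": str(msg["From"]), "to": str(msg["To"]), "hops": hops, "metadata": {}}
    for part in msg.iter_attachments():
        if part.get_filename("").endswith(".docx"):
            docx = part.get_payload(decode=True)          # base64 -> zip bytes
            with zipfile.ZipFile(io.BytesIO(docx)) as z:  # a docx is a zip of xml files
                root = ET.fromstring(z.read("docProps/core.xml"))
            report["metadata"] = {t: root.findtext(t, namespaces=NS) for t in TAGS}
    return report
```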