Mail Header Analysis

1. Introduction

Your employer received a blackmail and gave it to you for a forensic analysis.

You now have to analyse the SMTP header and the metadata of the attachment.

Download the blackmail.txt file from here:

You first have to analyse the SMTP header. Write down everything you think may be of interest.
Your second job is to analyze the metadata of the attachment. What kind of information is there to be found?

2. Tasks

Who is the receiver and who is the sender?
Which mail servers were involved in the delivery of this email?
Which data has possibly been faked in the SMTP header?
How did you extract the attachment?
Where is the metadata of the attachment located at?
Who created and modified the file?
When was the file created and modified?
Was the file printed and if so when has it been printed?
Can you trust the metadata?
What is the content of the file and where is it located?

3. Manual Header Analysis

To find the sender and receiver we are going to check the To: and From: header fields:

Every mail server involved in the delivery adds a Received entry to the SMTP header.

The sender and receiver may have been faked. It is also possible to fake parts of the Received: headers

4. Online Header Analysis

We can also use an online tool for the header analysis:

5. Decode Attachement

For the attachement we have a base64 encoding!

I put the base64 content in a file called attachment.base64

from there I write out a zip file and a docx file for the further analysis

base64 -d attachment.base64 > attachment.zip

base64 -d attachment.base64 > suspiscious.docx

The docx file have the following content:

6. Analyse metadata

unzip attachment.zip

Now we can see a bunch of xml files!

The metadata we are interested in is located in docProps/core.xml

Christine Meier created and modified the file. This information is to be found in docProps/core.xml. The XML tags containing this information are <cp:lastModifiedBy>, <cp:lastModifiedBy>, <dcterms:created xsi:type="dcterms:W3CDTF"> and <dcterms:modified xsi:type="dcterms:W3CDTF">.

There is another entry in the docProps/core.xml that shows you that this file has been printed. The XML tag we are looking for is <cp:lastPrinted>.

Note:

It is possible to modify the xml files contained in a docx file, so the metadata can't always be trusted.

PreviousBrowser Forensics NextTimestomping Exercise

Last updated 2 years ago