# Mail Header Analysis

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fop4uKZAPv1eJrLZsefeM%2FEmail-header.jpg?alt=media\&token=49b35946-a84a-47ac-a0e5-2f64f24e7505)

### 1. Introduction

Your employer received a blackmail email and handed it to you for forensic analysis.

You now have to analyse the SMTP headers and the metadata of the attachment.

* Download the blackmail.txt file from here:

{% file src="<https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FToBPHbdfXkwXhSFh3G8o%2Fblackmail.txt?alt=media&token=61908bb2-72c3-4d5e-82a8-2b08ce071eb3>" %}

* You first have to analyse the SMTP header. Write down everything you think may be of interest.
* Your second job is to analyze the **metadata of the attachment**. What kind of information is there to be found?

### 2. Tasks

* Who is the receiver and who is the sender?
* Which mail servers were involved in the delivery of this email?
* Which data has possibly been faked in the SMTP header?
* How did you extract the attachment?
* Where is the metadata of the attachment located at?
* Who created and modified the file?
* When was the file created and modified?
* Was the file printed and if so when has it been printed?
* Can you trust the metadata?
* What is the content of the file and where is it located?

### 3. Manual Header Analysis

To find the sender and receiver we are going to check the `To:` and `From:` header fields:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FPuIt28Qj9OxrK8dECLju%2Fmailheader01.png?alt=media\&token=e50e0513-612f-425b-8cfe-2db748009175)

Every mail server involved in the delivery prepends its own `Received:` entry to the header. The topmost `Received:` line was therefore added by the last server (your own mail server), the bottom one by the first hop, so the chain is read from the bottom up to follow the delivery path.

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FLieEw4vaUtDipKsSI6Jf%2Fmailheader02.png?alt=media\&token=70d1a689-19d4-4b4b-869c-78893ee9990e)

The `From:` and `To:` fields are set by the sender and can be faked freely. Parts of the `Received:` chain can be forged as well: whoever controls the first server(s) can insert arbitrary `Received:` lines below the genuine ones. Only the entries added by servers you trust (the ones closest to the top, i.e. your own) are reliable.
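The manual steps above (read `From:`/`To:`, walk the `Received:` chain bottom-up, look for hops that do not fit) as a small script. This is an added example, not part of the original exercise; the message it parses is a constructed sample, not the blackmail.txt from the page, and the plausibility checks in `suspicious_hops` are my own heuristics:

```python
import re
import email
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message (not the page's blackmail.txt). Two Received: lines,
# newest on top, because each MTA prepends its own entry as the mail passes through.
SAMPLE_MESSAGE = b"""\
Received: from mx1.example.org (mx1.example.org [198.51.100.7])
\tby mail.victim.example (Postfix) with ESMTPS id 4F2C1
\tfor <ceo@victim.example>; Mon, 04 Mar 2024 09:15:02 +0100
Received: from relay.example.net (unknown [203.0.113.9])
\tby mx1.example.org with ESMTP id abc123
\tfor <ceo@victim.example>; Mon, 04 Mar 2024 09:14:55 +0100
From: "Board Office" <board@victim.example>
To: ceo@victim.example
Subject: Your last chance
Content-Type: text/plain; charset=us-ascii

Pay up.
"""

# "from <host> (<reverse-dns> [<ip>]) by <host>": the usual shape of a Received: line
HOP_RE = re.compile(r"from\s+(?P<frm>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)")


def sender_and_receiver(raw: bytes):
    """Addresses from the From: and To: header fields (both are sender-controlled)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    return ([a.addr_spec for a in msg["From"].addresses],
            [a.addr_spec for a in msg["To"].addresses])


def parse_hops(raw: bytes) -> list:
    """Return the Received: chain in delivery order (first hop first)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):  # bottom entry = first hop
        text = " ".join(str(value).split())  # unfold continuation lines
        m = HOP_RE.search(text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None
        hops.append({
            "from": m.group("frm") if m else None,
            "info": m.group("info") if m else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(stamp) if stamp else None,
            "raw": text,
        })
    return hops


def suspicious_hops(hops: list) -> list:
    """Cheap plausibility checks; a hit is a lead to investigate, not proof of forgery."""
    findings = []
    for i, hop in enumerate(hops):
        if hop["info"] and hop["info"].startswith("unknown"):
            findings.append(f"hop {i}: receiving server found no reverse DNS for {hop['from']}")
        if i and hop["time"] and hops[i - 1]["time"] and hop["time"] < hops[i - 1]["time"]:
            findings.append(f"hop {i}: timestamp earlier than the previous hop")
        if i and hop["from"] and hops[i - 1]["by"] and hop["from"] != hops[i - 1]["by"]:
            findings.append(f"hop {i}: claims to come from {hop['from']} "
                            f"but the previous hop was handled by {hops[i - 1]['by']}")
    return findings


if __name__ == "__main__":
    print("From/To:", sender_and_receiver(SAMPLE_MESSAGE))
    hops = parse_hops(SAMPLE_MESSAGE)
    for i, hop in enumerate(hops):
        print(f"hop {i}: {hop['from']} -> {hop['by']} at {hop['time']}")
    for finding in suspicious_hops(hops):
        print("check:", finding)
```

Run it against the real blackmail.txt by replacing `SAMPLE_MESSAGE` with the file's bytes. Note that the "no reverse DNS" hit comes from the `(unknown [ip])` annotation the receiving server writes itself, which is the only part of a hop you should rely on: the `from` hostname is whatever the connecting client announced in its `HELO`.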

### 4. Online Header Analysis

We can also use an online tool for the header analysis:

{% embed url="<https://toolbox.googleapps.com/apps/messageheader/analyzeheader>" %}

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FkBCQxCBDam3KiinJiyrh%2Fmailheader03.png?alt=media&#x26;token=de8958f5-89d0-4da0-8775-7f90ca832370" alt=""></div>

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FrsF5qm8pm64aWzU0dFgV%2Fmailheader04.png?alt=media&#x26;token=af54bf7d-a8b4-4e2d-9635-3946a55d351f" alt=""></div>

### 5. Decode Attachment

The attachment is transferred base64 encoded:

![](https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fz4q6J0drEIOjHC3dOOju%2Fattachement01.png?alt=media\&token=47032e0e-9774-415b-868c-2fb32d426582)

I put the base64 content in a file called `attachment.base64`.

From there I decode it twice, once as a zip file and once as a docx file for the further analysis. A docx file is a zip archive, so both files contain exactly the same bytes; the different extensions just make the next steps more convenient:

```
base64 -d attachment.base64 > attachment.zip
```

```
base64 -d attachment.base64 > suspicious.docx
```

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Ftu6kLbwhmxyRC5247NYq%2Fdecode01.png?alt=media&#x26;token=a627dfad-5a99-4a84-8902-9b5e6c8c42c3" alt=""></div>

The docx file has the following content:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2FBqPhEcOBb7JMc0m8jsAi%2Fdocx01.png?alt=media&#x26;token=1ad848ae-7d79-4c92-9bd0-44ddf5d42939" alt=""></div>

### 6. Analyse metadata

```
unzip attachment.zip
```

Now we can see a bunch of XML files:

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2F0KdJpnD6bI8yjiKV4hJZ%2Fmeta01.png?alt=media&#x26;token=0c9e4885-4321-4d6a-a3b0-1e9afa2b1ff9" alt=""></div>

The metadata we are interested in is located in `docProps/core.xml` (`docProps/app.xml` holds further application-level metadata such as the editing application and the total editing time).

Christine Meier created and modified the file. This information is to be found in `docProps/core.xml`. The XML tags containing this information are `<dc:creator>`, `<cp:lastModifiedBy>`, `<dcterms:created xsi:type="dcterms:W3CDTF">` and `<dcterms:modified xsi:type="dcterms:W3CDTF">`.

<div align="left"><img src="https://3977837039-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MfT0VPyK6X13Egd9pzy%2Fuploads%2Fp1IHyNU1lPZvDCwQ2sDd%2Fmeta02.png?alt=media&#x26;token=5b153549-b4fd-4d6f-ba25-847a04c1d415" alt=""></div>

There is another entry in `docProps/core.xml` that shows that the file has been printed: the `<cp:lastPrinted>` tag holds the timestamp of the last print. If the tag is missing, no print has been recorded.

Note:

The XML files inside a docx file are plain text and can be edited by anyone (the archive only needs to be re-zipped afterwards), so the metadata can't always be trusted. Cross-check it against independent evidence such as the timestamps in the `Received:` chain.
