Digital Forensics Tool: Elyzer

Elyzer

Elyzer by B0lg0r0v, is an e-mail header analyzer capable of detecting potential spoofing attempts. It will give you general information about the e-mail, the route it took, important security headers and the phishing / spoofing results.

General Information

• Before using this tool, make sure the e-mail header is formated correctly. This tool will parse the header according to RFC 822.
• This tool can ONLY utilize the spoofing / phishing function if the header contains the sender’s SMTP Server IPv4 address. IPv6 addresses are currently not supported.
• Microsoft e-mail services are using IPv6 addresses, which on top of that are proxys. Finding the source address is very difficult if not simply impossible.
• DO NOT RELY ONLY ON THIS TOOL. Elyzer cannot guarantee you 100% accuracy.

Installation

For Unix users:

git clone https://github.com/B0lg0r0v/Elyzer.git

cd Elyzer

pip3 install -r requirements.txt

For Windows users:

Get the compiled version from the release section. The usage is the same as for Unix users.

Usage

Using Elyzer is quite intuitive. Give with the -f argument the header file.

Unix:

python3 elyzer.py -f

Windows:

.\Elyzer.exe -f

Additionally you can give a file with the -a argument to Elyzer. It will then generate you a VirusTotal Link where you can see if the file is potentially malicious or not.

python3 elyzer.py -f -a

Features

Here’s a quick overview of Elyzer’s features:

• Print general e-mail informations
• Print relay routing with timestamps
• Print security headers and check if set correctly
• Print interesting headers such as “Envelope-From”
• Print MS-Exchange Headers
• Spoofing / Phishing analyzer

Clone the repo from here: GitHub Link