Digital Forensics Tool: Email Analyzer
EmailAnalyzer
Email Analyzer by keraattin is a tool for analyzing suspicious emails. It extracts headers, links, hashes and attachments from an .eml file, and more. Tracing an email back to its origin, whether before or after an attack, is a crucial investigative step: studying the headers, IPs and X-Originating fields, checking them against services such as VirusTotal, and extracting links and attachments to see where they lead and how they are hosted. This tool lets you do all of that directly from a Linux terminal during a digital forensics investigation.
Usage
usage: email-analyzer.py [-h] -f FILENAME [-H] [-d] [-l] [-a]
options:
-h, --help show this help message and exit
-f FILENAME, --filename FILENAME
Name of file
-H, --headers Headers of the eml file
-d, --digests Digests of the eml file
-l, --links Links from the eml file
-a, --attachments Attachments from the eml file
To get Headers
python3 email-analyzer.py -f <eml file> --headers
Headers
Received:
from TEST.TEST.PROD.OUTLOOK.COM (2603:10a6:20b:4f2::13)
by TEST.TEST.PROD.OUTLOOK.COM with HTTPS; Fri, 25 Nov 2022
12:36:39 +0000
Content-Type:
multipart/alternative; boundary=335b23d5689bd75ab002f9c46a6e8023c265d60dd923308dcc7eb7a2cf25
Date:
Fri, 25 Nov 2022 12:36:36 +0000 (UTC)
Subject:
How to use EmailAnalyzer
Reply-To:
[email protected]
X-Sender-IP:
127.0.0.1
Investigation
[X-Sender-IP]
[Virustotal]
https://www.virustotal.com/gui/search/127.0.0.1
[Abuseipdb]
https://www.abuseipdb.com/check/127.0.0.1
To get Hash of eml file & content
python3 email-analyzer.py -f <eml file> --digests
Digests
File MD5:
81dc9bdb52d04dc20036dbd8313ed055
File SHA1:
7110eda4d09e062aa5e4a390b0a572ac0d2c0220
File SHA256:
03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
Content MD5:
827ccb0eea8a706c4c34a16891f84e7b
Content SHA1:
8cb2237d0679ca88db6464eac60da96345513964
Content SHA256:
5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5
Investigation
[File MD5]
[Virustotal]
https://www.virustotal.com/gui/search/81dc9bdb52d04dc20036dbd8313ed055
[File SHA1]
[Virustotal]
https://www.virustotal.com/gui/search/7110eda4d09e062aa5e4a390b0a572ac0d2c0220
[File SHA256]
[Virustotal]
https://www.virustotal.com/gui/search/03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
[Content MD5]
[Virustotal]
https://www.virustotal.com/gui/search/827ccb0eea8a706c4c34a16891f84e7b
[Content SHA1]
[Virustotal]
https://www.virustotal.com/gui/search/8cb2237d0679ca88db6464eac60da96345513964
[Content SHA256]
[Virustotal]
https://www.virustotal.com/gui/search/5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5
To get Links from eml file
python3 email-analyzer.py -f <eml file> --links
Links
[1]->https://example.com
[2]->https://testlinks.com/campaing/123124
Investigation
[1]
[VirusTotal]:
https://www.virustotal.com/gui/search/example.com
[UrlScan]:
https://urlscan.io/search/#example.com
[2]
[VirusTotal]:
https://www.virustotal.com/gui/search/testlinks.com/campaing/123124
[UrlScan]:
https://urlscan.io/search/#testlinks.com/campaing/123124
To get Attachments from eml file
python3 email-analyzer.py -f <eml file> --attachments
Attachments
[1]example.pdf
[2]malicious.pdf
Investigation
[1]
[Virustotal]
[md5]->https://www.virustotal.com/gui/search/81dc9bdb52d04dc20036dbd8313ed055
[sha1]->https://www.virustotal.com/gui/search/7110eda4d09e062aa5e4a390b0a572ac0d2c0220
[sha256]->https://www.virustotal.com/gui/search/03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
[2]
[Virustotal]
[md5]->https://www.virustotal.com/gui/search/827ccb0eea8a706c4c34a16891f84e7b
[sha1]->https://www.virustotal.com/gui/search/8cb2237d0679ca88db6464eac60da96345513964
[sha256]->https://www.virustotal.com/gui/search/5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5
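The four checks shown above (headers, digests, links, attachments) re-implemented with the Python standard library, as an added example that is not the EmailAnalyzer project's own code. It runs over a constructed message built in build_sample_eml() (every address, IP and link is a placeholder from the documentation ranges), assumes that the tool's "Content" digest hashes the decoded text body rather than the whole file, and only builds the VirusTotal, AbuseIPDB and urlscan search URLs instead of querying those services.

```python
import email
import hashlib
import json
import re
from email import policy
from email.message import EmailMessage

# Headers an analyst checks first; extend as needed.
HEADERS_OF_INTEREST = ("Received", "From", "Reply-To", "Return-Path",
                       "Date", "Subject", "Content-Type", "X-Sender-IP")
URL_RE = re.compile(r"https?://[^\s<>\"'()]+")


def build_sample_eml() -> bytes:
    """Constructed test message; every address, IP and link is a placeholder."""
    msg = EmailMessage()
    msg["Received"] = ("from mail.example.invalid (203.0.113.10) "
                       "by mx.example.invalid; Fri, 25 Nov 2022 12:36:39 +0000")
    msg["From"] = "sender@example.invalid"
    msg["Reply-To"] = "reply@example.invalid"
    msg["Subject"] = "How to use EmailAnalyzer"
    msg["X-Sender-IP"] = "203.0.113.10"  # TEST-NET-3 documentation range
    msg.set_content("Please review:\nhttps://example.com\n"
                    "https://testlinks.invalid/campaign/123124\n")
    msg.add_attachment(b"%PDF-1.4 constructed attachment", maintype="application",
                       subtype="pdf", filename="example.pdf")
    return msg.as_bytes()


def digests(data: bytes) -> dict:
    """MD5/SHA-1/SHA-256 of a byte string, hex-encoded (the --digests output)."""
    return {alg: hashlib.new(alg, data).hexdigest() for alg in ("md5", "sha1", "sha256")}


def parse_eml(raw: bytes) -> EmailMessage:
    # policy.default gives the modern EmailMessage API (get_body, iter_attachments).
    return email.message_from_bytes(raw, policy=policy.default)


def headers(msg: EmailMessage) -> dict:
    """Every occurrence of each header of interest, in order (Received may repeat)."""
    return {name: [str(v) for v in msg.get_all(name)]
            for name in HEADERS_OF_INTEREST if msg.get_all(name)}


def links(msg: EmailMessage) -> list:
    """Unique URLs from every text part that is not an attachment."""
    found = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        for url in URL_RE.findall(part.get_content()):
            url = url.rstrip(".,;")  # trailing punctuation is rarely part of the URL
            if url not in found:
                found.append(url)
    return found


def attachments(msg: EmailMessage) -> list:
    """Filename plus hashes of the decoded bytes (not the base64 transport form)."""
    return [{"filename": part.get_filename(),
             "digests": digests(part.get_payload(decode=True))}
            for part in msg.iter_attachments()]


def lookups(ip: str, urls: list) -> dict:
    """Search URLs on the services the tool links to; no request is made."""
    report = {"sender_ip": {"virustotal": f"https://www.virustotal.com/gui/search/{ip}",
                            "abuseipdb": f"https://www.abuseipdb.com/check/{ip}"},
              "links": {}}
    for u in urls:
        target = u.split("://", 1)[-1]  # the tool's output drops the scheme
        report["links"][u] = {"virustotal": f"https://www.virustotal.com/gui/search/{target}",
                              "urlscan": f"https://urlscan.io/search/#{target}"}
    return report


def analyze(raw: bytes) -> dict:
    """Run all four checks over the raw .eml bytes and return one report."""
    msg = parse_eml(raw)
    body = msg.get_body(preferencelist=("plain", "html"))
    # Assumption: "content" means the decoded text body, as opposed to the whole file.
    content = body.get_content().encode("utf-8") if body else b""
    found_links = links(msg)
    return {
        "headers": headers(msg),
        "digests": {"file": digests(raw), "content": digests(content)},
        "links": found_links,
        "attachments": attachments(msg),
        "investigation": lookups(str(msg.get("X-Sender-IP", "")), found_links),
    }


if __name__ == "__main__":
    print(json.dumps(analyze(build_sample_eml()), indent=2))
```

Running the script prints the whole report as JSON; point analyze() at the bytes of a real .eml file to use it on a case. Two details matter for the hashes to be useful: the attachment digest must be taken over the decoded bytes, since hashing the base64 text in the .eml will never match a VirusTotal entry, and the file digest must be taken over the raw bytes as received, before any editor or mail client rewrites line endings.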
Clone the repo from here: GitHub Link