Digital Forensics Tool: Email Analyzer

Reading Time: 2 Minutes

EmailAnalyzer

Email Analyzer by keraattin is a tool that allows you to analyze suspicious emails. You can extract headers, links, and hashes from the .eml file and more. Tracing back an email, or investigating after or before an attack is crucial. Studying Headers, IPs, X-Originating, and even investigating through websites like VirusTotal, extracting links and attachments to check where they lead and how they are hosted is crucial when performing such tasks and this tool can help you achieve it directly from your terminal in Linux with ease when performing Digital Forensics investigation.

Usage

usage: email-analyzer.py [-h] -f FILENAME [-H] [-d] [-l] [-a]

options:
-h,    –help                   show this help message and exit
-f FILENAME, –filename FILENAME
Name of file
-H,   –headers            Headers of the eml file
-d,   –digests              Digests of the eml file
-l,    –links                   Links from the eml file
-a,   –attachments    Attachments from the eml file

To get Headers

python3 email-analyzer.py -f <eml file> --headers

Headers

Received:
from TEST.TEST.PROD.OUTLOOK.COM (2603:10a6:20b:4f2::13)
 by TEST.TEST.PROD.OUTLOOK.COM with HTTPS; Fri, 25 Nov 2022
 12:36:39 +0000

Content-Type:
multipart/alternative; boundary=335b23d5689bd75ab002f9c46a6e8023c265d60dd923308dcc7eb7a2cf25

Date:
Fri, 25 Nov 2022 12:36:36 +0000 (UTC)

Subject:
How to use EmailAnalyzer

Reply-To:
[email protected]

X-Sender-IP:
127.0.0.1

Investigation

[X-Sender-IP]
[Virustotal]
https://www.virustotal.com/gui/search/127.0.0.1
[Abuseipdb]
https://www.abuseipdb.com/check/127.0.0.1

To get Hash of eml file & content

python3 email-analyzer.py -f <eml file> --digests

Digests

File MD5:
81dc9bdb52d04dc20036dbd8313ed055

File SHA1:
7110eda4d09e062aa5e4a390b0a572ac0d2c0220

File SHA256:
03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4

Content MD5:
827ccb0eea8a706c4c34a16891f84e7b

Content SHA1:
8cb2237d0679ca88db6464eac60da96345513964

Content SHA256:
5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5

Investigation

[File MD5]
[Virustotal]
https://www.virustotal.com/gui/search/81dc9bdb52d04dc20036dbd8313ed055

[File SHA1]
[Virustotal]
https://www.virustotal.com/gui/search/7110eda4d09e062aa5e4a390b0a572ac0d2c0220

[File SHA256]
[Virustotal]
https://www.virustotal.com/gui/search/03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4

[Content MD5]
[Virustotal]
https://www.virustotal.com/gui/search/827ccb0eea8a706c4c34a16891f84e7b

[Content SHA1]
[Virustotal]
https://www.virustotal.com/gui/search/8cb2237d0679ca88db6464eac60da96345513964

[Content SHA256]
[Virustotal]
https://www.virustotal.com/gui/search/5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5

To get Links from eml file

python3 email-analyzer.py -f <eml file> --links

Links 

[1]->https://example.com
[2]->https://testlinks.com/campaing/123124

Investigation

[1]
[VirusTotal]:
https://www.virustotal.com/gui/search/example.com
[UrlScan]:
https://urlscan.io/search/#example.com

[2]
[VirusTotal]:
https://www.virustotal.com/gui/search/testlinks.com/campaing/123124
[UrlScan]:
https://urlscan.io/search/#testlinks.com/campaing/123124

To get Attachments from eml file

python3 email-analyzer.py -f <eml file> --attachments

Attachments

[1]example.pdf
[2]malicious.pdf

Investigation

[1]
[Virustotal]
[md5]->https://www.virustotal.com/gui/search/81dc9bdb52d04dc20036dbd8313ed055
[sha1]->https://www.virustotal.com/gui/search/7110eda4d09e062aa5e4a390b0a572ac0d2c0220
[sha256]->https://www.virustotal.com/gui/search/03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4

[2]
[Virustotal]
[md5]->https://www.virustotal.com/gui/search/827ccb0eea8a706c4c34a16891f84e7b
[sha1]->https://www.virustotal.com/gui/search/8cb2237d0679ca88db6464eac60da96345513964
[sha256]->https://www.virustotal.com/gui/search/5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5

Clone the repo from here: GitHub Link