Digital Forensics Tool: Email Analyzer

by | Dec 16, 2022 | Tools


EmailAnalyzer

Email Analyzer by keraattin is a tool for analyzing suspicious emails. It extracts headers, links, hashes and attachments from an .eml file, and more. Tracing an email back to its origin, whether before or after an attack, is a crucial part of a digital forensics investigation: studying the headers, IPs and X-Originating fields, extracting links and attachments to check where they lead and how they are hosted, and pivoting to services such as VirusTotal. This tool lets you do that directly from a Linux terminal with ease.


Usage

usage: email-analyzer.py [-h] -f FILENAME [-H] [-d] [-l] [-a]

options:
  -h, --help                       show this help message and exit
  -f FILENAME, --filename FILENAME
                                   Name of file
  -H, --headers                    Headers of the eml file
  -d, --digests                    Digests of the eml file
  -l, --links                      Links from the eml file
  -a, --attachments                Attachments from the eml file


To get Headers

python3 email-analyzer.py -f <eml file> --headers


Headers

Received:
from TEST.TEST.PROD.OUTLOOK.COM (2603:10a6:20b:4f2::13)
 by TEST.TEST.PROD.OUTLOOK.COM with HTTPS; Fri, 25 Nov 2022
 12:36:39 +0000
Content-Type:
multipart/alternative; boundary=335b23d5689bd75ab002f9c46a6e8023c265d60dd923308dcc7eb7a2cf25
Date:
Fri, 25 Nov 2022 12:36:36 +0000 (UTC)
Subject:
How to use EmailAnalyzer
Reply-To:
[email protected]
X-Sender-IP:
127.0.0.1


Investigation

[X-Sender-IP]
[Virustotal]
https://www.virustotal.com/gui/search/127.0.0.1
[Abuseipdb]
https://www.abuseipdb.com/check/127.0.0.1


To get Hash of eml file & content

python3 email-analyzer.py -f <eml file> --digests


Digests

File MD5:
81dc9bdb52d04dc20036dbd8313ed055
File SHA1:
7110eda4d09e062aa5e4a390b0a572ac0d2c0220
File SHA256:
03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
Content MD5:
827ccb0eea8a706c4c34a16891f84e7b
Content SHA1:
8cb2237d0679ca88db6464eac60da96345513964
Content SHA256:
5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5


Investigation

[File MD5]
[Virustotal]
https://www.virustotal.com/gui/search/81dc9bdb52d04dc20036dbd8313ed055
[File SHA1]
[Virustotal]
https://www.virustotal.com/gui/search/7110eda4d09e062aa5e4a390b0a572ac0d2c0220
[File SHA256]
[Virustotal]
https://www.virustotal.com/gui/search/03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
[Content MD5]
[Virustotal]
https://www.virustotal.com/gui/search/827ccb0eea8a706c4c34a16891f84e7b
[Content SHA1]
[Virustotal]
https://www.virustotal.com/gui/search/8cb2237d0679ca88db6464eac60da96345513964
[Content SHA256]
[Virustotal]
https://www.virustotal.com/gui/search/5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5

To get Links from eml file

python3 email-analyzer.py -f <eml file> --links


Links

[1]->https://example.com
[2]->https://testlinks.com/campaing/123124

Investigation

[1]
[VirusTotal]:
https://www.virustotal.com/gui/search/example.com
[UrlScan]:
https://urlscan.io/search/#example.com
[2]
[VirusTotal]:
https://www.virustotal.com/gui/search/testlinks.com/campaing/123124
[UrlScan]:
https://urlscan.io/search/#testlinks.com/campaing/123124

To get Attachments from eml file

python3 email-analyzer.py -f <eml file> --attachments


Attachments

[1]example.pdf
[2]malicious.pdf

Investigation

[1]
[Virustotal]
[md5]->https://www.virustotal.com/gui/search/81dc9bdb52d04dc20036dbd8313ed055
[sha1]->https://www.virustotal.com/gui/search/7110eda4d09e062aa5e4a390b0a572ac0d2c0220
[sha256]->https://www.virustotal.com/gui/search/03ac674216f3e15c761ee1a5e255f067953623c8b388b4459e13f978d7c846f4
[2]
[Virustotal]
[md5]->https://www.virustotal.com/gui/search/827ccb0eea8a706c4c34a16891f84e7b
[sha1]->https://www.virustotal.com/gui/search/8cb2237d0679ca88db6464eac60da96345513964
[sha256]->https://www.virustotal.com/gui/search/5994471abb01112afcc18159f6cc74b4f511b99806da59b3caf5a9c173cacfc5
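The four modes shown above (headers, digests, links, attachments) all come down to parsing the .eml as MIME and walking its parts. The following is an added example, not the tool's own code, that reproduces that work with Python's standard email module on a constructed sample message; the header list, the sample .eml and the URL regex are assumptions made for the illustration.

```python
import hashlib
import re
from email import message_from_bytes, policy

# Constructed sample .eml standing in for the file passed with -f; not a real message.
SAMPLE_EML = b"""Received: from mail.example.test (198.51.100.7)
 by mx.example.test with ESMTP; Fri, 25 Nov 2022 12:36:39 +0000
Reply-To: reply@example.test
Subject: How to use EmailAnalyzer
X-Sender-IP: 198.51.100.7
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

See https://example.com and https://testlinks.test/campaign/1
--b1
Content-Type: application/pdf; name="example.pdf"
Content-Disposition: attachment; filename="example.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Headers the write-up walks through; this list is an assumption, not the tool's own.
HEADERS_OF_INTEREST = ("Received", "Content-Type", "Date", "Subject", "Reply-To", "X-Sender-IP")
URL_RE = re.compile(rb"https?://[^\s<>\"']+")

def digests(data: bytes) -> dict:
    """MD5/SHA1/SHA256 of a byte string, the values the Digests output pivots on."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}

def analyze(raw: bytes) -> dict:
    """Headers, whole-file digests, links and attachment digests from .eml bytes."""
    msg = message_from_bytes(raw, policy=policy.default)   # policy.default unfolds headers
    headers = {h: [str(v) for v in msg.get_all(h, [])] for h in HEADERS_OF_INTEREST if msg.get_all(h)}
    links, attachments = [], []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue                                        # containers carry no payload
        payload = part.get_payload(decode=True) or b""      # transfer-decoded bytes
        if part.get_filename():                             # attachment: hash it, never open it
            attachments.append({"name": part.get_filename(), **digests(payload)})
        else:                                               # body text: pull out URLs
            links.extend(u.decode(errors="replace") for u in URL_RE.findall(payload))
    return {"headers": headers, "file": digests(raw),
            "links": sorted(set(links)), "attachments": attachments}
```

The returned hashes, IPs and URLs are exactly the values to paste into the VirusTotal, AbuseIPDB and urlscan searches listed in the Investigation blocks above.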

Clone the repo from here: GitHub Link
