59 lines
2.1 KiB
Markdown
59 lines
2.1 KiB
Markdown
|
Thought I’d share a neat little script-combo if you do your
|
|||
|
|
email analysis on Linux systems, or do automation. For the
|
|||
|
|
task you’ll need msgconvert.pl [1] and ripmime [2].
|
|||
|
|
|
|||
|
|
MSG files are used by Microsoft Outlook, and is the natural
|
|||
|
|
fit in regard to malicious messages in organizations running
|
|||
|
|
Microsoft products. For reference you can find the
|
|||
|
|
specification for the Outlook Item File Format here.
|
|||
|
|
|
|||
|
|
In this part you will require a file from Outlook, which you
|
|||
|
|
can acquire by selecting a message and drag it to the
|
|||
|
|
desktop or a new message. If you don’t do Outlook, you can
|
|||
|
|
just google for one [3].
|
|||
|
|
|
|||
|
|
msgconvert.pl <message>.msg
|
|||
|
|
ripmime -i <message>.mime
|
|||
|
|
|
|||
|
|
The above will first convert the MSG file to a mime
|
|||
|
|
file. The latter command will make sure to extract the
|
|||
|
|
objects in it, such as binary files or documents. The text
|
|||
|
|
files contains the content of the email and will be
|
|||
|
|
something like: textfile0
|
|||
|
|
|
|||
|
|
If you need the headers you will find them at the top of the
|
|||
|
|
mime-file.
|
|||
|
|
|
|||
|
|
Now to EML-files, which you will also often find when
|
|||
|
|
exporting email messages. EML is really just short for
|
|||
|
|
“E-mail”. In OS X Mail, Outlook Express, Thunderbird (and
|
|||
|
|
others) you are typically presented with EML/MIME-formatted
|
|||
|
|
documents, and it’s just a document which complies with RFC
|
|||
|
|
822 [4]. EML-files are more easy to work on since you can
|
|||
|
|
open it in a text editor and read the essential information
|
|||
|
|
plain straight away.
|
|||
|
|
|
|||
|
|
So what does that mean in regard to ripmime? It really just
|
|||
|
|
means that instead of calling the output from msgconvert.pl
|
|||
|
|
<message>.mime, you can name the file <message>.eml. In
|
|||
|
|
commands:
|
|||
|
|
|
|||
|
|
ripmime -i <message>.eml
|
|||
|
|
|
|||
|
|
The above will output your mime parts.
|
|||
|
|
|
|||
|
|
## OS X Specifics
|
|||
|
|
|
|||
|
|
You may want to do the above on an OS X system as well. For
|
|||
|
|
this you can install ripmime via Homebrew [5].
|
|||
|
|
|
|||
|
|
If you are exporting an eml from Apple Mail you may do so
|
|||
|
|
the same way as in Outlook: Just drag it where you want it.
|
|||
|
|
|
|||
|
|
|
|||
|
|
[1] https://www.matijs.net/software/msgconv/
|
|||
|
|
[2] https://www.pldaniels.com/ripmime/
|
|||
|
|
[3] https://www.google.com/search?q=filetype:msg&oq=filetype:msg#q=filetype:msg+outlook
|
|||
|
|
[4] https://tools.ietf.org/html/rfc822
|
|||
|
|
[5] https://brew.sh/index_nb
|