Thought I’d share a neat little script combo if you do your email analysis on Linux systems, or automate it. For the task you’ll need msgconvert.pl [1] and ripmime [2].
MSG files are used by Microsoft Outlook and are the natural fit for malicious messages in organizations running Microsoft products. For reference, you can find the specification for the Outlook Item File Format here.
For this part you will need a file from Outlook, which you can acquire by selecting a message and dragging it to the desktop or into a new message. If you don’t use Outlook, you can just google for one [3].
msgconvert.pl <message>.msg
ripmime -i <message>.mime
The first command converts the MSG file to a MIME file. The second extracts the objects in it, such as binary files or documents. The text files contain the body of the email and will be named something like: textfile0
If you need the headers you will find them at the top of the mime-file.
Now to EML files, which you will also often find when exporting email messages. EML is really just short for “E-mail”. In OS X Mail, Outlook Express, Thunderbird (and others) you are typically presented with EML/MIME-formatted documents, and it’s just a document which complies with RFC 822 [4]. EML files are easier to work on, since you can open one in a text editor and read the essential information straight away.
So what does that mean for ripmime? It really just means that instead of feeding it the .mime output from msgconvert.pl, you can point it at the .eml file directly. In commands:
ripmime -i <message>.eml
The above will output your mime parts.
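To show what ripmime is doing with the MIME file from msgconvert.pl or with an EML file, here is an added example (not part of the original post, and not code from the ripmime or msgconvert projects) that does the same split with nothing but the Python standard library: headers from the top of the message, text bodies written as textfile0, textfile1, ... and attachments decoded and hashed. The sample message is constructed inline so the script runs offline; its attachment name carries "../" on purpose, to show why an extractor must strip path components before writing sender-controlled filenames to disk.

```python
import email
import hashlib
from email import policy
from pathlib import Path

# Constructed sample (not a real message): one text body plus one
# base64-encoded attachment that decodes to b"hello\n". The attachment
# filename deliberately contains "../" to exercise the sanitisation below.
SAMPLE_EML = b"""From: sender@example.com
To: analyst@example.org
Subject: Invoice
Date: Mon, 01 Jan 2018 10:00:00 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain; charset="us-ascii"

Please see the attached invoice.
--sample-boundary
Content-Type: application/octet-stream; name="invoice.doc"
Content-Disposition: attachment; filename="../../invoice.doc"
Content-Transfer-Encoding: base64

aGVsbG8K
--sample-boundary--
"""


def extract_parts(raw, outdir=None):
    """Split an RFC 822 / MIME message into headers, text bodies and attachments.

    Mirrors what `ripmime -i` does: text bodies become textfile0, textfile1, ...
    and attachments keep their (sanitised) filename. If outdir is given the
    parts are also written there; otherwise they are only returned.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    result = {
        "headers": {k: str(v) for k, v in msg.items()},  # the "top of the mime-file"
        "texts": [],
        "attachments": [],
    }
    if outdir is not None:
        outdir = Path(outdir)
        outdir.mkdir(parents=True, exist_ok=True)

    for part in msg.walk():
        if part.is_multipart():
            continue  # multipart containers carry no payload of their own
        data = part.get_payload(decode=True) or b""  # undoes base64 / quoted-printable
        filename = part.get_filename()
        if filename is None and part.get_content_maintype() == "text":
            name = f"textfile{len(result['texts'])}"
            charset = part.get_content_charset() or "utf-8"
            result["texts"].append(data.decode(charset, errors="replace"))
        else:
            # Never trust a sender-supplied filename as a path: keep only the
            # final component so "../../x" cannot escape outdir.
            name = Path(filename or f"part{len(result['attachments'])}").name
            result["attachments"].append({
                "filename": name,
                "content_type": part.get_content_type(),
                "size": len(data),
                "sha256": hashlib.sha256(data).hexdigest(),
                "data": data,
            })
        if outdir is not None:
            (outdir / name).write_bytes(data)
    return result


if __name__ == "__main__":
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        parts = extract_parts(SAMPLE_EML, tmp)
        print("Subject:", parts["headers"]["Subject"])
        for att in parts["attachments"]:
            print(f"{att['filename']}  {att['content_type']}  {att['size']} B  "
                  f"sha256={att['sha256']}")
        print("Written:", sorted(p.name for p in Path(tmp).iterdir()))
```

Run it on a real export with `extract_parts(Path("message.eml").read_bytes(), "out")`; the SHA-256 of each attachment is what you would look up or submit for further analysis, and the sanitised names mean nothing lands outside the output directory.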
OS X Specifics
You may want to do the above on an OS X system as well. For this you can install ripmime via Homebrew [5].
If you are exporting an EML from Apple Mail, you can do it the same way as in Outlook: just drag it where you want it.
[1] https://www.matijs.net/software/msgconv/
[2] https://www.pldaniels.com/ripmime/
[3] https://www.google.com/search?q=filetype:msg&oq=filetype:msg#q=filetype:msg+outlook
[4] https://tools.ietf.org/html/rfc822
[5] https://brew.sh/index_nb