
SANS Internet Storm Center (ISC) InfoSec Forums

Analyzing MSG files

I was asked how to analyze .msg files, i.e. emails saved with Outlook. It's something I have to do regularly, when readers submit emails for analysis.

We talked about .msg files before: they use the Compound File Binary Format (the OLE container format), and can thus be analyzed with tools like oledump.py.

A .msg file contains a large number of streams (easily more than 100), and their names contain hexadecimal digits that indicate their type and purpose.

To help me identify streams (like streams with the content of attachments), I have an oledump plugin: plugin_msg.

In this screenshot, we can see that the content of stream 4 is binary data (BIN) and that it contains the attachment (Attachment data). The dump of the header on the same line tells us this is a PNG file, which is confirmed by the attachment name in stream 7 (UNI = UNICODE): image001.png.

Option -q can be used to limit oledump's output to the plugin, and thus have a more compact overview:

To analyze attachments, we just have to select and dump them:


Didier Stevens
Senior handler
Microsoft MVP
blog.DidierStevens.com DidierStevensLabs.com

DidierStevens

300 Posts
ISC Handler
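The stream names the diary refers to follow a fixed scheme from the MS-OXMSG specification: a property stream is called `__substg1.0_PPPPTTTT`, where `PPPP` is the MAPI property identifier and `TTTT` its type (0x001F is a Unicode string, 0x0102 binary data), and each attachment sits in its own `__attach_version1.0_#NNNNNNNN` storage. The script below is an added example that decodes those names the way plugin_msg does; it is not the diary's code nor oledump's plugin. It runs on a constructed list of stream paths embedded inline, and the `streams_from_file` helper, which reads a real .msg file, assumes the third-party `olefile` package is installed. The full Internet headers, when Outlook stored them, live in property 0x007D (transport message headers).

```python
"""Triage the streams of an Outlook .msg file by their MS-OXMSG property tags.

Added example for this diary, not oledump's plugin_msg. Property streams are
named __substg1.0_PPPPTTTT (PPPP = property id, TTTT = property type);
attachments and recipients live in __attach_version1.0_#N / __recip_version1.0_#N.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Property types (MS-OXPROPS), the low 16 bits of the tag, with oledump-style labels.
PROPERTY_TYPES = {
    0x001E: "STR",  # PtypString8: 8-bit string
    0x001F: "UNI",  # PtypString: UTF-16LE string
    0x0102: "BIN",  # PtypBinary
    0x000D: "OBJ",  # PtypObject: embedded message or OLE object
}

# Property identifiers that matter most during triage.
PROPERTY_NAMES = {
    0x0037: "Subject",
    0x007D: "Transport message headers",  # full SMTP headers, if Outlook kept them
    0x0C1A: "Sender name",
    0x0E04: "Display To",
    0x1000: "Body (plain text)",
    0x1013: "Body (HTML)",
    0x3001: "Display name",
    0x3701: "Attachment data",
    0x3704: "Attachment short filename",
    0x3707: "Attachment long filename",
    0x370E: "Attachment MIME tag",
    0x39FE: "SMTP address",
}

STREAM_RE = re.compile(r"^__substg1\.0_([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})$")
CONTAINER_RE = re.compile(r"^__(attach|recip)_version1\.0_#([0-9A-Fa-f]{8})$")


def parse_stream(path: str) -> Optional[Tuple[str, int, int]]:
    """Return (container, property id, property type) for a property stream, else None."""
    parts = path.split("/")
    match = STREAM_RE.match(parts[-1])
    if not match:
        return None  # __properties_version1.0 and other non-property streams
    container = "nameid" if parts[0] == "__nameid_version1.0" else "message"
    for storage in parts[:-1]:
        cont = CONTAINER_RE.match(storage)
        if cont:
            kind = "attachment" if cont.group(1) == "attach" else "recipient"
            container = f"{kind} {int(cont.group(2), 16)}"
    return container, int(match.group(1), 16), int(match.group(2), 16)


def classify_stream(path: str) -> Optional[Tuple[str, str, str]]:
    """Human-readable (container, type label, property label) for a stream path."""
    parsed = parse_stream(path)
    if parsed is None:
        return None
    container, prop_id, prop_type = parsed
    return (container,
            PROPERTY_TYPES.get(prop_type, f"type 0x{prop_type:04X}"),
            PROPERTY_NAMES.get(prop_id, f"property 0x{prop_id:04X}"))


def overview(paths: Iterable[str]) -> List[str]:
    """One compact line per property stream, numbered like oledump's stream index."""
    lines = []
    for index, path in enumerate(paths, start=1):
        info = classify_stream(path)
        if info:
            lines.append(f"{index:3d}: {info[0]:<13} {info[1]:<3} {info[2]}  {path}")
    return lines


def find_stream(paths: Iterable[str], prop_id: int, container: str = "message") -> Optional[str]:
    """Path of the stream holding a property in a container (e.g. 0x007D for headers)."""
    for path in paths:
        parsed = parse_stream(path)
        if parsed and parsed[0] == container and parsed[1] == prop_id:
            return path
    return None


def find_attachments(paths: Iterable[str]) -> Dict[int, Dict[str, Optional[str]]]:
    """Map attachment index -> streams to dump: data (0x3701) and name (0x3707, else 0x3704)."""
    found: Dict[int, Dict[str, Optional[str]]] = {}
    for path in paths:
        parsed = parse_stream(path)
        if not parsed or not parsed[0].startswith("attachment "):
            continue
        entry = found.setdefault(int(parsed[0].split()[1]), {"data": None, "name": None, "short": None})
        key = {0x3701: "data", 0x3707: "name", 0x3704: "short"}.get(parsed[1])
        if key:
            entry[key] = path
    for entry in found.values():
        short = entry.pop("short")
        if entry["name"] is None:
            entry["name"] = short  # older writers only set the 8.3 filename
    return found


def streams_from_file(msg_path: str) -> List[str]:
    """Stream paths of a real .msg file; assumes the olefile package is installed."""
    import olefile  # third-party, imported lazily so the rest runs without it
    ole = olefile.OleFileIO(msg_path)
    try:
        return ["/".join(entry) for entry in ole.listdir(streams=True, storages=False)]
    finally:
        ole.close()


# Constructed stream list imitating a small Outlook message with two attachments.
SAMPLE_STREAMS = [
    "__nameid_version1.0/__substg1.0_00020102",
    "__properties_version1.0",
    "__substg1.0_0037001F",
    "__substg1.0_007D001F",
    "__substg1.0_0C1A001F",
    "__substg1.0_1000001F",
    "__substg1.0_10130102",
    "__recip_version1.0_#00000000/__substg1.0_3001001F",
    "__recip_version1.0_#00000000/__substg1.0_39FE001F",
    "__attach_version1.0_#00000000/__properties_version1.0",
    "__attach_version1.0_#00000000/__substg1.0_37010102",
    "__attach_version1.0_#00000000/__substg1.0_3707001F",
    "__attach_version1.0_#00000000/__substg1.0_370E001F",
    "__attach_version1.0_#00000001/__substg1.0_3701000D",
    "__attach_version1.0_#00000001/__substg1.0_3704001F",
]

if __name__ == "__main__":
    print("\n".join(overview(SAMPLE_STREAMS)))
    print("headers:", find_stream(SAMPLE_STREAMS, 0x007D))
    print("attachments:", find_attachments(SAMPLE_STREAMS))
```

Attachment 1 in the sample has data type 0x000D (OBJ), which means an embedded message rather than a file: the stream is itself a storage holding another set of `__substg1.0_` streams, so it has to be walked recursively instead of dumped as a single blob.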
I prefer using a tool to convert the msg file to eml; that way I can view the content directly in my lab machine.

https://www.matijs.net/software/msgconv/
https://github.com/mvz/email-outlook-message-perl
JasonKillam

6 Posts
And what tool do you use for the resulting eml file? An email client in your lab machine?
DidierStevens

300 Posts
ISC Handler
Yes, usually Thunderbird on my lab computer, or strings since eml files are non-binary files, or Outlook in a VM, which wouldn't necessarily need conversion. Converting to eml also allows me to view the headers more easily.
JasonKillam

6 Posts
Hi Didier,

Thanks for the great post.

One doubt that I have:
Where did you get that the content of the email is in stream 53?
I do not see it in the picture.

Another thing: is it possible to get the whole headers of the .msg, as you would get them
by opening the .msg file in Outlook and going to File/Properties?
I mean, get the full headers?

Thanks in advance!
Anonymous
Here is a new diary entry explaining how to find which stream contains the email body:
isc.sans.edu/forums/diary/Peeking+into+msg+files+revisited/23974/
DidierStevens

300 Posts
ISC Handler