SANS ISC: Analyzing MSG files

I was asked how to analyze .msg files, i.e. emails saved with Outlook. It's something I do regularly, because readers submit emails in that format for analysis.

We talked about .msg files before: they use the Compound File Binary Format (CFB, the OLE2 container format that legacy Office documents also use), and can thus be analyzed with tools like

A .msg file contains a large number of streams (easily more than 100), and their names contain hexadecimal digits that indicate their type and purpose: a stream named __substg1.0_XXXXYYYY holds the MAPI property with ID XXXX stored as data type YYYY (for example 0102 for binary data, 001F for a Unicode string), and the streams that belong to an attachment sit under a storage named __attach_version1.0_#NNNNNNNN.

To help me identify streams (like the streams that hold the content of attachments), I have an oledump plugin: plugin_msg.

In this screenshot, we can see that the content of stream 4 is binary data (BIN) and that it contains the attachment (Attachment data). The hex dump of the stream's first bytes on the same line shows that this is a PNG file, which is confirmed by the attachment name in stream 7 (UNI = Unicode string): image001.png.

Option -q can be used to limit oledump's output to the plugin, and thus have a more compact overview:

To analyze an attachment, we just have to select its stream and dump it:


Didier Stevens
Senior handler
Microsoft MVP


652 Posts
ISC Handler
Jul 23rd 2018
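The stream-naming scheme described above is what plugin_msg decodes. The following Python script is an added example written for this page, not Didier's plugin or any code from oledump: it decodes __substg1.0_XXXXYYYY stream paths into property ID, property type and scope (message, attachment, recipient), pairs each attachment's data stream with its file name, and checks the first bytes of binary streams against a few file signatures. The property-ID and property-type tables are a small subset of MS-OXPROPS/MS-OXCDATA chosen for triage, the signature list is an assumption of what a practitioner typically looks for, SAMPLE_STREAMS is a constructed stream layout that mimics a message with one PNG attachment, and load_msg_streams() assumes the olefile package is installed when a real .msg path is given.

```python
"""Decode the stream names of an Outlook .msg file and triage its attachments.

A .msg file is an OLE2/CFB container (MS-OXMSG). Each variable-length MAPI
property is stored in a stream named __substg1.0_XXXXYYYY: XXXX is the
property ID, YYYY the property type. Attachments live under storages named
__attach_version1.0_#NNNNNNNN, recipients under __recip_version1.0_#NNNNNNNN.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# Property types found as substg streams (assumption: this subset is enough).
PROPERTY_TYPES: Dict[int, str] = {
    0x0102: "BIN",  # PtypBinary
    0x001F: "UNI",  # PtypString, UTF-16LE
    0x001E: "STR",  # PtypString8, 8-bit text in the message code page
}

# Property IDs that matter when triaging a message (subset of MS-OXPROPS).
PROPERTY_IDS: Dict[int, str] = {
    0x0037: "Subject",
    0x007D: "Transport message headers",
    0x0C1A: "Sender name",
    0x0E04: "Display To",
    0x1000: "Body (plain text)",
    0x1013: "Body (HTML)",
    0x3001: "Display name",
    0x3701: "Attachment data",
    0x3703: "Attachment extension",
    0x3704: "Attachment filename (8.3)",
    0x3707: "Attachment long filename",
    0x370E: "Attachment MIME tag",
}

# File signatures checked against the start of binary attachment data.
FILE_MAGIC: List[Tuple[bytes, str]] = [
    (b"\x89PNG\r\n\x1a\n", "PNG image"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "OLE2/CFB container"),
    (b"PK\x03\x04", "ZIP archive"),
    (b"%PDF", "PDF document"),
    (b"MZ", "PE executable"),
]

_SUBSTG = re.compile(r"__substg1\.0_([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})$")
_ATTACH = re.compile(r"__attach_version1\.0_#([0-9A-Fa-f]{8})")
_RECIP = re.compile(r"__recip_version1\.0_#([0-9A-Fa-f]{8})")


def decode_stream_name(path: str) -> Optional[dict]:
    """Explain a substg stream path; return None for any other stream."""
    match = _SUBSTG.search(path)
    if not match:
        return None
    prop_id, prop_type = int(match.group(1), 16), int(match.group(2), 16)
    attach, recip = _ATTACH.search(path), _RECIP.search(path)
    index, scope = None, "message"
    if attach:
        index = int(attach.group(1), 16)
        scope = "attachment #%d" % index
    elif recip:
        scope = "recipient #%d" % int(recip.group(1), 16)
    return {"path": path, "scope": scope, "index": index, "prop_id": prop_id,
            "type": PROPERTY_TYPES.get(prop_type, "0x%04X" % prop_type),
            "name": PROPERTY_IDS.get(prop_id, "0x%04X" % prop_id)}


def identify(data: bytes) -> str:
    """Guess the file type of binary data from its leading bytes."""
    for magic, label in FILE_MAGIC:
        if data.startswith(magic):
            return label
    return "unknown"


def decode_text(kind: str, data: bytes) -> str:
    """Decode a UNI (UTF-16LE) or STR (8-bit) property value to str."""
    if kind == "UNI":
        return data.decode("utf-16-le", errors="replace").rstrip("\x00")
    return data.decode("latin-1").rstrip("\x00")


def triage(streams: Iterable[Tuple[str, bytes]]) -> List[dict]:
    """Decode every substg stream; binary streams get a file-type guess."""
    records = []
    for path, data in streams:
        info = decode_stream_name(path)
        if info is None:  # __properties_version1.0, __nameid_version1.0, ...
            continue
        info["size"] = len(data)
        text = info["type"] in ("UNI", "STR")
        info["value"] = decode_text(info["type"], data) if text else identify(data)
        records.append(info)
    return records


def find_attachments(streams: Iterable[Tuple[str, bytes]]) -> List[dict]:
    """Pair each attachment's data stream with its file name and file type."""
    found: Dict[int, dict] = {}
    for rec in triage(streams):
        if rec["index"] is None:
            continue
        att = found.setdefault(rec["index"], {"index": rec["index"], "filename": None,
                                              "magic": None, "size": 0})
        if rec["prop_id"] == 0x3701:  # a 3701000D *storage* would be an embedded message
            att["magic"], att["size"] = rec["value"], rec["size"]
        elif rec["prop_id"] == 0x3707:  # long file name wins over the 8.3 name
            att["filename"] = rec["value"]
        elif rec["prop_id"] == 0x3704 and att["filename"] is None:
            att["filename"] = rec["value"]
    return [found[i] for i in sorted(found)]


def message_property(streams: Iterable[Tuple[str, bytes]], prop_id: int) -> Optional[str]:
    """Return a message-scope text property, e.g. 0x1000 body or 0x007D headers."""
    for rec in triage(streams):
        if rec["scope"] == "message" and rec["prop_id"] == prop_id:
            return rec["value"]
    return None


def load_msg_streams(path: str) -> List[Tuple[str, bytes]]:
    """Read all streams of a real .msg via olefile (assumption: pip install olefile)."""
    import olefile
    ole = olefile.OleFileIO(path)
    try:
        return [("/".join(entry), ole.openstream(entry).read())
                for entry in ole.listdir(streams=True, storages=False)]
    finally:
        ole.close()


# Constructed sample: stream layout of a message carrying one PNG attachment.
SAMPLE_STREAMS = [
    ("__properties_version1.0", b"\x00" * 32),
    ("__substg1.0_0037001F", "Invoice".encode("utf-16-le")),
    ("__substg1.0_007D001F", "Received: from mail.example (constructed)\r\n".encode("utf-16-le")),
    ("__substg1.0_1000001F", "Please see the attached image.".encode("utf-16-le")),
    ("__recip_version1.0_#00000000/__substg1.0_3001001F", "Alice".encode("utf-16-le")),
    ("__attach_version1.0_#00000000/__substg1.0_37010102", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("__attach_version1.0_#00000000/__substg1.0_3707001F", "image001.png".encode("utf-16-le")),
    ("__attach_version1.0_#00000000/__substg1.0_3704001F", "IMAGE0~1.PNG".encode("utf-16-le")),
]

if __name__ == "__main__":
    import sys
    streams = load_msg_streams(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_STREAMS
    for rec in triage(streams):
        print("%-55s %-14s %s %s" % (rec["path"], rec["scope"], rec["type"], rec["name"]))
    for att in find_attachments(streams):
        print("attachment %d: %s (%d bytes, %s)" % (att["index"], att["filename"], att["size"], att["magic"]))
```

Run without arguments it walks the constructed sample; with a path it reads the real file through olefile and prints the same kind of overview plugin_msg gives, with the attachment data stream flagged as BIN and its name stream as UNI. Dumping the selected stream to disk is then the step the diary shows with oledump's own -s and -d options. The 0x007D property is where a .msg keeps the SMTP transport headers, which is the stream to look at when the full headers are wanted.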
I prefer using a tool to convert the msg file to eml; that way I can view the content directly on my lab machine.

8 Posts
And what tool do you use for the resulting eml file? An email client in your lab machine?

652 Posts
ISC Handler
Yes, usually Thunderbird on my lab computer, or strings, since eml files are non-binary files, or Outlook in a VM, which wouldn't necessarily need conversion. Converting to eml also allows me to view the headers more easily.

8 Posts
Hi Didier,

Thanks for the great post.

One doubt that I have:
Where did you get that the content of the email is in stream 53?
I do not see it in the picture.

Another thing: is it possible to get the whole headers of the .msg, like the ones you get
by opening the .msg file in Outlook and going to File/Properties?
I mean, get the full headers?

Thanks in advance!
Here is a new diary entry explaining how to find which stream contains the email body:

652 Posts
ISC Handler
