Email Header Analysis and Forensic Investigation

  Рет қаралды 152,867

13Cubed

13Cubed

Күн бұрын

Пікірлер: 65
@omniomi
@omniomi 4 жыл бұрын
Great video! The description of the SPF qualifiers on the "all" mechanism isn't quite right though. Your description is a common misconception I encounter on security and admin forums frequently. The difference in handling of ~all and -all failures is entirely a matter of local policy on the side of the receiver. Senders should strive to get their records to -all but the difference in how imposter mail will be treated isn't as stark as one may think. The softfail description is somewhat correct in that the RFC specifies the receiver "SHOULD NOT" reject (note it doesn't say "MUST NOT".) However, accepted is not the same as delivered and the message may still be quarantined or otherwise prevented from ultimately ending up in the recipient's mailbox. The RFC on fail (-all) is almost the same but says >>>if>chooses
@13Cubed
@13Cubed 4 жыл бұрын
I appreciate the detailed insight, and will pin this comment.
@omniomi
@omniomi 4 жыл бұрын
@@13Cubed just to reiterate: Your video is great. The content is accurate, useful, and easy to follow. Email security is just my entire job and before that I was basically a postmaster so I can depressingly quote all of the relevant RFCs from memory haha :D I think the misconception about how -all and ~all are handled is because in an ideal world the way you described it would be true. In practice though so many legitimate messages fail SPF for a myriad of reasons so filter vendors err on the side of accept but be suspicious unless there's a DMARC record with p=reject. Even then some still accept but quarantine (looking at you Office 365.)
@13Cubed
@13Cubed 4 жыл бұрын
@@omniomi Makes sense - thanks!
@jeffp1519
@jeffp1519 4 жыл бұрын
I've been doing some form of email forensics for years, and this is one of the best explanations that I've seen. Great job. I'd welcome much more of this, as well as Mac, Linux and database forensics. Cheers.
@krisshaa8079
@krisshaa8079 4 жыл бұрын
This is a life saver. i learned more in 20 minutes then 3 hours reading documentation
@peterream6508
@peterream6508 4 жыл бұрын
This a fantastic analysis and should be required watching for anyone that analyzes email for a living. Would recommend!
@jackbaylor6737
@jackbaylor6737 4 жыл бұрын
Superbly broken down and well narrated. Very engaging. Looking forward to more!
@TheAnurag69
@TheAnurag69 4 жыл бұрын
Best teacher I have ever come across.
@zdog34whatnow
@zdog34whatnow 5 жыл бұрын
Best forensics resource I’ve found! You are the man
@samjohn1098
@samjohn1098 5 жыл бұрын
Expecting some Mac Forensics from 13Cubed atleast a start
@abrahamissacjacob4018
@abrahamissacjacob4018 4 жыл бұрын
SPF and DKIM sounded so simple. Great video Richard, as always!!
@gauravkaintura
@gauravkaintura 4 жыл бұрын
Just came across your channel, great technical article explanation ..... appreciate your work
@hasky9813
@hasky9813 4 жыл бұрын
This a a great explanation, really helps with GCFE prep!
@sierratango69
@sierratango69 4 жыл бұрын
I'm taking SANS FOR500 soon - great to know this is relevant to the exam :)
@SecureTheWorld
@SecureTheWorld 4 жыл бұрын
this is the best video I have seen on Mail Headers, awesome!
@mindtropy
@mindtropy 5 жыл бұрын
thanks! can you share a "hard example" of it that we can practice on
@13Cubed
@13Cubed 5 жыл бұрын
Just send an email from one account to another and look at some of the header fields we've covered here. That's by far the easiest way to become familiar with how to read and interpret the data.
@mindtropy
@mindtropy 5 жыл бұрын
@@13Cubed thanks for the quick response, i'll try it
@vinaykumar-pn5le
@vinaykumar-pn5le 4 жыл бұрын
Nice Experience .Thanks For your kind information.
@tehpizzarollz
@tehpizzarollz Жыл бұрын
Awesome video. Also, you sound like the narrator on The Sandlot which is pretty cool.
@pedromatos8406
@pedromatos8406 4 жыл бұрын
Thank you for this very clear explanation, indeed one of the best explanations out there. Please continue doing videos like this.
@saipraveen1382
@saipraveen1382 4 жыл бұрын
Soo useful video for Email forensic and for common people to safeguard themself from phishing emails. Love the way presented and Thanks a lot :)
@gerardocaudillo1902
@gerardocaudillo1902 5 жыл бұрын
Great as always!
@annafan83
@annafan83 5 жыл бұрын
Good episode and nice office wall ^^
@mysketchbook9630
@mysketchbook9630 4 жыл бұрын
Simply great & thanks for sharing.
@jag831
@jag831 4 жыл бұрын
Priceless... thank you!
5 жыл бұрын
Again, great video Can you explain how reconnaissance email (not email reconnaissance) the one some APTs use to put an url to verify if the email exists or not without clicking the link? thank you
@13Cubed
@13Cubed 5 жыл бұрын
Hidden tracking pixels and things of that nature are pretty common and can show whether or not someone opened a message without clicking a link. Is that what you’re referring to?
5 жыл бұрын
@@13Cubed Yes Thank you
@SuperChelseaSW6
@SuperChelseaSW6 4 жыл бұрын
Let's hit 20k . Ur vlogs are awesome
@ahmedelhabashi9341
@ahmedelhabashi9341 5 жыл бұрын
Great new video and your explain is awesome... keep going , Thanks
@sulthansk6444
@sulthansk6444 5 жыл бұрын
Thanks for the video...
@abhijitshetty7338
@abhijitshetty7338 4 жыл бұрын
very informative indeed. Loved it.
@lautarob
@lautarob 4 жыл бұрын
Excellent! (as usual). Thank you very much
@ciaobello1261
@ciaobello1261 5 жыл бұрын
great video.. very good explain👍👍
@dhustla15
@dhustla15 4 жыл бұрын
I am sure this is a simple step I am missing but how do you migrate the email to sublime text for analysis?
@13Cubed
@13Cubed 4 жыл бұрын
Using your mail client, view the mail headers. Then, just copy/paste those headers into Sublime Text, and choose the "Email Header" plugin in the bottom right.
@beastface5123
@beastface5123 5 жыл бұрын
Where do I get that 13 cubed polo? :)
@13Cubed
@13Cubed 5 жыл бұрын
I'm going to be ordering some for giveaway in the next couple of months.
@brink668
@brink668 5 жыл бұрын
Nice shirt and yes nice wall.
@Cubear99
@Cubear99 4 жыл бұрын
Does all e-mails should have DKIM?
@13Cubed
@13Cubed 4 жыл бұрын
No, not everyone has configured DKIM, though messages sent from any major email service or company should include DKIM signatures.
@Deezeone
@Deezeone 5 жыл бұрын
how to get the ip from a google email??
@ericksonpogs
@ericksonpogs 4 жыл бұрын
Watching this video led me to subscribe to your channel. Thanks for sharing this and keep up the good work.
@nitricdx
@nitricdx 4 жыл бұрын
What does a localhost ip mean for the first Received field?
@13Cubed
@13Cubed 4 жыл бұрын
This might help explain: serverfault.com/questions/522066/what-does-this-received-email-header-line-mean
@samjohn1098
@samjohn1098 5 жыл бұрын
Good one
@SuperChelseaSW6
@SuperChelseaSW6 4 жыл бұрын
Hello sir. make demo how fmem works for capturing linux memory . Thanks
@sijsu
@sijsu 5 жыл бұрын
Great, thanks!
@justingtq13
@justingtq13 4 жыл бұрын
Hey, Thanks for the great video. Lot of cool and needed information. I had a quick question though. How does the MX record and SPF authorised sender differ? I mean can they both be the same too?
@hangmalim6549
@hangmalim6549 4 жыл бұрын
i installed packet control but it dont show up in sublime, why? i am stock in the beginning phase. help me out
@13Cubed
@13Cubed 4 жыл бұрын
Go to Tools > Command Palette, then look for Package Control, Install Package. Search for "email header" and you should find it.
@ab866
@ab866 4 жыл бұрын
Can you please suggest some good book to understand Email Security in detail.
@13Cubed
@13Cubed 4 жыл бұрын
Not sure of any books, but plenty of online resources.
@Drusher10
@Drusher10 3 жыл бұрын
Sir, amazing video :D
@rafaeltrindade1867
@rafaeltrindade1867 4 жыл бұрын
Hey, i tried it with a .msg extension i get the encryption message, am i doing something wrong or missing something. Tks in advance great video!
@13Cubed
@13Cubed 4 жыл бұрын
MSG files are usually associated with Microsoft Outlook, and aren’t going to be readable in plain text. You’ll need to view the headers within that application and copy and paste them into a separate file for analysis (or otherwise convert the MSG to EML via a third-party application).
@rafaeltrindade1867
@rafaeltrindade1867 4 жыл бұрын
@@13Cubed Yeah copy pasting works out, thanks!! :)
@D_Tech_And_Trek
@D_Tech_And_Trek 4 жыл бұрын
how do criminals spoof email header? Thanks.
@DonVTOL
@DonVTOL 4 жыл бұрын
I tried this on an email and I don't get anywhere near as much information as you have. Any help would be greatly appreciated. Thanks
@13Cubed
@13Cubed 4 жыл бұрын
What do you see? How are you viewing the headers (e.g. what mail client are you using)?
@courtneylyle1454
@courtneylyle1454 4 жыл бұрын
@@13Cubed This information was helpful in understanding but I am still unable to decipher the original sender location of an email from a gmail account. I have emails both sent and received, and determining if the sender is in my state or not would really help me in knowing who is behind the account. Can you help?
@afriq911
@afriq911 4 жыл бұрын
Thanks
Introduction to Memory Forensics
23:24
13Cubed
Рет қаралды 78 М.
Try this prank with your friends 😂 @karina-kola
00:18
Andrey Grechka
Рет қаралды 9 МЛН
VIP ACCESS
00:47
Natan por Aí
Рет қаралды 30 МЛН
The evil clown plays a prank on the angel
00:39
超人夫妇
Рет қаралды 53 МЛН
Beat Ronaldo, Win $1,000,000
22:45
MrBeast
Рет қаралды 158 МЛН
Cybersecurity SOC Analyst Lab - Email Analysis (Phishing)
25:33
Email Headers Explained and How They Might Help You
25:32
Ask Leo!
Рет қаралды 26 М.
Introduction to Windows Forensics
1:04:33
13Cubed
Рет қаралды 179 М.
Forensic Investigation of Emails Altered on the Server | SANS DFIR Summit 2019
34:16
SANS Digital Forensics and Incident Response
Рет қаралды 9 М.
OAuth 2.0 and OpenID Connect (in plain English)
1:02:17
OktaDev
Рет қаралды 1,8 МЛН
How DKIM SPF & DMARC Work to Prevent Email Spoofing
17:15
MDaemon Technologies
Рет қаралды 117 М.
How DKIM SPF & DMARC Work to Prevent Email Spoofing
17:15
Thobson Technologies
Рет қаралды 122 М.
Try this prank with your friends 😂 @karina-kola
00:18
Andrey Grechka
Рет қаралды 9 МЛН