Email Header Analysis and Forensic Investigation
Рет қаралды 141,935
Күн бұрынDo you know how to properly read and analyze an email message header? In this episode, we’ll take a look at two examples - one legitimate, and one not-so-legitimate. We’ll learn which header fields are most commonly referenced for analysis, how to determine a message’s true origin, how to read SPF and DKIM information, and we’ll even take a quick look at DMARC. Whether you’re completely new to this concept or a seasoned veteran, this episode has something for you.
🙏Special thanks to Arman Gungor (@armangungor) for lending his expertise in making this episode.
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
Leveraging DKIM in Email Forensics:
www.metaspike.com/leveraging-...
What is DMARC?:
dmarc.org/
Email Header Plugin for Sublime Text 3:
packagecontrol.io/packages/Em...
Background Music Courtesy of Anders Enger Jensen:
/ hariboosx
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #EmailForensics
@omniomi 3 жыл бұрын
Great video! The description of the SPF qualifiers on the "all" mechanism isn't quite right though. Your description is a common misconception I encounter on security and admin forums frequently. The difference in handling of ~all and -all failures is entirely a matter of local policy on the side of the receiver. Senders should strive to get their records to -all but the difference in how imposter mail will be treated isn't as stark as one may think. The softfail description is somewhat correct in that the RFC specifies the receiver "SHOULD NOT" reject (note it doesn't say "MUST NOT".) However, accepted is not the same as delivered and the message may still be quarantined or otherwise prevented from ultimately ending up in the recipient's mailbox. The RFC on fail (-all) is almost the same but says >>>if>chooses
@13Cubed 3 жыл бұрын
I appreciate the detailed insight, and will pin this comment.
@omniomi 3 жыл бұрын
@@13Cubed just to reiterate: Your video is great. The content is accurate, useful, and easy to follow. Email security is just my entire job and before that I was basically a postmaster so I can depressingly quote all of the relevant RFCs from memory haha :D I think the misconception about how -all and ~all are handled is because in an ideal world the way you described it would be true. In practice though so many legitimate messages fail SPF for a myriad of reasons so filter vendors err on the side of accept but be suspicious unless there's a DMARC record with p=reject. Even then some still accept but quarantine (looking at you Office 365.)
@13Cubed 3 жыл бұрын
@@omniomi Makes sense - thanks!
@jeffp1519 4 жыл бұрын
I've been doing some form of email forensics for years, and this is one of the best explanations that I've seen. Great job. I'd welcome much more of this, as well as Mac, Linux and database forensics. Cheers.
@jackbaylor6737 4 жыл бұрын
Superbly broken down and well narrated. Very engaging. Looking forward to more!
@peterream6508 3 жыл бұрын
This a fantastic analysis and should be required watching for anyone that analyzes email for a living. Would recommend!
@krisshaa8079 3 жыл бұрын
This is a life saver. i learned more in 20 minutes then 3 hours reading documentation
@zdog34whatnow 4 жыл бұрын
Best forensics resource I’ve found! You are the man
@abrahamissacjacob4018 4 жыл бұрын
SPF and DKIM sounded so simple. Great video Richard, as always!!
@SecureTheWorld 4 жыл бұрын
this is the best video I have seen on Mail Headers, awesome!
@pedromatos8406 3 жыл бұрын
Thank you for this very clear explanation, indeed one of the best explanations out there. Please continue doing videos like this.
@TheAnurag69 3 жыл бұрын
Best teacher I have ever come across.
@gauravkaintura 4 жыл бұрын
Just came across your channel, great technical article explanation ..... appreciate your work
@gerardocaudillo1902 4 жыл бұрын
Great as always!
@mysketchbook9630 4 жыл бұрын
Simply great & thanks for sharing.
@lautarob 4 жыл бұрын
Excellent! (as usual). Thank you very much
@vinaykumar-pn5le 3 жыл бұрын
Nice Experience .Thanks For your kind information.
@samjohn1098 4 жыл бұрын
Expecting some Mac Forensics from 13Cubed atleast a start
@jag831 3 жыл бұрын
Priceless... thank you!
@SuperChelseaSW6 4 жыл бұрын
Let's hit 20k . Ur vlogs are awesome
@abhijitshetty7338 3 жыл бұрын
very informative indeed. Loved it.
@saipraveen1382 3 жыл бұрын
Soo useful video for Email forensic and for common people to safeguard themself from phishing emails. Love the way presented and Thanks a lot :)
@ahmedelhabashi9341 4 жыл бұрын
Great new video and your explain is awesome... keep going , Thanks
@tehpizzarollz Жыл бұрын
Awesome video. Also, you sound like the narrator on The Sandlot which is pretty cool.
@annafan83 4 жыл бұрын
Good episode and nice office wall ^^
@justingtq13 4 жыл бұрын
Hey, Thanks for the great video. Lot of cool and needed information. I had a quick question though. How does the MX record and SPF authorised sender differ? I mean can they both be the same too?
@hasky9813 3 жыл бұрын
This a a great explanation, really helps with GCFE prep!
@sierratango69 3 жыл бұрын
I'm taking SANS FOR500 soon - great to know this is relevant to the exam :)
@sulthansk6444 4 жыл бұрын
Thanks for the video...
@ericksonpogs 4 жыл бұрын
Watching this video led me to subscribe to your channel. Thanks for sharing this and keep up the good work.
@sijsu 4 жыл бұрын
Great, thanks!
@ciaobello1261 4 жыл бұрын
great video.. very good explain👍👍
@Drusher10 3 жыл бұрын
Sir, amazing video :D
@samjohn1098 4 жыл бұрын
Good one
@afriq911 4 жыл бұрын
Thanks
@brink668 4 жыл бұрын
Nice shirt and yes nice wall.
4 жыл бұрын
Again, great video Can you explain how reconnaissance email (not email reconnaissance) the one some APTs use to put an url to verify if the email exists or not without clicking the link? thank you
@13Cubed 4 жыл бұрын
Hidden tracking pixels and things of that nature are pretty common and can show whether or not someone opened a message without clicking a link. Is that what you’re referring to?
4 жыл бұрын
@@13Cubed Yes Thank you
@dhustla15 3 жыл бұрын
I am sure this is a simple step I am missing but how do you migrate the email to sublime text for analysis?
@13Cubed 3 жыл бұрын
Using your mail client, view the mail headers. Then, just copy/paste those headers into Sublime Text, and choose the "Email Header" plugin in the bottom right.
@SuperChelseaSW6 4 жыл бұрын
Hello sir. make demo how fmem works for capturing linux memory . Thanks
@hangmalim6549 3 жыл бұрын
i installed packet control but it dont show up in sublime, why? i am stock in the beginning phase. help me out
@13Cubed 3 жыл бұрын
Go to Tools > Command Palette, then look for Package Control, Install Package. Search for "email header" and you should find it.
@beastface5123 4 жыл бұрын
Where do I get that 13 cubed polo? :)
@13Cubed 4 жыл бұрын
I'm going to be ordering some for giveaway in the next couple of months.
@Deezeone 4 жыл бұрын
how to get the ip from a google email??
@mindtropy 4 жыл бұрын
thanks! can you share a "hard example" of it that we can practice on
@13Cubed 4 жыл бұрын
Just send an email from one account to another and look at some of the header fields we've covered here. That's by far the easiest way to become familiar with how to read and interpret the data.
@mindtropy 4 жыл бұрын
@@13Cubed thanks for the quick response, i'll try it
@nitricdx 3 жыл бұрын
What does a localhost ip mean for the first Received field?
@13Cubed 3 жыл бұрын
This might help explain: serverfault.com/questions/522066/what-does-this-received-email-header-line-mean
@rafaeltrindade1867 4 жыл бұрын
Hey, i tried it with a .msg extension i get the encryption message, am i doing something wrong or missing something. Tks in advance great video!
@13Cubed 4 жыл бұрын
MSG files are usually associated with Microsoft Outlook, and aren’t going to be readable in plain text. You’ll need to view the headers within that application and copy and paste them into a separate file for analysis (or otherwise convert the MSG to EML via a third-party application).
@rafaeltrindade1867 4 жыл бұрын
@@13Cubed Yeah copy pasting works out, thanks!! :)
@D_Tech_And_Trek 4 жыл бұрын
how do criminals spoof email header? Thanks.
@ab866 3 жыл бұрын
Can you please suggest some good book to understand Email Security in detail.
@13Cubed 3 жыл бұрын
Not sure of any books, but plenty of online resources.
@Cubear99 3 жыл бұрын
Does all e-mails should have DKIM?
@13Cubed 3 жыл бұрын
No, not everyone has configured DKIM, though messages sent from any major email service or company should include DKIM signatures.
@DonVTOL 4 жыл бұрын
I tried this on an email and I don't get anywhere near as much information as you have. Any help would be greatly appreciated. Thanks
@13Cubed 4 жыл бұрын
What do you see? How are you viewing the headers (e.g. what mail client are you using)?
@courtneylyle1454 3 жыл бұрын
@@13Cubed This information was helpful in understanding but I am still unable to decipher the original sender location of an email from a gmail account. I have emails both sent and received, and determining if the sender is in my state or not would really help me in knowing who is behind the account. Can you help?
John Hubbard
Рет қаралды 24 М.
SANS Digital Forensics and Incident Response
Рет қаралды 9 М.
KamilSec
Рет қаралды 11 М.
SANS Digital Forensics and Incident Response
Рет қаралды 1,1 М.
Kasim Tech
Рет қаралды 63 МЛН