Email Header Analysis and Forensic Investigation

140,482 views

13Cubed

1 day ago

Do you know how to properly read and analyze an email message header? In this episode, we’ll take a look at two examples - one legitimate, and one not-so-legitimate. We’ll learn which header fields are most commonly referenced for analysis, how to determine a message’s true origin, how to read SPF and DKIM information, and we’ll even take a quick look at DMARC. Whether you’re completely new to this concept or a seasoned veteran, this episode has something for you.
🙏Special thanks to Arman Gungor (@armangungor) for lending his expertise in making this episode.
** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **
Leveraging DKIM in Email Forensics:
www.metaspike.com/leveraging-...
What is DMARC?:
dmarc.org/
Email Header Plugin for Sublime Text 3:
packagecontrol.io/packages/Em...
Background Music Courtesy of Anders Enger Jensen:
/ hariboosx
#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics #EmailForensics

COMMENTS: 65
@omniomi 3 years ago
Great video! The description of the SPF qualifiers on the "all" mechanism isn't quite right though. Your description is a common misconception I encounter on security and admin forums frequently. The difference in handling of ~all and -all failures is entirely a matter of local policy on the side of the receiver. Senders should strive to get their records to -all but the difference in how imposter mail will be treated isn't as stark as one may think. The softfail description is somewhat correct in that the RFC specifies the receiver "SHOULD NOT" reject (note it doesn't say "MUST NOT".) However, accepted is not the same as delivered and the message may still be quarantined or otherwise prevented from ultimately ending up in the recipient's mailbox. The RFC on fail (-all) is almost the same but says >>>if>chooses
@13Cubed 3 years ago
I appreciate the detailed insight, and will pin this comment.
@omniomi 3 years ago
@13Cubed Just to reiterate: your video is great. The content is accurate, useful, and easy to follow. Email security is just my entire job, and before that I was basically a postmaster, so I can depressingly quote all of the relevant RFCs from memory haha :D I think the misconception about how -all and ~all are handled is because in an ideal world the way you described it would be true. In practice, though, so many legitimate messages fail SPF for a myriad of reasons that filter vendors err on the side of "accept but be suspicious" unless there's a DMARC record with p=reject. Even then some still accept but quarantine (looking at you, Office 365).
@13Cubed 3 years ago
@omniomi Makes sense - thanks!
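The two things the episode description promises (finding a message's true origin from the Received chain and reading SPF/DKIM/DMARC results), combined with the point made in the pinned thread above (that what a receiver does with an SPF fail or softfail is local policy, not something the sender's -all or ~all dictates), as an added Python example. This is not code from the video, from 13Cubed or from the commenters; the header block, hostnames, IP addresses and the two policy tables are constructed for illustration, and a real receiver's disposition rules are whatever its filter and administrators configure.

```python
"""Added example: read a header block bottom-up to locate the origin hop,
then read Authentication-Results and apply a receiver-side policy."""
import ipaddress
import re
from email import policy
from email.parser import BytesParser

# Constructed sample headers (not from any real message): three Received
# hops, earliest at the bottom (a loopback hand-off on the sending host),
# plus the Authentication-Results line the receiving MTA added.
SAMPLE_HEADERS = b"""\
Received: from mx.receiver.example (mx.receiver.example [192.0.2.10])
 by inbox.receiver.example with ESMTP id r3; Mon, 1 Jan 2024 10:00:02 +0000
Received: from mail.sender.example (mail.sender.example [198.51.100.7])
 by mx.receiver.example with ESMTPS id r2; Mon, 1 Jan 2024 10:00:01 +0000
Received: from localhost (localhost [127.0.0.1])
 by mail.sender.example (Postfix) with ESMTP id r1; Mon, 1 Jan 2024 10:00:00 +0000
Authentication-Results: mx.receiver.example;
 spf=softfail (sender IP is 198.51.100.7) smtp.mailfrom=sender.example;
 dkim=pass header.d=sender.example;
 dmarc=pass (p=quarantine) header.from=sender.example
From: Alice <alice@sender.example>
To: Bob <bob@receiver.example>
Subject: constructed sample

body
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                    # name the client gave in HELO/EHLO
    r"(?:\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?"    # optional reverse DNS of the client
    r"\[(?P<ip>[^\]]+)\]\))?"                  # IP the receiving MTA actually saw
    r"(?:.*?\bby\s+(?P<by>\S+))?"              # MTA that added this header
)

# RFC 1918 space only; ipaddress.is_private would also flag the RFC 5737
# documentation ranges used in the constructed sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_headers(raw: bytes):
    """Parse a raw header block; the default policy unfolds folded lines."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def received_chain(msg):
    """Hops in chronological order: each MTA prepends its Received header,
    so the bottom-most one in the message is the first hop."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(re.sub(r"\s+", " ", str(value)))
        if m:
            hops.append(m.groupdict())
    return hops


def origin_ip(hops):
    """First routable client address in the chain. A loopback or RFC 1918
    address in the earliest hop means the message was handed off locally on
    that host, so the externally meaningful hand-over is the next hop up.
    Only hops added by your own infrastructure are trustworthy; anything
    below them may have been forged by the sender."""
    for hop in hops:
        try:
            addr = ipaddress.ip_address(hop.get("ip") or "")
        except ValueError:
            continue
        if addr.is_loopback or any(addr in net for net in INTERNAL_NETS):
            continue
        return str(addr)
    return None


def parse_auth_results(value: str):
    """Extract spf/dkim/dmarc verdicts, plus the published DMARC policy when
    the MTA echoed it as (p=...), from an Authentication-Results value."""
    flat = re.sub(r"\s+", " ", value)
    results = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", flat, re.I)}
    m = re.search(r"dmarc=\w+\s*\(p=(\w+)\)", flat, re.I)
    if m:
        results["dmarc_policy"] = m.group(1).lower()
    return results


# Constructed local policies. The receiver, not the SPF record, decides what
# fail (-all) and softfail (~all) become; DMARC's p= is honoured only when
# DMARC itself fails.
DEFAULT_POLICY = {"spf_fail": "quarantine", "spf_softfail": "quarantine",
                  "dmarc_fail_reject": "reject", "dmarc_fail_quarantine": "quarantine",
                  "dmarc_fail_none": "deliver"}
STRICT_POLICY = dict(DEFAULT_POLICY, spf_fail="reject")


def disposition(auth, local_policy=DEFAULT_POLICY):
    """Map verdicts to deliver / quarantine / reject under a local policy."""
    if auth.get("dmarc") == "pass":
        return "deliver"  # an aligned SPF or DKIM result passed
    if auth.get("dmarc") == "fail":
        return local_policy["dmarc_fail_" + auth.get("dmarc_policy", "none")]
    if auth.get("spf") in ("fail", "softfail"):
        return local_policy["spf_" + auth["spf"]]
    return "deliver"


def analyze(raw: bytes = SAMPLE_HEADERS, local_policy=DEFAULT_POLICY):
    """Run the whole walk on one header block and return the findings."""
    msg = parse_headers(raw)
    hops = received_chain(msg)
    auth = parse_auth_results(str(msg["Authentication-Results"]))
    return {"hops": len(hops), "origin_ip": origin_ip(hops),
            "auth": auth, "disposition": disposition(auth, local_policy)}


if __name__ == "__main__":
    print(analyze())
```

Run against the constructed sample, `analyze()` reports three hops, an origin of 198.51.100.7 (the loopback hop is skipped), and "deliver" because DMARC passed even though SPF soft-failed; feeding `parse_auth_results` a line with spf=fail and no DMARC result gives "quarantine" under `DEFAULT_POLICY` and "reject" under `STRICT_POLICY`, which is exactly the local-policy difference the pinned comment describes.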
@jeffp1519 4 years ago
I've been doing some form of email forensics for years, and this is one of the best explanations that I've seen. Great job. I'd welcome much more of this, as well as Mac, Linux and database forensics. Cheers.
@jackbaylor6737 4 years ago
Superbly broken down and well narrated. Very engaging. Looking forward to more!
@peterream6508 3 years ago
This is a fantastic analysis and should be required watching for anyone that analyzes email for a living. Would recommend!
@krisshaa8079 3 years ago
This is a life saver. I learned more in 20 minutes than in 3 hours of reading documentation.
@abrahamissacjacob4018 4 years ago
SPF and DKIM sounded so simple. Great video Richard, as always!!
@zdog34whatnow 4 years ago
Best forensics resource I’ve found! You are the man
@gerardocaudillo1902 4 years ago
Great as always!
@SecureTheWorld 4 years ago
This is the best video I have seen on mail headers, awesome!
@TheAnurag69 3 years ago
Best teacher I have ever come across.
@jag831 3 years ago
Priceless... thank you!
@mysketchbook9630 4 years ago
Simply great & thanks for sharing.
@pedromatos8406 3 years ago
Thank you for this very clear explanation, indeed one of the best explanations out there. Please continue doing videos like this.
@gauravkaintura 4 years ago
Just came across your channel, great technical article explanation ..... appreciate your work
@lautarob 4 years ago
Excellent! (as usual). Thank you very much
@samjohn1098 4 years ago
Expecting some Mac forensics from 13Cubed, at least a start.
@vinaykumar-pn5le 3 years ago
Nice experience. Thanks for your kind information.
@abhijitshetty7338 3 years ago
Very informative indeed. Loved it.
@annafan83 4 years ago
Good episode and nice office wall ^^
@ahmedelhabashi9341 4 years ago
Great new video and your explanation is awesome... keep going, thanks.
@saipraveen1382 3 years ago
So useful a video for email forensics, and for ordinary people to safeguard themselves from phishing emails. Love the way it is presented, and thanks a lot :)
@sulthansk6444 4 years ago
Thanks for the video...
@WestLondonSW6 4 years ago
Let's hit 20k. Your vlogs are awesome.
@sijsu 4 years ago
Great, thanks!
@hasky9813 3 years ago
This is a great explanation, really helps with GCFE prep!
@sierratango69 3 years ago
I'm taking SANS FOR500 soon - great to know this is relevant to the exam :)
@ericksonpogs 4 years ago
Watching this video led me to subscribe to your channel. Thanks for sharing this and keep up the good work.
@ciaobello1261 4 years ago
Great video.. very good explanation 👍👍
@samjohn1098 4 years ago
Good one
@justingtq13 3 years ago
Hey, thanks for the great video. Lots of cool and needed information. I had a quick question though. How do the MX record and the SPF authorised sender differ? I mean, can they both be the same too?
@tehpizzarollz 1 year ago
Awesome video. Also, you sound like the narrator on The Sandlot which is pretty cool.
@Drusher10 3 years ago
Sir, amazing video :D
@brink668 4 years ago
Nice shirt and yes nice wall.
@afriq911 4 years ago
Thanks
@WestLondonSW6 4 years ago
Hello sir. Make a demo of how fmem works for capturing Linux memory. Thanks.
@HamzaOuadiaprofile 4 years ago
Again, great video. Can you explain how a reconnaissance email (not email reconnaissance) works, the kind some APTs use that puts a URL in the message to verify whether the email address exists or not without the link being clicked? Thank you.
@13Cubed 4 years ago
Hidden tracking pixels and things of that nature are pretty common and can show whether or not someone opened a message without clicking a link. Is that what you’re referring to?
@HamzaOuadiaprofile 4 years ago
@13Cubed Yes, thank you.
@mindtropy 4 years ago
Thanks! Can you share a "hard example" of it that we can practice on?
@13Cubed 4 years ago
Just send an email from one account to another and look at some of the header fields we've covered here. That's by far the easiest way to become familiar with how to read and interpret the data.
@mindtropy 4 years ago
@13Cubed Thanks for the quick response, I'll try it.
@Deezeone 4 years ago
How to get the IP from a Google email??
@beastface5123 4 years ago
Where do I get that 13 cubed polo? :)
@13Cubed 4 years ago
I'm going to be ordering some for giveaway in the next couple of months.
@dhustla15 3 years ago
I am sure this is a simple step I am missing but how do you migrate the email to sublime text for analysis?
@13Cubed 3 years ago
Using your mail client, view the mail headers. Then, just copy/paste those headers into Sublime Text, and choose the "Email Header" plugin in the bottom right.
@rafaeltrindade1867 4 years ago
Hey, I tried it with a .msg extension and I get the encryption message. Am I doing something wrong or missing something? Thanks in advance, great video!
@13Cubed 4 years ago
MSG files are usually associated with Microsoft Outlook, and aren’t going to be readable in plain text. You’ll need to view the headers within that application and copy and paste them into a separate file for analysis (or otherwise convert the MSG to EML via a third-party application).
@rafaeltrindade1867 4 years ago
@13Cubed Yeah, copy-pasting works out, thanks!! :)
@hangmalim6549 3 years ago
I installed Package Control but it doesn't show up in Sublime, why? I am stuck in the beginning phase. Help me out.
@13Cubed 3 years ago
Go to Tools > Command Palette, then look for Package Control, Install Package. Search for "email header" and you should find it.
@nitricdx 3 years ago
What does a localhost ip mean for the first Received field?
@13Cubed 3 years ago
This might help explain: serverfault.com/questions/522066/what-does-this-received-email-header-line-mean
@ab866 3 years ago
Can you please suggest some good books to understand email security in detail?
@13Cubed 3 years ago
Not sure of any books, but plenty of online resources.
@dilent7525 4 years ago
How do criminals spoof email headers? Thanks.
@Cubear99 3 years ago
Should all e-mails have DKIM?
@13Cubed 3 years ago
No, not everyone has configured DKIM, though messages sent from any major email service or company should include DKIM signatures.
@DonVTOL 4 years ago
I tried this on an email and I don't get anywhere near as much information as you have. Any help would be greatly appreciated. Thanks
@13Cubed 4 years ago
What do you see? How are you viewing the headers (e.g. what mail client are you using)?
@courtneylyle1454 3 years ago
@13Cubed This information was helpful in understanding, but I am still unable to decipher the original sender location of an email from a Gmail account. I have emails both sent and received, and determining if the sender is in my state or not would really help me in knowing who is behind the account. Can you help?