Email Header Analysis and Digital Forensics

  • Published 13 Dec 2024

Comments • 57

  • @BlackPerl
    @BlackPerl 4 years ago +1

    Menu:
    What we are going to cover - 0:05
    Grabbing a header for analysis- 0:50
    Requirements- 1:04
    Setting the language- 2:57
    Start the investigation- 3:23
    Check the SPF via dig- 22:45
    Start extraction of the attachment- 46:25

  • @joekmm803
    @joekmm803 1 year ago

    Nice video tutorial. Many people go to school just to learn all this stuff. Thank you so much.

  • @deanhaycox
    @deanhaycox 1 year ago

    This was an awesome tutorial on this subject, glad I found it

  • @bryanhildreth5947
    @bryanhildreth5947 3 years ago +2

    Great Training. I will continue to watch your trainings.

    • @BlackPerl
      @BlackPerl 3 years ago

      Thank you for your feedback Bryan. 😊 Please stay tuned and keep your feedback coming!

  • @aseemk1605
    @aseemk1605 4 years ago +1

    Nice one for mail forensics... never got such knowledge on header analysis before...

    • @BlackPerl
      @BlackPerl 4 years ago

      Hey Buddy.. Thanks a lot for your feedback. I am glad that you liked it.. Way to go mate!

  • @RamaKrishna-lg1zo
    @RamaKrishna-lg1zo 4 years ago +1

    Email Authentication Analysis was very well explained, sir. We will note some more points to write in the forensic email authentication report. Thank you very much, sir.

    • @BlackPerl
      @BlackPerl 4 years ago

      Thanks a lot for your feedback buddy. I am glad that you found this useful.

  • @shuttlecrab
    @shuttlecrab 1 year ago

    Thank you so much for creating this video, sir.
    Very informative and will help me in my current role so much.

  • @cyberwarriorall6260
    @cyberwarriorall6260 3 years ago +1

    Excellent bro. I love your videos.

    • @BlackPerl
      @BlackPerl 3 years ago

      Thank you for your feedback.. Really appreciate it!!

  • @harshanharidasan1649
    @harshanharidasan1649 4 years ago

    Excellent video for an Incident Responder .. Thanks 🙏

    • @BlackPerl
      @BlackPerl 4 years ago +1

      So nice of you Harshan.. We will be posting new series on DFIR soon, please stay tuned. :)

    • @harshanharidasan1649
      @harshanharidasan1649 4 years ago

      @@BlackPerl Awaiting 🙏

  • @subhampareek8425
    @subhampareek8425 3 years ago +1

    Found it really helpful. Just a suggestion: can you create more such videos on email forensics and showcase a different scenario? Which fields in the email header can be spoofed and which cannot?

    • @BlackPerl
      @BlackPerl 3 years ago +1

      Hey Buddy, Thanks for your feedback. Sure thing. I noted the suggestion.. Please stay tuned!

  • @avinashreddy9323
    @avinashreddy9323 3 years ago +1

    May I know whether header analysis is done top to bottom or bottom to top?

    • @BlackPerl
      @BlackPerl 3 years ago

      You can read it in whatever way you feel comfortable with and fits your understanding for parsing the IOCs.
      Only the Received lines are best read from bottom to top. That is, the first "Received:" line is your own system or mail server. The last "Received:" line is where the mail originated. Each mail system has its own style of "Received:" line. A "Received:" line typically identifies the machine that received the mail and the machine from which the mail was received, and so on...

  • @cybertraintelugu
    @cybertraintelugu 3 years ago +1

    Do we need to block the Proofpoint IP now?

    • @BlackPerl
      @BlackPerl 3 years ago

      Hey, I guess you wanted to block those IPs which are marked suspicious in PDR or PRS. If so, yes, you can try that because they generally do the categorization based on several factors. But if you think there is some false positive and want removal, you can contact them.
      You can follow this as well- bit.ly/2NHaSoW
      Please do let me know for more queries.

  • @577Pradeep
    @577Pradeep 4 years ago +1

    Nice tutorial..
    Learned a lot, but after looking at this video I looked into the Outlook headers of one of the emails with an attachment. I see the headers end at X-Microsoft-Antispam-Message-Info and I don't see anything related to the attachment.
    Has something changed in O365?

    • @BlackPerl
      @BlackPerl 4 years ago

      Hey. Thanks for your feedback. Appreciate it.
      And yes, the header information totally depends on the email transaction that is happening through the email server and the way it was configured to accept and trim the header at the receiver end. I guess you have collected the email sample from your Outlook client, which trims a lot of such valuable information. So we need to always take the email sample from the server end. You can ask your email team to supply any sample and then check it.
      But again, as I said, it depends on the way your system is configured. The sample which I worked on in this episode has a lot of information and I took it so that I could explain all the fields. So, you might not always find all of them in your header. But definitely you can find many of them. 😊

    • @capricornnnn
      @capricornnnn 3 years ago +1

      @@BlackPerl Thanks. How can you get that sample from the server? We have O365.

    • @BlackPerl
      @BlackPerl 3 years ago

      @@capricornnnn You need to run E-discovery on your email server to get that sample.

    • @capricornnnn
      @capricornnnn 3 years ago

      @@BlackPerl I got the headers via Threat management explorer but it's the same as you can view via Outlook. Also, if I select Visual Basic then I don't see much of a difference. Which Notepad++ theme are you using? Does that matter?

    • @BlackPerl
      @BlackPerl 3 years ago

      @@capricornnnn It should not be the theme. At times, your data might not be in a good orientation for Notepad++ to recognize it as VB language. But if you are exporting the data from Outlook, it does work. I have tried with several samples.

  • @myeschool2129
    @myeschool2129 3 years ago +1

    I would like to extract features from raw emails that I have with me and I want these extracted features to categorise them as spam or legitimate emails using some ML algorithms. I am asking how to extract features from emails for this classification?
    Also, can you share the above email header?

    • @BlackPerl
      @BlackPerl 3 years ago +1

      Ok. I understood it now. So for that, you can write a simple VB-script-like macro in Outlook, and then run that same script over all your emails. The script will extract all of the required fields into an Excel format. I have done that in the past to work on a phishing project. It's an easy job and a small script. Define a function and look for the specified fields in the parameter in the string value.. Something like below-
      If InStr(1, vText(i), "Reported by: ") > 0 Then
          vItem = Split(vText(i), Chr(58), 2)   ' Chr(58) is ":"; split once, keep the value after the field name
          xlPhishSheet.Range("A" & rPhishCount) = Trim(vItem(1))
      End If
      So I am looking for the "Reported by: " parameter in the emails; you have to mention the same which you need to extract and then keep on appending them to an Excel sheet.
      Hope this helps!
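
      As an added example (not the video's or any commenter's code), the two points above in one script: walking the "Received:" chain from bottom to top to recover the path from the origin to your own server, and the field extraction the VB macro does, here with Python's standard email module producing a feature dict (hop count, origin IP, SPF/DKIM/DMARC verdicts, From vs Return-Path domain mismatch) that a spam/phish classifier could consume. The sample message is constructed; hosts and IPs are documentation values.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed sample (documentation hosts/IPs): three hops, SPF failure, and a
# From: domain that differs from the envelope sender in Return-Path.
RAW_EMAIL = """\
Received: from mx.example-corp.test (mx.example-corp.test [198.51.100.7])
 by mail.example-corp.test with ESMTP; Mon, 2 Nov 2020 10:00:05 +0000
Received: from relay.sender-example.test (relay.sender-example.test [203.0.113.9])
 by mx.example-corp.test with ESMTPS; Mon, 2 Nov 2020 10:00:02 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by relay.sender-example.test with SMTP; Mon, 2 Nov 2020 09:59:58 +0000
Authentication-Results: mx.example-corp.test; spf=fail
 smtp.mailfrom=bulk-sender.test; dkim=none; dmarc=fail header.from=example-corp.test
Return-Path: <billing@bulk-sender.test>
From: "Accounts" <accounts@example-corp.test>
Subject: Invoice attached
"""
HOP_RE = re.compile(r"from\s+(?P<from>\S+).*?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def parse_hops(raw):
    """Received hops oldest-first. Each relay prepends its own line, so the top
    line is the final receiving server and the bottom line is the origin."""
    msg = message_from_string(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # collapse folded continuation lines
        m, ip = HOP_RE.search(text), IP_RE.search(text)
        hops.append({"from": m["from"] if m else None,
                     "by": m["by"] if m else None,
                     "ip": ip.group(1) if ip else None})
    return hops

def _domain(msg, header):
    return parseaddr(str(msg.get(header, "")))[1].rpartition("@")[2].lower()

def extract_features(raw):
    """Header-derived features for triage or for a spam/phish classifier."""
    msg = message_from_string(raw, policy=policy.default)
    hops = parse_hops(raw)
    auth = " ".join(str(msg.get("Authentication-Results", "")).split())
    def verdict(mech):  # "spf=fail" -> "fail"; "none" when the mechanism is absent
        m = re.search(rf"\b{mech}=(\w+)", auth)
        return m.group(1) if m else "none"
    from_dom, rp_dom = _domain(msg, "From"), _domain(msg, "Return-Path")
    return {"hop_count": len(hops), "origin_ip": hops[0]["ip"] if hops else None,
            "spf": verdict("spf"), "dkim": verdict("dkim"), "dmarc": verdict("dmarc"),
            "from_domain": from_dom, "return_path_domain": rp_dom,
            "envelope_mismatch": from_dom != rp_dom}
```

Run on a header block exported from the mail server rather than the Outlook client, as the reply above notes, so that the Received and Authentication-Results lines are intact.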

  • @sayankumardey6826
    @sayankumardey6826 3 years ago +2

    Hi, please give this header for practice

    • @BlackPerl
      @BlackPerl 3 years ago +1

      Here you go Buddy- drive.google.com/drive/folders/1SeUKNuZaDA1BntvI3AJIOdenmObJ-vLr?usp=sharing

    • @muthu2223
      @muthu2223 3 years ago

      @@BlackPerl It is asking for a password.. could you please help me?

    • @BlackPerl
      @BlackPerl 3 years ago +1

      @@muthu2223 It is- 'infected'

    • @muthu2223
      @muthu2223 3 years ago +1

      @@BlackPerl thanks a lot

    • @muthu2223
      @muthu2223 3 years ago

      @@BlackPerl When I opened it, suddenly my system got a blue screen.. does it contain any malware??.. what is the reason for this??..

  • @myeschool2129
    @myeschool2129 3 years ago +1

    How to extract features from raw emails for machine learning?

    • @BlackPerl
      @BlackPerl 3 years ago

      Hey, not sure if I understood you correctly. There are ways to extract metadata from email headers (raw). But did you mean doing this using ML?

    • @myeschool2129
      @myeschool2129 3 years ago +1

      @@BlackPerl I would like to extract features from raw emails that I have with me and I want these extracted features to categorise them as spam or legitimate emails using some ML algorithms. I am asking how to extract features from emails for this classification?

    • @BlackPerl
      @BlackPerl 3 years ago

      I hope my reply on the other comment would help. Please do let me know for any query.

  • @myeschool2129
    @myeschool2129 3 years ago +1

    Can you please share this header details for analysis?

    • @BlackPerl
      @BlackPerl 3 years ago

      You can download it from here- drive.google.com/file/d/1VRPeR5JgSOPOsxpSG3_I5kdnob49mSvQ/view?usp=sharing
      pass- infected

  • @brettleecorreia5987
    @brettleecorreia5987 3 years ago

    Can you suggest to me how to build an email header from scratch???

    • @BlackPerl
      @BlackPerl 3 years ago

      Hey, not sure if I understood your question. Can you please elaborate on what you meant by building an email header?

    • @brettleecorreia5987
      @brettleecorreia5987 3 years ago

      @@BlackPerl I want to build an email header analysis website..

    • @BlackPerl
      @BlackPerl 3 years ago +1

      @@brettleecorreia5987 Understood. So for that you can leverage the Git project here: github.com/cyberdefenders/email-header-analyzer
      Get the idea of how they are coding it and then you can implement the same logic.

    • @brettleecorreia5987
      @brettleecorreia5987 3 years ago

      @@BlackPerl thank u 🤩

    • @BlackPerl
      @BlackPerl 3 years ago

      @@brettleecorreia5987 You are welcome

  • @D_Tech_And_Trek
    @D_Tech_And_Trek 3 years ago

    KSA IS NOT UAE BRO :)