DFIR-Notes
Key Email Headers for SOC Analysts and DFIR

Email headers provide critical information for analyzing and investigating email-based threats, making them essential for SOC analysts and Digital Forensics and Incident Response (DFIR) professionals. Below are the most important email headers they should understand, along with their significance.

1. Received

  • Purpose: Records every mail server (MTA) that handled the message. Each MTA prepends its own Received line, so the topmost line is the last hop (normally your own server) and the bottom line is the first.

  • Use in Investigation:

    • Read the chain bottom-up to find the origin. The connecting IP address is the one the receiving server recorded in square brackets; the hostname after "from" is whatever the sending host announced in HELO/EHLO and is under the sender's control.

    • Trust only the Received lines added by servers you control. Everything below them was supplied by the sender and can be forged. Missing hops, unusual routing, or timestamps that go backwards from one hop to the next point to spoofing or a hand-crafted message.

      Example (hostnames, IP and id are illustrative):

      Received: from mail.example.com (mail.example.com [203.0.113.25])
              by smtp.company.com with ESMTPS id abc123;
              Wed, 18 Dec 2024 10:00:05 -0500

2. From

  • Purpose: The sender address shown to the recipient (the RFC 5322 header From), as opposed to the SMTP envelope sender recorded in Return-Path.

  • Use in Investigation:

    • Frequently spoofed in phishing: both the display name and the address can be forged. SPF never checks this header; only DMARC does, by requiring the From domain to align with the domain that passed SPF or DKIM.

    • Compare with the Return-Path, Sender and Reply-To headers and with the DKIM d= domain. A From domain that differs from all of them is the classic spoofing discrepancy. Also inspect the display name for look-alike domains or an address embedded in the name.

  • Example:

    From: attacker@example.com

3. To

  • Purpose: Displays the intended recipient(s) of the email.

  • Use in Investigation:

    • Shows whether the recipient was specifically targeted or one of many addresses in a bulk campaign.

    • Bcc recipients never appear here, and the To header can name someone other than the mailbox that actually received the message. The real delivery target is the envelope recipient, often visible in a Delivered-To header or in the "for <address>" clause of a Received line.

  • Example:

    To: victim@target.com

4. Subject

  • Purpose: Contains the email's subject line.

  • Use in Investigation:

    • Detects common phishing or spam triggers (e.g., "URGENT ACTION REQUIRED").

    • Analyzes patterns in subject lines for targeted campaigns.

  • Example:

    Subject: Account Verification Needed
    

5. Return-Path

  • Purpose: The SMTP envelope sender (MAIL FROM), written into the message by the final receiving MTA. Bounces and delivery notifications are sent here.

  • Use in Investigation:

    • SPF is evaluated against this domain, not against the From header, so "spf=pass" with a Return-Path domain the attacker controls says nothing about the From address being genuine.

    • A Return-Path domain that differs from the From domain fails DMARC's SPF alignment and is a common spoofing indicator. It is also normal for mailing lists and many bulk-mail providers, so judge it in context.

  • Example:

    Return-Path: <noreply@fakebank.com>

6. Message-ID

  • Purpose: A unique identifier for the email, generated by the sending client or the first mail server. The part after the @ is normally the host or domain that generated it.

  • Use in Investigation:

    • Helps trace specific emails in a campaign and correlate copies across mailboxes and mail-server logs.

    • Identifies duplicate or altered emails; a domain after the @ that matches neither the From domain nor the first Received hop can reveal the real sending infrastructure, and a missing or malformed Message-ID often indicates a script rather than a mail client.

  • Example:

    Message-ID: <1234567890@mail.example.com>

7. Date

  • Purpose: Specifies when the email was sent, as set by the sending client.

  • Use in Investigation:

    • The value is client-controlled and trivially forged. Compare it with the timestamp in the first trusted Received line: a Date far in the past or future, or later than the first hop's receipt time, indicates a forged header or a badly skewed clock. A weekday that does not match the calendar date is another sign of a hand-written header, since real mail clients compute it.

    • Helps correlate events during an incident; convert every timestamp to UTC before comparing them.

  • Example:

    Date: Wed, 18 Dec 2024 10:00:00 -0500

8. Reply-To

  • Purpose: Specifies an alternate email address for replies.

  • Use in Investigation:

    • Often abused in phishing attacks to redirect responses to a malicious address.

  • Example:

    Reply-To: scammer@malicious.com

9. DKIM-Signature

  • Purpose: A cryptographic signature over selected headers (listed in the h= tag) and a hash of the body (the bh= tag), made with the private key of the domain in d=. The verifier fetches the matching public key from DNS at <selector>._domainkey.<domain>, using the s= and d= tags.

  • Use in Investigation:

    • Shows whether the signed headers and the body were altered in transit; dkim=pass in Authentication-Results means the message is intact and was signed by the d= domain.

    • A valid signature is not proof of legitimacy: attackers sign mail with their own domains. Check that d= aligns with the From domain (DMARC alignment), remember that only the headers listed in h= are protected, and treat an l= tag with suspicion, since it limits the signed body length and lets unsigned content be appended.

  • Example:

    DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;
            h=from:to:subject:date:message-id; bh=...; b=...
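The bh= tag can be checked offline, without the DNS key, which is a quick way to confirm that the body you are looking at is the body that was signed. The following is an added example (not code from this page or from any DKIM library): it implements the RFC 6376 simple and relaxed body canonicalization, recomputes bh=, and also builds the DNS name the public key lives at. The sample message is constructed; no real key signed it, so its bh= is filled in from the untampered body and its b= is a placeholder that this check never uses. Verifying b= over the headers would additionally need the public key and an RSA or Ed25519 verification step.

```python
"""Recompute the DKIM bh= body hash (RFC 6376 section 3.4 canonicalization) and
compare it with the value in DKIM-Signature. This checks body integrity only;
checking b= over the headers also needs the public key at <s>._domainkey.<d>."""
import base64
import hashlib
import re


def parse_dkim_tags(value):
    """'v=1; a=rsa-sha256; bh=...' -> dict; folding whitespace inside values is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" in item:
            k, v = item.split("=", 1)
            tags[k.strip()] = "".join(v.split())
    return tags


def dkim_dns_name(tags):
    """Where the verifier fetches the public key (the name you point `dig TXT` at)."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def canonicalize_body(body, mode):
    lines = body.replace(b"\r\n", b"\n").split(b"\n")
    if mode == "relaxed":  # collapse runs of WSP to one space and drop trailing WSP
        lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in lines]
    while lines and lines[-1] == b"":  # both modes ignore trailing empty lines
        lines.pop()
    canon = b"".join(ln + b"\r\n" for ln in lines)
    return canon if canon or mode == "relaxed" else b"\r\n"  # simple: empty body is one CRLF


def body_hash(body, mode, algorithm="sha256", length=None):
    canon = canonicalize_body(body, mode)
    if length is not None:  # l= tag: only the first l octets of the body are signed
        canon = canon[:length]
    return base64.b64encode(hashlib.new(algorithm, canon).digest()).decode()


def check_body_hash(raw):
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = re.sub(rb"\r\n[ \t]+", b" ", head).decode().split("\r\n")  # unfold
    sig = next((h.split(":", 1)[1] for h in headers if h.lower().startswith("dkim-signature:")), None)
    if sig is None:
        return {"ok": False, "reason": "no DKIM-Signature header"}
    tags = parse_dkim_tags(sig)
    body_mode = (tags.get("c", "simple/simple").split("/") + ["simple"])[1]  # c=header/body
    computed = body_hash(body, body_mode, tags.get("a", "rsa-sha256").split("-")[1],
                         int(tags["l"]) if "l" in tags else None)
    return {"ok": computed == tags.get("bh"), "computed": computed, "expected": tags.get("bh"),
            "body_canon": body_mode, "dns_name": dkim_dns_name(tags),
            "partial_body": "l" in tags}  # l= lets an attacker append unsigned content


# Constructed message: no real key signed it, so bh= is filled from the untampered body
# here and b= is a placeholder that this check never uses.
SAMPLE_BODY = b"Hello   world \r\nPlease verify your account.\r\n\r\n\r\n"
SAMPLE_EML = (b"From: alerts@example.com\r\nTo: victim@target.com\r\n"
              b"DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.com; s=default;\r\n"
              b"\th=from:to; bh=" + body_hash(SAMPLE_BODY, "relaxed").encode() + b";\r\n"
              b"\tb=PLACEHOLDER\r\n\r\n" + SAMPLE_BODY)
TAMPERED_EML = SAMPLE_EML.replace(b"verify your account", b"verify at http://malicious.com")

if __name__ == "__main__":
    for name, eml in (("original", SAMPLE_EML), ("tampered", TAMPERED_EML)):
        print(name, check_body_hash(eml))
```

The canonicalization mode is taken from the body half of the c= tag (the second value; a single value applies to headers only, and the body defaults to simple), and the hash algorithm from a=. A mismatch means the body was modified after signing, or that the sandbox or mail client you exported from rewrote it, so confirm with the original .eml before drawing conclusions.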

10. SPF

  • Purpose: Sender Policy Framework. The receiving MTA checks whether the connecting IP address is listed in the DNS TXT record of the envelope sender domain (Return-Path / MAIL FROM, or the HELO domain when MAIL FROM is empty). The result is recorded in a Received-SPF header (see 15) and in Authentication-Results.

  • Use in Investigation:

    • Detects spoofing of the envelope domain. It does not check the From header: a message with From: ceo@yourcompany.com and a Return-Path in an attacker-controlled domain can pass SPF cleanly, which is why DMARC alignment matters.

    • Results are pass, fail, softfail, neutral, none, temperror or permerror. Softfail (~all) and neutral results are usually still delivered, so treat them as a weak signal rather than a verdict.

  • Example (IP is illustrative):

    Received-SPF: pass (domain of example.com designates 203.0.113.25 as permitted sender)
    

11. Authentication-Results

  • Purpose: Summarizes the results of email authentication checks (SPF, DKIM, DMARC, sometimes ARC) as recorded by the MTA that performed them. The first token is the authserv-id of that MTA.

  • Use in Investigation:

    • Quickly identifies authentication failures. The combination spf=pass and dkim=pass for an attacker domain with dmarc=fail for the From domain is the typical look of a spoofed message that authenticates only on its own infrastructure.

    • Trust only the header stamped with your own MTA's authserv-id. A sender can inject Authentication-Results headers full of pass verdicts; receiving MTAs are supposed to strip headers that claim their identity, but not all do, and headers from other hosts prove nothing.

  • Example:

    Authentication-Results: mx.company.com;
            spf=pass smtp.mailfrom=fakebank.com;
            dkim=pass header.d=fakebank.com;
            dmarc=fail header.from=example.com

12. Content-Type

  • Purpose: Specifies the format of the email content (plain text, HTML, or multipart) and, on each MIME part, the type of that part and its attachments.

  • Use in Investigation:

    • Detects malicious payloads in attachments or embedded scripts by walking every MIME part rather than trusting the top-level type.

  • Example:

    Content-Type: multipart/alternative; boundary="0000boundary"

  • Malicious Content Delivery:

    • Attackers use part-level Content-Type values such as application/javascript or application/x-msdownload to deliver executable payloads; compare the declared type with the filename extension and the actual file signature, since any of the three can lie.

  • HTML Email Risks:

    • Parts with Content-Type: text/html can carry phishing links whose visible text differs from the href, tracking images, and content that triggers vulnerabilities in email clients.

  • MIME Boundary Exploits:

    • Malformed or ambiguous multipart structure (mismatched boundaries, duplicate Content-Type headers, nested message/rfc822 parts) can make the security gateway and the mail client parse the message differently, so the client renders or extracts a part the filter never scanned.
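The checks described in sections 1 to 12 are mechanical enough to script. The following is an added example (not code from this page): a Python triage function that parses a raw .eml with the standard library, walks the Received chain oldest hop first, checks From against Return-Path and Reply-To using DMARC-style relaxed alignment, keeps only the Authentication-Results header stamped by the trusted MTA, and lists every MIME part with its Content-Type. The message, the hosts, IPs, ids and domains in it are constructed, and `mx.company.com` is assumed to be your own MTA's authserv-id.

```python
"""Header triage for a raw RFC 5322 message: Received chain, sender-identity alignment,
trusted Authentication-Results and MIME part types (added example, constructed input)."""
import re
from email import message_from_bytes, policy
from email.utils import parseaddr

# Constructed sample, not a real capture; hosts, IPs, ids and domains are hypothetical.
SAMPLE_EML = b"""\
Return-Path: <bounce@fakebank.com>
Received: from mx.company.com (mx.company.com [203.0.113.10])
\tby smtp.company.com with ESMTPS id abc123; Wed, 18 Dec 2024 10:00:05 -0500
Received: from mail.example.com (mail.example.com [198.51.100.25])
\tby mx.company.com with ESMTPS id xyz789; Wed, 18 Dec 2024 10:00:03 -0500
Received: from [10.0.0.5] (unknown [192.0.2.77])
\tby mail.example.com with ESMTPA id qrs456; Wed, 18 Dec 2024 10:00:02 -0500
Authentication-Results: mx.company.com;
\tspf=pass smtp.mailfrom=fakebank.com;
\tdkim=pass header.d=fakebank.com header.s=default;
\tdmarc=fail header.from=example.com
Authentication-Results: attacker.invalid; spf=pass; dkim=pass; dmarc=pass
From: "Example Bank" <alerts@example.com>
Reply-To: scammer@malicious.com
To: victim@target.com
Date: Wed, 18 Dec 2024 10:00:00 -0500
Content-Type: multipart/mixed; boundary="0000boundary"

--0000boundary
Content-Type: text/html; charset="utf-8"

<html><body><a href="http://malicious.com/login">Verify now</a></body></html>
--0000boundary
Content-Type: application/x-msdownload; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--0000boundary--
"""

HOP_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<tcp>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
RISKY_TYPES = {"application/x-msdownload", "application/x-msdos-program", "application/javascript"}


def received_chain(msg):
    """Oldest hop first: every MTA prepends its own Received line, so the bottom one is the
    first hop. The bracketed IP is what the receiving MTA saw; the HELO name is sender-chosen."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(str(hdr).split())  # unfold and normalise whitespace
        if m := HOP_RE.search(text):
            ip = IP_RE.search(m.group("tcp") or "") or IP_RE.search(m.group("helo"))
            hops.append({"helo": m.group("helo"), "by": m.group("by"), "ip": ip.group(1) if ip else None,
                         "date": text.rsplit(";", 1)[1].strip() if ";" in text else None})
    return hops


def domain_of(value):
    addr = parseaddr(str(value or ""))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def aligned(a, b):  # DMARC relaxed alignment: same domain, or one a subdomain of the other
    return bool(a and b) and (a == b or a.endswith("." + b) or b.endswith("." + a))


def sender_identities(msg):
    ids = {"from": domain_of(msg["From"]), "return_path": domain_of(msg["Return-Path"]),
           "reply_to": domain_of(msg["Reply-To"])}
    ids["return_path_aligned"] = aligned(ids["from"], ids["return_path"])
    ids["reply_to_aligned"] = ids["reply_to"] is None or aligned(ids["from"], ids["reply_to"])
    return ids


def auth_results(msg, trusted_authserv):
    """RFC 8601 Authentication-Results, keeping only the header stamped with our own MTA's
    authserv-id: a sender can inject look-alike headers full of pass verdicts."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        parts = [p.strip() for p in " ".join(str(hdr).split()).split(";") if p.strip()]
        if not parts or parts[0].split()[0].lower() != trusted_authserv.lower():
            continue
        for clause in parts[1:]:
            method, _, verdict = clause.split()[0].partition("=")
            props = dict(t.split("=", 1) for t in clause.split()[1:] if "=" in t)
            results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def mime_parts(msg):
    return [{"content_type": p.get_content_type(), "filename": p.get_filename(),
             "risky": p.get_content_type() in RISKY_TYPES}
            for p in msg.walk() if not p.is_multipart()]


def triage(raw, trusted_authserv="mx.company.com"):
    msg = message_from_bytes(raw, policy=policy.default)
    hops, ids = received_chain(msg), sender_identities(msg)
    auth, parts = auth_results(msg, trusted_authserv), mime_parts(msg)
    findings = []
    if not ids["return_path_aligned"]:
        findings.append("Return-Path (SPF) domain does not align with From domain")
    if not ids["reply_to_aligned"]:
        findings.append("Reply-To sends replies to a different domain than From")
    if auth.get("dmarc", {}).get("result") not in (None, "pass"):
        findings.append("DMARC did not pass at the trusted MTA")
    findings += [f"risky attachment: {p['filename'] or p['content_type']}" for p in parts if p["risky"]]
    return {"hops": hops, "identities": ids, "auth": auth, "parts": parts, "findings": findings}
```

Run `triage(open("suspect.eml", "rb").read(), "your-mx-authserv-id")` on an exported message; on the constructed sample it reports four findings (unaligned Return-Path, redirected Reply-To, DMARC failure at the trusted MTA, and the executable attachment) and ignores the forged second Authentication-Results header. The first hop shows the typical pattern of a private HELO name with the public connecting IP recorded by the submission server.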

13. X-Originating-IP

  • Purpose: A non-standard header some webmail services and mail servers add to record the IP address of the client that submitted the message.

  • Use in Investigation:

    • Can identify the sender's network, ISP or rough geographic location when the address is public. A private address such as the one below only tells you the client sat behind NAT on an internal network.

    • Because it is optional and client-side headers can be forged or stripped, corroborate it with the first trusted Received line rather than relying on it alone.

  • Example:

    X-Originating-IP: [192.168.1.1]

14. X-Mailer

  • Purpose: Indicates the software or tool used to send the email.

  • Use in Investigation:

    • Can provide hints about custom or malicious tools used.

  • Example:

    X-Mailer: Microsoft Outlook 16.0

15. Received-SPF

  • Purpose: Added by the receiving MTA to record the outcome of its SPF check on the envelope sender domain, usually with the evaluated domain, the connecting IP and the reason in parentheses.

  • Use in Investigation:

    • A fail or softfail indicates the connecting IP is not authorized for the envelope domain, which usually means spoofing or a misconfigured sender. Confirm which server added the header; like any header below your own MTA's, it can be forged by the sender.

  • Example (hosts and IP are illustrative):

    Received-SPF: fail (mx.company.com: domain of fakebank.com does not designate 198.51.100.25 as permitted sender) client-ip=198.51.100.25;

16. X-Received

  • Purpose: Added by Google's mail servers (Gmail and Google Workspace) for hops inside their infrastructure; the format mirrors a Received line.

  • Use in Investigation:

    • Helps trace the path through Google's infrastructure and gives an extra timestamp to compare with the Date header and the standard Received lines; its presence also confirms the message passed through Google.

  • Example:

    X-Received: by 10.200.10.1 with SMTP id abcdef123; Wed, 18 Dec 2024 15:00:00 -0800 (PST)

17. X-Spam-Status

  • Purpose: Added by SpamAssassin-style filters to record whether the message was flagged as spam, the score it received, the threshold, and the rules that fired.

  • Use in Investigation:

    • Explains why a message was, or was not, classified as spam: the tests list shows which rules matched.

    • A low score on a confirmed phishing message shows which evasions worked against the filter and what rules or thresholds need tuning.

  • Example:

    X-Spam-Status: Yes, score=7.5 required=5.0 tests=HTML_MESSAGE,URI_HEX

18. Thread-Index

  • Purpose: A Microsoft Outlook/Exchange header that encodes the conversation thread the message belongs to; each reply extends the parent's value.

  • Use in Investigation:

    • Useful for reconstructing email chains in phishing or spear-phishing attacks, for example to confirm whether a "reply" in a thread-hijacking campaign actually descends from the original conversation or only imitates it.

  • Example:

    Thread-Index: AQHWPjDK5kB5lBSEyUSnmA==

19. List-Unsubscribe

  • Purpose: Provides a mechanism (a mailto: address or a URL) for users to unsubscribe from mailing lists; large mailbox providers expect it on bulk mail.

  • Use in Investigation:

    • Attackers include it to make a phishing message look like legitimate bulk mail and to pass filter heuristics; the unsubscribe URL may itself be a tracking or credential-harvesting link. Do not follow it during triage; examine the address or domain it points to instead.

  • Example:

    List-Unsubscribe: <mailto:unsubscribe@example.com>

Email Header Analyzers

  • Google’s Message Header Analyzer (https://toolbox.googleapps.com/apps/messageheader/):

    • Analyze email headers for DKIM, SPF, and DMARC results.

    • Quickly interpret mail relay paths and DKIM results.

  • Microsoft Message Header Analyzer (https://mha.azurewebsites.net/):

    • Parses email headers and DKIM signatures for emails sent to Microsoft-based systems such as Office 365.

    • Helps check DKIM, SPF, and DMARC configurations.

    • Useful for both analysis and ensuring proper outbound email configuration.

  • Mail-tester (https://www.mail-tester.com/):

Email Forensics Tools

  • MailXaminer:

    • Email forensic tool that can analyze headers, DKIM signatures, attachments, and embedded links.

    • Supports various email file formats like PST, MBOX, and EML.

  • Paraben E3 Email Investigator:

    • A comprehensive tool for email forensic investigations.

    • Allows in-depth analysis of email metadata, attachments, and authentication mechanisms.

Command-Line Tools

  • DKIMpy (Python Library) (https://github.com/quantumew/dkimpy):

    • Parse and validate DKIM signatures.

    • Useful for automating DKIM checks as part of a forensic workflow.

  • Dig:

    • Verify DKIM public keys manually using DNS lookups. The name to query is built from the s= (selector) and d= (domain) tags of the DKIM-Signature header: <selector>._domainkey.<domain>.

    • Example Command:

      dig +short TXT selector1._domainkey.example.com

Email Sandbox Platforms

  • Any.Run (https://any.run/):

    • Dynamic analysis of suspicious email attachments.

    • Observe behaviors like outbound connections that might indicate malicious activity.

  • Cuckoo Sandbox:

    • Analyze email attachments or payloads in a controlled environment.
