Adventures in Email Forensics

METASPIKE CTF

Challenge – It’s About Time (0)

Downloading the file gets us an EML file, which is fortunately readable in many different programs. It’s essentially a text file and thus easily editable. I don’t have a lot of tools set up on my laptop right now due to an O/S reload, so I opened the file in Notepad++.

There is a lot of great information we can look at in here (X-Headers, DKIM, SPF), but on the face of it nothing stood out for me. I did end up guessing this answer as F for fake given the theme of the challenge. A bit of googling later leads me to a great writeup by Phill Moore over at thinkdfir.com. His conclusion was based on an X-Mailer string anomaly. The X-Mailer field shows the software used to send the message. The version of Chrome listed (87.0.4280.67) was not released until Nov 2020, but the timestamps in the e-mail are from Mar 2016. A message cannot have been sent by software that did not yet exist, so this is a good indicator that the timestamps have been changed. Reflecting back on the challenge title also leads us to believe that maybe the timestamps cannot be trusted.
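The check Phill Moore applied by hand can be scripted: parse the Date header and the Chrome build named in X-Mailer, then compare the claimed send time with the earliest date that Chrome major version could have existed. The example below is added here and is not code from the post, the CTF or thinkdfir.com. The message it parses is a constructed stand-in for the challenge file (headers only, same anomaly), and the release-date table holds a single entry for Chrome 87, set to 1 Nov 2020 as a conservative lower bound for the "Nov 2020" the post names; extending the table with further major versions is left to the reader.

```python
import email
import re
from datetime import datetime, timezone
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample message (NOT the CTF file): a 2016 Date header paired with a
# Chrome 87 User-Agent in X-Mailer, mirroring the anomaly described in the post.
SAMPLE_EML = """From: Alice <alice@example.invalid>
To: Bob <bob@example.invalid>
Subject: Re: schedule
Date: Tue, 15 Mar 2016 10:12:33 +0000
Message-ID: <constructed-1@example.invalid>
X-Mailer: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36
Content-Type: text/plain; charset=utf-8

Looking forward to it.
"""

# Earliest plausible stable-release date per Chrome major version (assumption: only
# Chrome 87 is listed, taken as the first day of the month the post cites, so any
# Date header before it is impossible regardless of the exact release day).
CHROME_MAJOR_EARLIEST_RELEASE = {
    87: datetime(2020, 11, 1, tzinfo=timezone.utc),
}

CHROME_VERSION_RE = re.compile(r"Chrome/(\d+)\.(\d+)\.(\d+)\.(\d+)")


def chrome_version(x_mailer):
    """Return the 4-part Chrome version found in an X-Mailer string, or None."""
    match = CHROME_VERSION_RE.search(x_mailer or "")
    return tuple(int(part) for part in match.groups()) if match else None


def claimed_send_time(msg):
    """Parse the Date header to an aware datetime (UTC assumed if no zone), or None."""
    raw = msg["Date"]
    if raw is None:
        return None
    try:
        sent = parsedate_to_datetime(str(raw))
    except (TypeError, ValueError):
        return None
    # parsedate_to_datetime yields a naive datetime for "-0000"; normalise to UTC
    # so it can be compared with the aware release dates.
    return sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)


def check_timestamp_consistency(raw_eml):
    """Compare the Date header with the X-Mailer software's earliest release date.

    Returns a dict with the parsed values, a list of findings and a verdict of
    'inconsistent' (Date predates the software), 'consistent' or 'undetermined'.
    """
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sent = claimed_send_time(msg)
    version = chrome_version(msg["X-Mailer"])
    release = CHROME_MAJOR_EARLIEST_RELEASE.get(version[0]) if version else None

    findings = []
    if sent is None:
        findings.append("missing or unparseable Date header")
    if version is None:
        findings.append("no Chrome version in X-Mailer")
    elif release is None:
        findings.append(f"Chrome {version[0]} not in release table")

    if sent is not None and release is not None:
        if sent < release:
            verdict = "inconsistent"
            findings.append(
                f"Date {sent.date()} predates earliest Chrome {version[0]} "
                f"release {release.date()}: timestamps were likely altered"
            )
        else:
            verdict = "consistent"
    else:
        verdict = "undetermined"

    return {"date": sent, "chrome_version": version, "release": release,
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    result = check_timestamp_consistency(SAMPLE_EML)
    print(result["verdict"])
    for line in result["findings"]:
        print(" -", line)
```

Run against the constructed message it reports `inconsistent`, because a March 2016 Date header cannot have come from a November 2020 browser build. The same comparison extends to any header that embeds a software version (User-Agent, Received lines naming an MTA release), provided the release table is kept accurate; an `undetermined` verdict means the check could not be applied, not that the timestamps are trustworthy.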
