METASPIKE CTF
Challenge – It’s About Time (0)

Downloading the file gets us an EML file, which is fortunately readable in many different programs. It's essentially a text file and thus easily editable. I don't have a lot of tools set up on my laptop right now due to an O/S reload, so I opened the file in Notepad++.

There is a lot of great information we can look at in here (X-Headers, DKIM, SPF), but on the face of it nothing stood out for me. I did end up guessing this answer as F for fake, given the theme of the challenge. A bit of googling later leads me to a great writeup by Phill Moore over at thinkdfir.com. His conclusion was based on an X-Mailer string anomaly. The X-Mailer field shows the software used to send the message. The version of Chrome listed (87.0.4280.67) was not released until Nov 2020, but the timestamps in the e-mail are from Mar 2016. This is a good indicator that the timestamps have been changed. Reflecting back on the challenge title also leads us to believe that maybe the timestamps cannot be trusted.
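To make the X-Mailer-versus-Date check above repeatable, here is an added example (not part of the original writeup or the CTF file): it parses an EML, pulls the Chrome major version out of X-Mailer, and flags a Date header that predates that build's stable release. The sample headers and the release-date table are constructed for this example.

```python
import re
from datetime import date
from email import policy
from email.parser import BytesParser

# Constructed EML: March 2016 timestamps but a Chrome 87 user agent in X-Mailer.
SAMPLE_EML = b"""\
From: alice@example.com
To: bob@example.com
Subject: Quarterly numbers
Date: Tue, 15 Mar 2016 10:22:41 +0000
X-Mailer: WebMailClient (Mozilla/5.0 (Windows NT 10.0; Win64; x64)
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.67 Safari/537.36)

Please see the attached figures.
"""

# First stable release date per Chrome major version (assumed from public
# release history; extend the table for other versions you encounter).
CHROME_STABLE_RELEASE = {
    49: date(2016, 3, 2),
    87: date(2020, 11, 17),
}
CHROME_RE = re.compile(r"Chrome/(\d+)\.\d+\.\d+\.\d+")

def chrome_major_version(x_mailer):
    """Return the Chrome major version named in an X-Mailer value, or None."""
    m = CHROME_RE.search(x_mailer or "")
    return int(m.group(1)) if m else None

def check_mailer_vs_date(raw_eml):
    """Compare the Date header with the release date of the claimed Chrome build."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_eml)
    sent = msg["Date"].datetime.date()  # policy.default unfolds and parses headers
    major = chrome_major_version(msg["X-Mailer"])
    if major is None:
        return "no-chrome-version", "X-Mailer carries no Chrome/ token"
    released = CHROME_STABLE_RELEASE.get(major)
    if released is None:
        return "unknown-version", f"no release date on file for Chrome {major}"
    if sent < released:
        return "anomalous", f"Date {sent} predates Chrome {major} ({released})"
    return "consistent", f"Date {sent} is on or after the Chrome {major} release"

if __name__ == "__main__":
    print(check_mailer_vs_date(SAMPLE_EML))
```

The same comparison works for any header that names versioned client software; only the release table changes.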