Metaspike CTF, Week 1

ctf, digital forensics

Question 1

I used the following resources from Metaspike:
Message Read Status
Message ID Timestaps

I processed the evidence file using X-Ways Forensics after decompressing the .zip file. I could have processed the evidence file as is if created a Refined Volume Snapshot using the following options:

To be able to get to the .mbox file, I need to Include contents of the file archives.
To Extract e-mail messages and attachments from the .zip file, that box is also checked.
The checkbox to Verify file types with signatures and algorithms assists with verifying the .eml files within the .mbox file when extracting the email messages, which is shown in the Type and Type status column in the Directory Browser.

Based on the information from the Investigating Message Read Status in Gmail & Google Workspace blog post, I determined I needed to search the contents of this Takeout for the values under the header field, ‘X-Gmail-Labels:‘.

Using Simultaneous Search, I searched for ‘, opened’. That yielded two results – one for the entire .mbox file, and another for the .eml file, ‘Numerical Values.eml’, extracted by X-Ways Forensics.

The flag is the header field, ‘Message-ID:’, so I switched from File Mode to Preview Mode using the Raw submode to clean up the view to find the Message-ID header field.

ed102783e87fee61c1a534a9d.3e6e597ee0.20211105194751.39849bd368.47d20790@mail199.atl61.mcsv.net

Question 2

If it’s assumed that there is anomalous header field in Numerical Values.eml, I imagine that I could compare it to another email.

By selecting the .mbox file and switching to Preview Mode, I get a generic view that displays the emails’ information. Reviewing the header fields from Numerical Values.eml, I know the email is from “dave@daventics.com.” I just need to start with one comparison, so I picked the email with the subject, “Canon Fodder.”

I recover/copied both files with XWF and saved them locally. I then compared the two files in a text editor. I used NotePad++ with the Compare plugin.

Looking for “odd” header fields, I noted that line 84 in Numerical Values.eml had a header field that Canon Fodder.eml did not. I didn’t know what I was looking, but I can enter a few keywords in Google to figure that out.

Using the Content-Length Header Field in Email Forensics

The header field, Content-Length, does not appear typical for Gmail. After a quick search to see if any other email contained that header field, Numerical Values.eml is the only message where it is present. I accepted Content-Length: as my answer.

Advertisement

Published by Derek Eiri

Published

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.