I recently “rediscovered” Autopsy. Used the webversion on Debian way back. Great product!!!
For me e-mail handling is the most important part of my work (anti cartel authority/ enforcing competition law / economic crimes). According to the help file, Autopsy recognises MBOX and PST as mail. In my environment I meet lots of MSG, EML and EMLX files. Is there a way to have Autopsy recognise, treat and analyse them as e-mail?
Thanks,
Remco Siderius
Hi remmilou, The answer to your question is yes. AF has an option to look specifically for extensions. You can either use Interesting Files or Ingest to make AF look for your specific extension. Go to the following path:
Tools>Options> (either) Interesting files or Ingest. Select “new set” for Ingest then in the sub option, put in the extension you are looking for.
After you have the extensions you are looking for entered, restart AF and run the respective ingest module against your image. Make sure if you select either Interesting Files or Ingest, on the Ingest screen, you ensure it is checked along with the Ingest Module you just created.
After AF finds the files, you can export and view in another program or open them in external viewer see the results.
Hope this helps
Sam Pepenella
Thanks for the super fast reply.
I will try this as soon as possible.
Remco
Hi Remco,
As far as I know Autopsy will not parse out any msg, eml or emlx loose files. Are you wanting to take advantage of the new communications manager that is in Autopsy? If you are then maybe I can create an Autopsy Python Plugin for you. Send me a message if you would like to discuss this further.
Kind regards.
Mark
Hi Mark. Thanks for responding and your offer:
My first aim is to see pst, mbox, eml, msg and so on, “integrated” as e-mail. So I can put all these together in a timeline for instance. Now I do timelining of mail with opensource (java) “Timeflow” (which is also built in in several other products).
Another thing I would like to achieve is export selected (tagged) mails only as msg or eml. (must be able to keyword search in mailbody AND attachements for selecting). In that case I parse them out with other tools (such as readpst) and then build a case from these loose files.
Now I have to do this selection process completely outside of Autopsy, with a stand alone indexer (recoll).
I’m aware that this is not intended use of Autopsy. If this can be achieved with a relatively simple plugin OK. But I do not want to be accused of littering a great product.
I have the tools for most of my work. Integration in Autopsy will make my work much more efficient…
Thanks again,
Remco Siderius
Hi Sam,
I will not be able to test your suggestion very soon. We had a lightning strike that blew up (at least) the graphics card of my pc. Will take some time to get this serviced.
I’m testing this at home and not at my work. At my work the think open source can’t be OK.
Remco
No worries…when you have a chance and need any further assistance please let me know, I’d be happy to help.
Hi Sam,
Just put a Windows with Autopsy on my old MacBook. Slow, but it works…
Tried your suggestion. I now have a seperate categorie of files, but I still do not see it as e-mail in a timeline, nor does it show any attachments…
Remco
Hi Mark,
I was able to test some more and have a clearer view of what I really want…-
It’s indeed in the communications manager that I would like to have the EML’s and MSG’s show up.
Sorry I was not clear in this in my first question.
Furthermore, I would like to see the attachments from theses files.
Thanks for any help,
Remco
What I do is download a viewer for that specific email file, such as an OST, PST, EML… I download a viewer and attach it in the options of Autopsy or export the file and view it in the viewer and I can see all aspects of the email. What is the email file format you are looking for?
Hi Sam,
I see… I’m able to view EML and MSG formatted files in more or less native format. Same for PST and even NSF. I’ve got enough free and open source tools for that in my toolbox.
My problem is that Autopsy does not recognize these types as e-mail communication and that the attachments are not extracted as files, nor that these files show up in a timeline (time based on the send date) under communications.
I’ve got ways to analyze mail data outside of Autopsy, by first exporting them (libpst), but my aim is to analyze then inside Autopsy, integrated with other communications and files.
Hope this clarifies my question.
As said before, If this is not relatively easy I will go on analyzing outside of Autopsy.
And it makes no sence littering a product with features no one else is interested in…
Thanks anyway!!!
Hi Remco,
I have created an EML parser that will look for all EML files in an image and then read them into Autopsy as a email message, it also includes attachments as well. You can find the plugin here https://github.com/markmckinnon/Autopsy-Plugins/tree/master/EML_Parser. If you have not added any python plugins before let me know and I can tell you how to get it installed. I have tested it on some EML files I had and it seems to work for me so let me know if it works for you.
Kind regards.
Mark
Hi Mark. That sounds as the solution. More than I could hope for. Thanks.
I will download it ASAP and try.
I have indeed never added any Python plugin. As said in my question I have used Autopsy 2 on Linux way back, but I am new to Autopsy 4. I’ve got 16 years of experience in computer forensics… FTK, EnCase, review platforms (NUIX, Intella…), XRY, UFED. At my work (Government) they do not trust open source. I will try to introduce Autopsy as my last act before quitting. With a mail parser it might make a chance.
A big thanks.
Remco
Thanks Mark, Ill have to d/l that and add it.
Hi Mark, tried to install your plugin, but failed misarably.
I took your othrer installer and added this pugin afterwards in the what I took for the right directory.
Will go on holiday now and will not be back before august.
I’m also busy with Freeeed. Took me also a lot of time (very interesting free e-discovery project b.t.w.)
Hi all,
I’m using/testing EML-Parser tool.
EML-parser tool seems to work in almost all cases but … there is “crash” when attached files are named with some “unfrequent” character as :
- ° character
- ’ (acute apostrophe) or
- ’ (apostrophe)
- …
Consider, for example, a mail with a pdf file attached (note " ° " character) named :
TEST_ITALUM - N° 1- Copia.pdf ( replicating real case test as “invoice N°1”, “invoice N°2”, …)
EML-Parser crashes with a : “IOError: [Errno 13] Permission denied”
With log analysis I realize that :
TEST_ITALUM - N° 1- Copia.pdf ==> TEST_ITALUM - =?UTF-8?B?TsKw?= 1- Copia.pdf
Any suggestion ? I’ve a lot of mail with unfrequent character in filename. attacched files …
Let me know if you need additional information (detailed log , or my eml case-test, …)
Thanks in advance.
Luca
Traceback (most recent call last):
File “C:\Users\Luca\AppData\Roaming\autopsy\python_modules\EML_Parser\EML_Parser.py”, line 171, in process
eml.processEmls()
File “C:\Users\Luca\AppData\Roaming\autopsy\python_modules\EML_Parser\EML_Parser.py”, line 454, in processEmls
msg = self.extract(f, f.name, self.attachmentPath)
File “C:\Users\Luca\AppData\Roaming\autopsy\python_modules\EML_Parser\EML_Parser.py”, line 419, in extract
Text, Html, Files, Parts, Attachments = self.pullout(m, key, filePath)
File “C:\Users\Luca\AppData\Roaming\autopsy\python_modules\EML_Parser\EML_Parser.py”, line 401, in pullout
t, h, f, p, att = self.pullout(pl, key, filePath)
File “C:\Users\Luca\AppData\Roaming\autopsy\python_modules\EML_Parser\EML_Parser.py”, line 364, in pullout
self.saveFile(os.path.basename(cfn), m.get_payload(decode=True), filePath)
File “C:\Users\Luca\AppData\Roaming\autopsy\python_modules\EML_Parser\EML_Parser.py”, line 318, in saveFile
file = open(os.path.join(filePath, fn), “wb”)
IOError: [Errno 13] Permission denied: u’T:\DEFECT\ModuleOutput\Email-Eml\4-02 22_09_2019 - Test piripacchio.TEST_ITALUM - =?UTF-8?B?TsKw?= 1- Copia.pdf’
I will take a look at it and get back to you on it.
Mark
Hi Mark,
thank you so much for responding.
Luca
The next release (first week of Oct) will have EML support. We’re using a different library than Mark did, but we’ll test this scenario you just described.
This is really good news!
In October I expect to have a case with lots of eml files…
Thanks to all for picking this up!