Lab: Manual Artifact Extraction Solution Flashcards
Lab Overview
In this activity, you will be manually collecting artifacts from safe phishing emails. The Mozilla Thunderbird email client can be used for viewing the emails, and the Sublime Text 2 text editor for looking at the .eml files directly. Manually collecting artifacts using a client and a text editor is a core skill for phishing analysis, as not all organizations will have access to tools that can automatically retrieve email, web, and file-based artifacts.
The only tools you need for this lab are the Mozilla Thunderbird email client and Sublime Text 2. Launch either tool and drag the emails in, or right-click an email, select ‘Open With’, and choose one of these two tools.
If you are prompted to log into Thunderbird, close this prompt and you’ll be able to use it without an account.
Question 1 - Email One - What is the sending address?
Opening the email in Sublime Text, we can use the Find feature (CTRL+F) to search for the “From” header and read its value.
Question 2 - Email One - What is the recipient address?
For this question we’ll look for the “To” field and its value.
Question 3 - Email One - What is the subject line?
For this question we’ll look for the “Subject” field and its value.
Question 4 - Email One - What is the date and time the email was received? (Retrieve this via text editor. Format: DD MonthName YYYY XX:XX:XX)
For this question we’ll look for the “Date” field and its value.
Question 5 - Email One - What is the sending server IP address?
For this question we’ll search for the “X-Sender-IP” field and its value.
Question 6 - Email One - What is the hostname of this IP address? (Reverse DNS Lookup)
Taking the IP from the previous question, we’ll open the site https://whois.domaintools.com and perform a search. The resolved hostname is shown in the lookup results.
Question 7 - Email One - What is the full URL hyperlinked within this email?
The easiest way to retrieve this artifact is to (carefully) right-click the hyperlink when viewing the file in an email client, and select ‘Copy Hyperlink’ (or a similar option).
Question 8 - Email Two - What is the sending address?
Same as before, we’ll use Find and search for “From”.
Question 9 - Email Two - What is the recipient address?
Searching for the “To” field and value.
Question 10 - Email Two - What is the subject line?
Searching for the “Subject” field and value.
Question 11 - Email Two - What is the date and time the email was received? (Retrieve this via text editor. Format: DD MonthName YYYY XX:XX:XX)
Searching for the “Date” field and value.
Question 12 - Email Two - What is the sending server IP address?
Searching for the “X-Sender-IP” field and value.
Question 13 - Email Two - What is the hostname of the sending server IP? (Reverse DNS Lookup)
Using the IP from the previous question, we’ll submit it to https://whois.domaintools.com.
Question 14 - Email Two - What is the full file name? (name + extension)
There are two ways we can get the file name. From within the text editor we can search for “filename”.
Within an email client, the attachment name is shown somewhere in the interface. The location and style vary depending on the client: Outlook, for example, shows the attachment details at the top of the email, while Thunderbird shows them at the bottom.