Hello, I'm Didier Stevens, Senior Handler with the Internet Storm Center, and in this video I want to show you how I analyze email files. So we regularly get contributors that send us samples. Sometimes they are sent as a complete email and as an MSG file, so an email that was saved to file in Outlook, and those MSG files are actually OLE files. So you can analyze them with oledump, and that's what I'm going to do here. So I run oledump here on a sample like this, and then you can see that it contains a lot of streams. And here in the beginning you see streams that start with "attach". So they probably contain attachments; here you can see a large stream, so this is probably the attachment of the email. And then a lot of other streams that contain very little data. Here one with more data, 43, and here two others. So let's take a look into 43 and then 53. So oledump, select 43, do an ASCII dump. And I'm just going to show the beginning, like this. And here you can see that it's actually the headers. And that's also why I only started to display the beginning, because I don't want to disclose the email of the person who sent this to us. It's also Unicode; you can see that with the zeros here between the ASCII characters. But we will see how to decode this with another example, and that is as we look at stream 53. Remember, 53 was another stream. And here you can see also Unicode. So this looks like the body of the email. And indeed, here, that's the body of the email. It's Unicode, so I can translate this, decode this, like this. And here now you can see the body of the email. So what I did here is trial and error, to dig into the email to try to find what I need to know. But there is also a method that can be followed, and it's the following. All those hexadecimal numbers here actually indicate what is contained in the different streams, and you can look that up. But I wrote a plugin, plugin_msg, so with option -p I can load the plugin.
And this will help us understand this. Now I'm also going to pipe this into a function, a Python program that will anonymize some of the metadata, like this. And now you can see that all the streams are listed, but then here also that each time the plugin ran, you get information from the plugin. For example here stream 3, that we suspected to contain the attachment: indeed, it contains the attachment. So this code here, hexadecimal 3701, find it back here in the output from the plugin: 3701, that is attachment data. So 3701 stands for attachment data. And 0102 indicates that this is binary data. And here I also output the beginning of the stream content, and you can see that it's "RAR" followed by an exclamation mark. So this is probably an archive in RAR format. Here another stream, 3704, that is the file name of the attachment. So dsl_6526.RAR, also in Unicode. Here is a long file name, also Unicode: pdf.z.RAR, that's the extension. So you get a lot of data like this. Now, to make this information a bit more condensed, you can use option -q, quiet. And this instructs oledump just to output the results of the plugin and nothing more. You see, like this it's a bit more condensed. So here we can quickly see, for example, the sender email, the name of the recipients, Carlos Almed. Carlos frequently sends us samples, so thank you Carlos for that. The subject here, "dhl documents urgent", and all kinds of other information. You can even condense this more, because you can see here that some of the streams have question marks. And that's because the code here, like 0071, is not a code that I know. So the plugin will then not be able to say what the content is, and it is unknown; the question mark is the indication for unknown content. And you can also filter that out with a plugin option. So that's an option that we are going to pass to the plugin, and you do that with plugin options, and then option k for known data.
And I have to surround this in double quotes here so that it is passed on (I made a typo there: options), so that it is passed on to the plugin and not to oledump, like this. And then you get a very succinct overview of what can be found in this email: all the known information; everything is Unicode here; what type it is (not everything, here you have binary data); and all the information.
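As an added example (not Didier Stevens' code and not his plugin_msg), the Python below applies the method described in the video: it splits an MSG property stream name into its hexadecimal property id and property type, labels the ids it knows, decodes Unicode (UTF-16LE) values, marks unknown ids with a question mark and can drop them the way the known-data plugin option does. The stream names and contents are constructed stand-ins for what oledump lists, and the small property table is an assumed subset of the MAPI tags.

```python
import re

# Small subset of MAPI property tags (the hex codes seen in the MSG stream names); assumed table
KNOWN_PROPERTIES = {
    0x0037: "subject",
    0x007D: "transport message headers",
    0x1000: "body",
    0x3701: "attachment data",
    0x3704: "attachment filename",
    0x3707: "attachment long filename",
}
# The property type is the low word of the stream name: 001F is Unicode text, 0102 is binary
PROPERTY_TYPES = {0x001F: "unicode", 0x0102: "binary"}
STREAM_RE = re.compile(r"__substg1\.0_([0-9A-F]{4})([0-9A-F]{4})$", re.I)

def parse_stream_name(name):
    """Split '__substg1.0_PPPPTTTT' into (property id, property type); None for other streams."""
    match = STREAM_RE.search(name)
    return (int(match.group(1), 16), int(match.group(2), 16)) if match else None

def decode_property(ptype, data):
    """Unicode properties are UTF-16LE (the zero bytes between the ASCII characters)."""
    if ptype == 0x001F:
        return data.decode("utf-16-le").rstrip("\x00")
    return data  # binary and unknown types stay raw

def looks_like_rar(data):
    """RAR archives begin with the 'Rar!' signature."""
    return data.startswith(b"Rar!\x1a\x07")

def describe_streams(streams, known_only=False):
    """streams: {stream name: bytes}; returns (id, type, label, value) rows, '?' for unknown ids."""
    rows = []
    for name, data in streams.items():
        parsed = parse_stream_name(name)
        if parsed is None:
            continue
        pid, ptype = parsed
        label = KNOWN_PROPERTIES.get(pid, "?")
        if known_only and label == "?":  # mimic the plugin's known-data filter
            continue
        rows.append((pid, PROPERTY_TYPES.get(ptype, "?"), label, decode_property(ptype, data)))
    return rows

# Constructed sample streams standing in for oledump's output; not taken from a real message
SAMPLE_STREAMS = {
    "__substg1.0_0037001F": "DHL documents urgent".encode("utf-16-le"),
    "__substg1.0_3704001F": "dsl_6526.RAR".encode("utf-16-le"),
    "__substg1.0_37010102": b"Rar!\x1a\x07\x00" + b"\x00" * 16,
    "__substg1.0_0071001F": b"\x01\x00",  # id 0071 is not in the table, so it is reported as '?'
}
```

Running `describe_streams(SAMPLE_STREAMS, known_only=True)` gives the condensed view from the end of the video: three labelled rows, with the 0071 stream dropped.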