Hello, I'm Didier Stevens, senior handler with the Internet Storm Center. I showed you before, here at the Internet Storm Center, how to analyze Outlook message files, MSG files, with my oledump tool and a dedicated plugin, MSG. Now I made a new plugin for some research that I did, and this plugin gives you summaries of emails, so let's look.

So it's called plugin summary, plugin MSG summary. I give it an MSG file and then I get output like this. So I see all the streams and at the end I see a summary. Now I can get rid of all those streams by using option q, quiet. So then oledump will not output any data, any results. It's only the plugin output that you see, like this.

So what we see here is that the header is in stream 42, and here are some pieces of data that I get out of the header. The body is in stream 54 and there is one attachment. It's in stream 3. It's an XLSM file, 95000 bytes, and here is the SHA256 of that file. So now you know immediately that there is an attachment and it is in stream 3. So you can just dump: oledump, select stream 3, and dump it. And since I know that this here is an XLSM file or XML file with macros, I can pipe this again into oledump and then I can see the stream with macros of that attachment.

Now the old plugin, so plugin MSG, that one would list you all the streams and then, for each stream that there is, produce output. And that is because I had to create a new plugin to have this summary, because it's a new type of plugin. I implemented, for the research that I did, a new framework for plugins. So the existing framework for plugins will instantiate an object, instantiate the plugin, for each stream. So each time that there is a stream, you see that the plugin is running here, plugin MSG, each time. And there is no data or information that can be transferred or shared between invocations here.
And that has changed in the new plugin framework. The old one is still there, it's still supported, you can still use it, and the existing plugins still work. But there is also a new plugin framework, and that one instantiates the plugin, the object, each time for an OLE file. So not for every individual stream but for the complete OLE file. And so you can have a gathering of information and a summary, for example, at the end of the processing of all the streams.

That plugin also comes with options. So plugin MSG summary, plugin options, and if you give it option h you get help. So you will see what the different options are. Again, here I get all the streams, so let me use option quiet, q. So you can print the body, print the header and also produce JSON output. And those are the actual features of this plugin. So let's try that out. JSON: so you get the same type of output as you would get from the plugin, but now in JSON format. You can also get the body. So you get the summary output and then here you see the body. And the same for the headers, uppercase H, and then here you have the headers.

So to summarize: oledump, quiet, plugin summary 5. There is an attachment, a number of attachments starting from 0. The attachment is in stream index 3, and so you can extract it. To find this with the first plugin that I made for MSG files, you actually have to take a close look at the output like this, and here you can see BIN Attachment data. So this means that this is the stream that contains the attachment, and for the name you have to see UNI Attach filename and UNI Attach long filename. So you have different pieces of information here, presented per stream; with the new plugin, that is all summarized in one output.
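
The per-file model described in the video, sketched as an added example (this is not oledump's code or its plugin API): one object sees every stream of an MSG file, so it can collect the header, body and attachment details and report them once at the end. The class and function names and the sample streams are assumptions made for illustration; the stream naming (`__substg1.0_` followed by property id and type) follows the MSG file format.

```python
import hashlib
import re

# MSG property streams are named __substg1.0_<4 hex property id><4 hex type>
SUBSTG = re.compile(r'__substg1\.0_([0-9A-F]{4})([0-9A-F]{4})$', re.I)
HEADERS, BODY, ATT_DATA, ATT_LONGNAME = 0x007D, 0x1000, 0x3701, 0x3707

class PerFileSummary:
    """Hypothetical per-file plugin: one instance for all streams of one file."""
    def __init__(self):
        self.summary = {'header': None, 'body': None, 'attachments': {}}

    def process(self, index, path, data):
        m = SUBSTG.search(path[-1])
        if not m:
            return
        prop, ptype = int(m.group(1), 16), int(m.group(2), 16)
        if path[0].lower().startswith('__attach_version1.0_#'):
            # State shared between streams: data and name arrive separately
            att = self.summary['attachments'].setdefault(path[0], {})
            if prop == ATT_DATA:
                att.update(stream=index, size=len(data),
                           sha256=hashlib.sha256(data).hexdigest())
            elif prop == ATT_LONGNAME and ptype == 0x001F:  # UTF-16LE text
                att['name'] = data.decode('utf-16-le', errors='replace')
        elif len(path) == 1 and prop == HEADERS:
            self.summary['header'] = index
        elif len(path) == 1 and prop == BODY:
            self.summary['body'] = index

    def post_process(self):
        # Runs once, after the last stream: this is where the summary is built
        atts = list(self.summary['attachments'].values())
        return {**self.summary, 'attachments': atts}

def summarize(streams):
    plugin = PerFileSummary()  # instantiated once per file, not per stream
    for index, (path, data) in enumerate(streams, start=1):
        plugin.process(index, path, data)
    return plugin.post_process()

# Constructed sample streams (not taken from a real message)
ATT = '__attach_version1.0_#00000000'
SAMPLE = [
    ([ATT, '__substg1.0_37010102'], b'PK\x03\x04 constructed attachment bytes'),
    ([ATT, '__substg1.0_3707001F'], 'invoice.xlsm'.encode('utf-16-le')),
    (['__substg1.0_007D001F'], 'Subject: constructed\r\n'.encode('utf-16-le')),
    (['__substg1.0_1000001F'], 'Constructed body'.encode('utf-16-le')),
]

if __name__ == '__main__':
    print(summarize(SAMPLE))
```

A per-stream plugin could not produce this result, because the attachment name and the attachment data live in different streams and nothing would carry state from one invocation to the next.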