email-forensics
Email Forensics
Comprehensive email forensics skill for analyzing email messages, mailbox archives, and email metadata. Enables investigation of phishing attacks, business email compromise (BEC), email spoofing, and extraction of forensically valuable artifacts from email data.
Capabilities
- Mailbox Parsing: Parse PST, OST, MBOX, EML, and MSG files
- Header Analysis: Deep analysis of email headers and routing
- Attachment Extraction: Extract and analyze email attachments
- Phishing Detection: Identify phishing indicators and techniques
- Spoofing Detection: Detect email spoofing and impersonation
- Link Analysis: Extract and analyze URLs in email content
- Timeline Generation: Create email-based communication timeline
- Thread Reconstruction: Rebuild email conversation threads
- Metadata Extraction: Extract sender, recipient, and routing metadata
- Authentication Analysis: Analyze SPF, DKIM, and DMARC results
Quick Start

```python
from email_forensics import EmailAnalyzer, MailboxParser, PhishingDetector

# Parse mailbox file
parser = MailboxParser("/evidence/mailbox.pst")
emails = parser.get_all_messages()

# Analyze single email
analyzer = EmailAnalyzer()
analysis = analyzer.analyze_file("/evidence/suspicious.eml")

# Detect phishing
detector = PhishingDetector()
results = detector.scan_email(analysis)
```

Usage
Task 1: Mailbox Parsing
Input: Mailbox file (PST, OST, MBOX)
Process:
- Load and validate mailbox file
- Parse folder structure
- Extract messages
- Index metadata
- Generate mailbox summary
Output: Parsed mailbox with message inventory
Example:

```python
from email_forensics import MailboxParser

# Parse Outlook PST file
parser = MailboxParser("/evidence/user_mailbox.pst")

# Get mailbox info
info = parser.get_mailbox_info()
print(f"Mailbox type: {info.format}")
print(f"Total messages: {info.message_count}")
print(f"Total folders: {info.folder_count}")
print(f"Date range: {info.oldest_date} - {info.newest_date}")

# List folders
folders = parser.get_folders()
for folder in folders:
    print(f"Folder: {folder.name}")
    print(f"  Path: {folder.path}")
    print(f"  Messages: {folder.message_count}")
    print(f"  Unread: {folder.unread_count}")

# Get messages from folder
inbox = parser.get_messages(folder_path="Inbox")
for msg in inbox:
    print(f"[{msg.date}] From: {msg.sender}")
    print(f"  Subject: {msg.subject}")
    print(f"  To: {msg.recipients}")
    print(f"  Has attachments: {msg.has_attachments}")

# Search messages
results = parser.search(
    query="confidential",
    search_body=True,
    search_subject=True
)
for r in results:
    print(f"Match: {r.subject}")
    print(f"  Folder: {r.folder}")
    print(f"  Match context: {r.context}")

# Export messages
parser.export_messages(
    folder_path="Inbox",
    output_dir="/evidence/exported/",
    format="eml"
)

# Generate mailbox report
parser.generate_report("/evidence/mailbox_report.html")
```
Task 2: Email Header Analysis
Input: Email message (EML, MSG, or raw headers)
Process:
- Parse all header fields
- Analyze routing path
- Verify authentication
- Detect anomalies
- Generate header analysis
Output: Comprehensive header analysis
Example:

```python
from email_forensics import HeaderAnalyzer

# Analyze email headers
analyzer = HeaderAnalyzer()
analysis = analyzer.analyze_file("/evidence/suspicious.eml")

# Get basic headers
print(f"From: {analysis.from_address}")
print(f"To: {analysis.to_addresses}")
print(f"Subject: {analysis.subject}")
print(f"Date: {analysis.date}")
print(f"Message-ID: {analysis.message_id}")

# Analyze routing path
routing = analysis.get_routing_path()
for hop in routing:
    print(f"Hop {hop.number}:")
    print(f"  From: {hop.from_server}")
    print(f"  By: {hop.by_server}")
    print(f"  Time: {hop.timestamp}")
    print(f"  Delay: {hop.delay_seconds}s")

# Get authentication results
auth = analysis.get_authentication()
print(f"SPF: {auth.spf_result}")
print(f"  SPF domain: {auth.spf_domain}")
print(f"DKIM: {auth.dkim_result}")
print(f"  DKIM domain: {auth.dkim_domain}")
print(f"DMARC: {auth.dmarc_result}")

# Detect anomalies
anomalies = analysis.detect_anomalies()
for a in anomalies:
    print(f"ANOMALY: {a.type}")
    print(f"  Description: {a.description}")
    print(f"  Severity: {a.severity}")

# Get original sender (envelope)
envelope = analysis.get_envelope_info()
print(f"Envelope From: {envelope.mail_from}")
print(f"Envelope To: {envelope.rcpt_to}")

# Get X-headers
x_headers = analysis.get_x_headers()
for header, value in x_headers.items():
    print(f"{header}: {value}")

# Export analysis
analysis.export_report("/evidence/header_analysis.html")
```
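The routing, authentication and anomaly steps above, as an added stand-alone example that uses only the Python standard library and is not part of the email_forensics skill: it rebuilds the relay hops from the Received headers (with the delay between hops), parses Authentication-Results, and flags the alignment mismatches an analyst checks first. The sample message, its domains and the anomaly wording are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not real traffic): two relay hops, a Return-Path on a
# different domain than the header From, and mixed authentication results.
SAMPLE_EML = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.example.org (mx1.example.org [192.0.2.10])
    by inbox.example.org with ESMTP id abc123;
    Mon, 15 Jan 2024 10:00:30 +0000
Received: from relay.example.net (relay.example.net [198.51.100.5])
    by mx1.example.org with ESMTPS id def456;
    Mon, 15 Jan 2024 10:00:05 +0000
Authentication-Results: inbox.example.org;
    spf=fail smtp.mailfrom=mailer.example.net;
    dkim=pass header.d=mailer.example.net;
    dmarc=fail header.from=example.com
From: "Finance Team" <finance@example.com>
To: victim@example.org
Subject: Invoice
Message-ID: <1@mailer.example.net>

Please see the attached invoice.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.IGNORECASE)

@dataclass
class Hop:
    number: int
    from_server: str
    by_server: str
    timestamp: datetime
    delay_seconds: float

def load(text):
    return message_from_string(text)

def routing_path(msg):
    """Rebuild the relay path from Received headers, first hop first."""
    hops = []
    # Every relay prepends its own Received header, so the last one in the
    # message is the first hop the message took.
    for number, raw in enumerate(reversed(msg.get_all("Received") or []), start=1):
        text = " ".join(raw.split())  # unfold the header
        m = RECEIVED_RE.search(text)
        src, dst = (m.group("src"), m.group("dst")) if m else ("?", "?")
        ts = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        delay = 0.0 if not hops else (ts - hops[-1].timestamp).total_seconds()
        hops.append(Hop(number, src, dst, ts, delay))
    return hops

def authentication_results(msg):
    """Parse Authentication-Results into {method: {"result": ..., property: value}}."""
    results = {}
    text = " ".join((msg.get("Authentication-Results") or "").split())
    for part in text.split(";")[1:]:  # part 0 is the authserv-id
        tokens = part.split()
        if not tokens or "=" not in tokens[0]:
            continue
        method, result = tokens[0].split("=", 1)
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method] = {"result": result, **props}
    return results

def detect_anomalies(msg):
    """Flag the inconsistencies a header review looks for first."""
    anomalies = []
    header_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    envelope_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if envelope_domain and envelope_domain != header_domain:
        anomalies.append(f"envelope sender domain {envelope_domain} differs from From domain {header_domain}")
    auth = authentication_results(msg)
    # DMARC alignment: the SPF and DKIM domains should match the header From domain.
    for method, key in (("spf", "smtp.mailfrom"), ("dkim", "header.d")):
        domain = auth.get(method, {}).get(key, "").lower()
        if domain and domain != header_domain:
            anomalies.append(f"{method} domain {domain} is not aligned with From domain {header_domain}")
    if auth.get("dmarc", {}).get("result") not in (None, "pass"):
        anomalies.append("DMARC did not pass")
    for hop in routing_path(msg):
        if hop.delay_seconds < 0:  # a hop stamped earlier than its predecessor is worth a second look
            anomalies.append(f"hop {hop.number} timestamp precedes the previous hop")
    return anomalies

if __name__ == "__main__":
    msg = load(SAMPLE_EML)
    for hop in routing_path(msg):
        print(f"Hop {hop.number}: {hop.from_server} -> {hop.by_server} at {hop.timestamp} (+{hop.delay_seconds:.0f}s)")
    print(authentication_results(msg))
    for anomaly in detect_anomalies(msg):
        print("ANOMALY:", anomaly)
```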
Task 3: Phishing Detection
Input: Email message
Process:
- Analyze sender authenticity
- Check URLs for malicious indicators
- Analyze attachment risks
- Detect social engineering
- Calculate risk score
Output: Phishing analysis with risk assessment
Example:

```python
from email_forensics import PhishingDetector, EmailAnalyzer

# Initialize detector
detector = PhishingDetector()

# Analyze email
analyzer = EmailAnalyzer()
email = analyzer.parse_file("/evidence/suspicious.eml")

# Run phishing detection
result = detector.analyze(email)
print(f"Risk Score: {result.risk_score}/100")
print(f"Classification: {result.classification}")
print(f"Confidence: {result.confidence}")

# Get indicators
for indicator in result.indicators:
    print(f"INDICATOR: {indicator.type}")
    print(f"  Description: {indicator.description}")
    print(f"  Weight: {indicator.weight}")
    print(f"  Evidence: {indicator.evidence}")

# Check sender authenticity
sender = result.sender_analysis
print(f"Sender: {sender.display_name} <{sender.address}>")
print(f"  Display name mismatch: {sender.display_name_mismatch}")
print(f"  Domain reputation: {sender.domain_reputation}")
print(f"  First-time sender: {sender.first_time_sender}")

# Analyze URLs
for url in result.url_analysis:
    print(f"URL: {url.url}")
    print(f"  Domain: {url.domain}")
    print(f"  Display text: {url.display_text}")
    print(f"  Mismatch: {url.text_url_mismatch}")
    print(f"  Shortened: {url.is_shortened}")
    print(f"  Risk: {url.risk_level}")

# Check attachments
for att in result.attachment_analysis:
    print(f"Attachment: {att.filename}")
    print(f"  Type: {att.content_type}")
    print(f"  Risk: {att.risk_level}")
    print(f"  Double extension: {att.has_double_extension}")

# Export report
detector.generate_report(result, "/evidence/phishing_report.html")
```
Task 4: Attachment Analysis
Input: Email with attachments
Process:
- Extract all attachments
- Identify file types
- Calculate hashes
- Check for malware indicators
- Extract metadata
Output: Attachment analysis with extracted files
Example:

```python
from email_forensics import AttachmentAnalyzer

# Initialize analyzer
analyzer = AttachmentAnalyzer()

# Extract from single email
attachments = analyzer.extract_from_email(
    email_path="/evidence/email.eml",
    output_dir="/evidence/attachments/"
)
for att in attachments:
    print(f"Attachment: {att.filename}")
    print(f"  Content-Type: {att.content_type}")
    print(f"  Size: {att.size}")
    print(f"  MD5: {att.md5}")
    print(f"  SHA256: {att.sha256}")
    print(f"  Detected type: {att.detected_type}")
    print(f"  Type mismatch: {att.type_mismatch}")
    print(f"  Extracted to: {att.output_path}")

# Analyze specific attachment
detailed = analyzer.analyze_file("/evidence/attachments/document.pdf")
print(f"Metadata: {detailed.metadata}")
print(f"Embedded objects: {detailed.embedded_objects}")
print(f"Scripts: {detailed.contains_scripts}")
print(f"Macros: {detailed.contains_macros}")

# Extract from mailbox
mailbox_attachments = analyzer.extract_from_mailbox(
    mailbox_path="/evidence/mailbox.pst",
    output_dir="/evidence/all_attachments/",
    filter_types=["application/pdf", "application/msword"]
)

# Find suspicious attachments
suspicious = analyzer.find_suspicious(attachments)
for s in suspicious:
    print(f"SUSPICIOUS: {s.filename}")
    print(f"  Reason: {s.reason}")

# Check against malware hashes
malware = analyzer.check_malware_hashes("/hashsets/malware.txt")

# Generate attachment report
analyzer.generate_report("/evidence/attachment_report.html")
```
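An added example of the extraction and type-check steps above, written against the Python standard library rather than the email_forensics API: it walks the MIME parts of a constructed message, hashes each attachment, identifies the real type from its leading bytes, and compares that with the declared Content-Type and the filename (the double-extension check is also one of the Task 3 attachment indicators). The signature table, extension lists, sample attachments and hashset are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass
from email.message import EmailMessage

# Magic-byte signatures used to identify the real file type (a small illustrative subset).
SIGNATURES = [
    (b"%PDF-", "application/pdf"),
    (b"MZ", "application/x-dosexec"),
    (b"PK\x03\x04", "application/zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole-storage"),
]
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "txt", "jpg", "png"}
RISKY_EXTENSIONS = {"exe", "scr", "js", "vbs", "hta", "lnk", "bat", "cmd", "ps1"}

@dataclass
class AttachmentInfo:
    filename: str
    content_type: str
    size: int
    md5: str
    sha256: str
    detected_type: str
    type_mismatch: bool
    has_double_extension: bool
    risky_extension: bool

def detect_type(data):
    """Identify the content by its leading bytes, ignoring what the sender declared."""
    for magic, mime in SIGNATURES:
        if data.startswith(magic):
            return mime
    return "application/octet-stream"

def extension_flags(filename):
    """(double extension, risky last extension), e.g. 'invoice.pdf.exe' -> (True, True)."""
    parts = filename.lower().split(".")
    double = len(parts) > 2 and parts[-2] in DOCUMENT_EXTENSIONS
    risky = len(parts) > 1 and parts[-1] in RISKY_EXTENSIONS
    return double, risky

def analyze_attachments(msg):
    """Extract every attachment and record what a forensic inventory needs."""
    infos = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        filename = part.get_filename() or "unnamed"
        declared = part.get_content_type()
        detected = detect_type(data)
        double, risky = extension_flags(filename)
        infos.append(AttachmentInfo(
            filename, declared, len(data),
            hashlib.md5(data).hexdigest(), hashlib.sha256(data).hexdigest(), detected,
            # Only claim a mismatch when the bytes were positively identified.
            detected != "application/octet-stream" and detected != declared,
            double, risky))
    return infos

def find_suspicious(infos):
    """Return (filename, reasons) for attachments that deserve a closer look."""
    flagged = []
    for info in infos:
        reasons = []
        if info.type_mismatch:
            reasons.append(f"declared {info.content_type} but content is {info.detected_type}")
        if info.has_double_extension:
            reasons.append("double extension")
        if info.risky_extension:
            reasons.append("executable or script extension")
        if reasons:
            flagged.append((info.filename, reasons))
    return flagged

def check_hashset(infos, known_sha256):
    """Match extracted attachments against a set of known-bad SHA-256 hashes."""
    return [info.filename for info in infos if info.sha256 in known_sha256]

def build_sample():
    """Constructed sample: one genuine-looking PDF and one executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "sender@example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Invoice"
    msg.set_content("Please find the invoice attached.")
    msg.add_attachment(b"%PDF-1.4\n% constructed placeholder body\n",
                       maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                       maintype="application", subtype="pdf", filename="invoice.pdf.exe")
    return msg

if __name__ == "__main__":
    infos = analyze_attachments(build_sample())
    for info in infos:
        print(f"{info.filename}: declared={info.content_type} detected={info.detected_type} sha256={info.sha256}")
    for filename, reasons in find_suspicious(infos):
        print(f"SUSPICIOUS: {filename} ({'; '.join(reasons)})")
```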
Task 5: Email Timeline Creation
Input: Mailbox or collection of emails
Process:
- Parse all messages
- Extract timestamps
- Build chronological timeline
- Identify communication patterns
- Visualize activity
Output: Email communication timeline
Example:

```python
from email_forensics import EmailTimeline

# Initialize timeline
timeline = EmailTimeline()

# Add email sources
timeline.add_mailbox("/evidence/user1.pst")
timeline.add_mailbox("/evidence/user2.pst")
timeline.add_folder("/evidence/exported_emails/")

# Build timeline
events = timeline.build()
for event in events:
    print(f"[{event.timestamp}] {event.direction}")
    print(f"  From: {event.sender}")
    print(f"  To: {event.recipients}")
    print(f"  Subject: {event.subject}")

# Filter by date range
filtered = timeline.filter_by_date(
    start="2024-01-01",
    end="2024-01-31"
)

# Filter by participants
participant_emails = timeline.filter_by_participant("suspect@example.com")

# Get communication patterns
patterns = timeline.analyze_patterns()
print(f"Total messages: {patterns.total_messages}")
print(f"Unique senders: {patterns.unique_senders}")
print(f"Unique recipients: {patterns.unique_recipients}")
print(f"Peak hours: {patterns.peak_hours}")
print(f"Top correspondents: {patterns.top_correspondents}")

# Detect anomalies
anomalies = timeline.detect_anomalies()
for a in anomalies:
    print(f"ANOMALY: {a.description}")
    print(f"  Time: {a.timestamp}")

# Export timeline
timeline.export_csv("/evidence/email_timeline.csv")
timeline.generate_visualization("/evidence/email_timeline.html")
```
Task 6: Email Thread Reconstruction
Input: Email messages
Process:
- Group by conversation
- Analyze In-Reply-To headers
- Build thread hierarchy
- Identify missing messages
- Reconstruct full threads
Output: Reconstructed email threads
Example:

```python
from email_forensics import ThreadReconstructor

# Initialize reconstructor
reconstructor = ThreadReconstructor()

# Load emails
reconstructor.load_mailbox("/evidence/mailbox.pst")

# Reconstruct all threads
threads = reconstructor.reconstruct_all()
for thread in threads:
    print(f"Thread: {thread.subject}")
    print(f"  Messages: {thread.message_count}")
    print(f"  Participants: {thread.participants}")
    print(f"  Duration: {thread.start_date} - {thread.end_date}")
    print(f"  Complete: {thread.is_complete}")
    # Print thread hierarchy
    for msg in thread.messages:
        indent = "  " * msg.depth
        print(f"{indent}[{msg.date}] {msg.sender}: {msg.subject}")

# Find specific thread
thread = reconstructor.find_thread(subject_contains="Project Alpha")

# Find threads with missing messages
incomplete = reconstructor.find_incomplete_threads()
for t in incomplete:
    print(f"Incomplete: {t.subject}")
    print(f"  Missing IDs: {t.missing_message_ids}")

# Export threads
reconstructor.export_threads(
    output_dir="/evidence/threads/",
    format="mbox"
)

# Generate thread report
reconstructor.generate_report("/evidence/threads_report.html")
```
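The In-Reply-To / References reconstruction described above, as an added stand-alone example that is not the skill's ThreadReconstructor: each message is attached to the nearest ancestor that exists in the collection, message IDs that the reply chain passes through but that were never acquired are recorded as missing, and the hierarchy is walked depth-first to assign depths. The five sample messages (one of which replies to a message that is absent) are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

def make_eml(mid, sender, subject, date, in_reply_to=None, references=()):
    """Build a minimal message with threading headers (constructed test data)."""
    headers = [f"Message-ID: <{mid}>", f"From: {sender}", f"Subject: {subject}", f"Date: {date}"]
    if in_reply_to:
        headers.append(f"In-Reply-To: <{in_reply_to}>")
    if references:
        headers.append("References: " + " ".join(f"<{r}>" for r in references))
    return "\n".join(headers) + "\n\nbody\n"

# Constructed collection: m4 was never acquired, so m5 can only be attached to the
# nearest ancestor that survives in its References chain (m1).
SAMPLE_MESSAGES = [
    make_eml("m1@example.org", "alice@example.org", "Project Alpha", "Mon, 15 Jan 2024 09:00:00 +0000"),
    make_eml("m2@example.org", "bob@example.org", "Re: Project Alpha", "Mon, 15 Jan 2024 09:30:00 +0000",
             "m1@example.org", ["m1@example.org"]),
    make_eml("m3@example.org", "alice@example.org", "Re: Project Alpha", "Mon, 15 Jan 2024 10:00:00 +0000",
             "m2@example.org", ["m1@example.org", "m2@example.org"]),
    make_eml("m5@example.org", "carol@example.org", "Re: Project Alpha", "Mon, 15 Jan 2024 10:30:00 +0000",
             "m4@example.org", ["m1@example.org", "m4@example.org"]),
    make_eml("m6@example.org", "dave@example.org", "Lunch", "Tue, 16 Jan 2024 12:00:00 +0000"),
]

@dataclass
class Node:
    message_id: str
    sender: str
    subject: str
    date: datetime
    ancestors: list  # candidate parents, nearest first
    depth: int = 0
    children: list = field(default_factory=list)
    missing: list = field(default_factory=list)  # referenced ancestors absent from the collection

@dataclass
class Thread:
    subject: str
    messages: list  # depth-first order, siblings sorted by date
    missing_message_ids: list

    @property
    def is_complete(self):
        return not self.missing_message_ids

    @property
    def participants(self):
        return sorted({m.sender for m in self.messages})

def load_messages(texts):
    nodes = {}
    for text in texts:
        m = message_from_string(text)
        refs = (m.get("References") or "").split()
        in_reply_to = (m.get("In-Reply-To") or "").strip()
        # In-Reply-To names the direct parent; References lists the chain oldest to newest.
        chain = ([in_reply_to] if in_reply_to else []) + list(reversed(refs))
        node = Node(m["Message-ID"].strip(), parseaddr(m["From"])[1], m["Subject"],
                    parsedate_to_datetime(m["Date"]), list(dict.fromkeys(chain)))
        nodes[node.message_id] = node
    return nodes

def reconstruct_all(nodes):
    """Attach each message to its nearest surviving ancestor, then walk each root (call once per collection)."""
    attached = set()
    for node in nodes.values():
        for mid in node.ancestors:
            if mid in nodes:
                nodes[mid].children.append(node)
                attached.add(node.message_id)
                break
            node.missing.append(mid)  # the reply chain passes through a message we do not have
    threads = []
    for root in nodes.values():
        if root.message_id in attached:
            continue
        ordered = []

        def walk(node, depth):
            node.depth = depth
            ordered.append(node)
            for child in sorted(node.children, key=lambda n: n.date):
                walk(child, depth + 1)

        walk(root, 0)
        gaps = sorted({mid for n in ordered for mid in n.missing})
        threads.append(Thread(root.subject, ordered, gaps))
    return threads

def find_incomplete_threads(threads):
    return [t for t in threads if not t.is_complete]

if __name__ == "__main__":
    for thread in reconstruct_all(load_messages(SAMPLE_MESSAGES)):
        print(f"Thread: {thread.subject} (complete: {thread.is_complete}, missing: {thread.missing_message_ids})")
        for msg in thread.messages:
            print(f"{'  ' * msg.depth}[{msg.date:%Y-%m-%d %H:%M}] {msg.sender}: {msg.subject}")
```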
Task 7: Spoofing Detection
Input: Email message
Process:
- Verify sender headers
- Check authentication records
- Analyze display name tricks
- Compare envelope vs header
- Detect impersonation
Output: Spoofing analysis results
Example:

```python
from email_forensics import SpoofingDetector

# Initialize detector
detector = SpoofingDetector()

# Analyze email
result = detector.analyze_file("/evidence/suspicious.eml")
print(f"Spoofing detected: {result.is_spoofed}")
print(f"Confidence: {result.confidence}")

# Header vs Envelope analysis
print(f"Header From: {result.header_from}")
print(f"Envelope From: {result.envelope_from}")
print(f"Mismatch: {result.from_mismatch}")

# Display name analysis
display = result.display_name_analysis
print(f"Display Name: {display.name}")
print(f"Homograph attack: {display.homograph_detected}")
print(f"Executive impersonation: {display.executive_impersonation}")
print(f"Brand impersonation: {display.brand_impersonation}")

# Authentication analysis
auth = result.authentication_analysis
print(f"SPF Pass: {auth.spf_pass}")
print(f"DKIM Pass: {auth.dkim_pass}")
print(f"DMARC Pass: {auth.dmarc_pass}")

# Reply-To analysis
reply_to = result.reply_to_analysis
print(f"Reply-To: {reply_to.address}")
print(f"Reply-To differs from From: {reply_to.differs_from_sender}")

# Get all indicators
for indicator in result.indicators:
    print(f"INDICATOR: {indicator.name}")
    print(f"  Evidence: {indicator.evidence}")
    print(f"  Severity: {indicator.severity}")

# Export report
detector.generate_report(result, "/evidence/spoofing_analysis.html")
```
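The header-versus-envelope, display-name, authentication and Reply-To checks above, as an added stand-alone example that is not the skill's SpoofingDetector (it also covers the sender-authenticity indicators of Task 3): a message is parsed with the standard library, each check contributes an indicator with a severity, and the homograph check looks for letters from more than one Unicode script in the display name and domain. The executive roster, the confusable map and both sample messages are constructed assumptions.

```python
import re
import unicodedata
from email import message_from_string, policy
from email.utils import parseaddr

# Constructed roster of people worth impersonating and their real addresses (assumption).
EXECUTIVES = {"john smith": "john.smith@example.com"}
# Cyrillic letters that render like Latin ones; folded before comparing names.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", "\u0445": "x"}

# Constructed sample: the display name spells "John" with a Cyrillic o, the address is on a
# lookalike domain, the envelope sender is elsewhere again, and Reply-To is a third address.
SUSPICIOUS_EML = """\
Return-Path: <x9@bulk-sender.example.net>
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=bulk-sender.example.net;
    dkim=none;
    dmarc=fail header.from=example-corp.net
From: =?utf-8?q?J=D0=BEhn_Smith?= <john.smith@example-corp.net>
Reply-To: john.smith.ceo@mail-example.net
To: cfo@example.com
Subject: Urgent wire

Please handle this today.
"""

CLEAN_EML = """\
Return-Path: <john.smith@example.com>
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com;
    dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: "John Smith" <john.smith@example.com>
To: cfo@example.com
Subject: Board minutes

Attached as discussed.
"""

def skeleton(name):
    """Normalise a display name so lookalike characters compare equal."""
    folded = unicodedata.normalize("NFKC", name)
    return "".join(CONFUSABLES.get(c, c) for c in folded).lower().strip()

def homograph_detected(text):
    """True when letters from more than one script are mixed (e.g. LATIN and CYRILLIC)."""
    scripts = {unicodedata.name(c, "").split(" ")[0] for c in text if c.isalpha()}
    return len(scripts) > 1

def auth_flags(msg):
    text = " ".join(str(msg.get("Authentication-Results", "")).split())
    flags = {}
    for method in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{method}=(\w+)", text)
        flags[method] = bool(m and m.group(1).lower() == "pass")
    return flags

def analyze(text):
    msg = message_from_string(text, policy=policy.default)  # decodes RFC 2047 display names
    sender = msg["From"].addresses[0]
    indicators = []  # (name, evidence, severity)
    envelope_from = parseaddr(str(msg.get("Return-Path", "")))[1]
    if envelope_from and envelope_from.rpartition("@")[2].lower() != sender.domain.lower():
        indicators.append(("envelope_header_mismatch", f"{envelope_from} vs {sender.addr_spec}", "medium"))
    reply_to = msg["Reply-To"]
    if reply_to and reply_to.addresses[0].addr_spec.lower() != sender.addr_spec.lower():
        indicators.append(("reply_to_differs", reply_to.addresses[0].addr_spec, "high"))
    if homograph_detected(sender.display_name + sender.domain):
        indicators.append(("homograph", sender.display_name, "high"))
    name = skeleton(sender.display_name)
    if name in EXECUTIVES and sender.addr_spec.lower() != EXECUTIVES[name]:
        indicators.append(("executive_impersonation", f"{sender.display_name} <{sender.addr_spec}>", "critical"))
    flags = auth_flags(msg)
    if not flags["dmarc"]:
        indicators.append(("dmarc_not_pass", str(flags), "medium"))
    return {
        "header_from": sender.addr_spec,
        "envelope_from": envelope_from,
        "auth": flags,
        "indicators": indicators,
        "is_spoofed": any(sev in ("high", "critical") for _, _, sev in indicators),
    }

if __name__ == "__main__":
    for label, text in (("suspicious", SUSPICIOUS_EML), ("clean", CLEAN_EML)):
        result = analyze(text)
        print(f"{label}: spoofed={result['is_spoofed']} auth={result['auth']}")
        for name, evidence, severity in result["indicators"]:
            print(f"  {severity.upper():8} {name}: {evidence}")
```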
Task 8: Link Analysis
Input: Email content
Process:
- Extract all URLs
- Analyze URL components
- Check against threat intel
- Detect URL obfuscation
- Identify redirect chains
Output: URL analysis results
Example:

```python
from email_forensics import LinkAnalyzer

# Initialize analyzer
analyzer = LinkAnalyzer()

# Extract links from email
links = analyzer.extract_from_email("/evidence/email.eml")
for link in links:
    print(f"URL: {link.url}")
    print(f"  Display text: {link.display_text}")
    print(f"  Domain: {link.domain}")
    print(f"  TLD: {link.tld}")
    print(f"  Text matches URL: {link.text_matches_url}")
    print(f"  Is shortened: {link.is_shortened}")
    print(f"  Is IP-based: {link.is_ip_based}")
    print(f"  Risk score: {link.risk_score}")

# Unshorten URLs
unshortened = analyzer.unshorten_urls(links)
for u in unshortened:
    print(f"Short: {u.short_url}")
    print(f"Final: {u.final_url}")
    print(f"Redirects: {u.redirect_count}")

# Check against threat intelligence
threats = analyzer.check_threat_intel(
    links,
    feed_path="/feeds/malicious_urls.txt"
)
for t in threats:
    print(f"THREAT: {t.url}")
    print(f"  Category: {t.category}")
    print(f"  Source: {t.intel_source}")

# Detect URL obfuscation
obfuscated = analyzer.detect_obfuscation(links)
for o in obfuscated:
    print(f"OBFUSCATED: {o.url}")
    print(f"  Technique: {o.obfuscation_type}")
    print(f"  Decoded: {o.decoded_url}")

# Analyze link destinations (safe fetch)
destinations = analyzer.analyze_destinations(links, safe_mode=True)

# Export link analysis
analyzer.generate_report("/evidence/link_analysis.html")
```
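The extraction, component and obfuscation steps above, as an added offline example that is not the skill's LinkAnalyzer (it also produces the display-text mismatch indicator of Task 3): anchors are pulled from the HTML body of a constructed message, each href is decoded and split, and the visible text is compared with the real host. Nothing is fetched. The shortener list, the risk weights and the sample HTML are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "is.gd", "goo.gl"}

# Constructed HTML body: one lure of each kind this analyzer flags, plus one clean link.
SAMPLE_HTML = """\
<html><body><p>Your account needs attention.</p>
<a href="https://secure-login.example.net/verify">https://bank.example.com/login</a>
<a href="http://198.51.100.23/update">Update now</a>
<a href="https://bit.ly/3abcXYZ">View statement</a>
<a href="https://bank.example.com@secure-login.example.net/%73ignin">Sign in</a>
<a href="https://bank.example.com/help">Help center</a>
</body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

@dataclass
class LinkInfo:
    url: str
    display_text: str
    domain: str
    tld: str
    text_matches_url: bool
    is_shortened: bool
    is_ip_based: bool
    obfuscation: list = field(default_factory=list)
    decoded_url: str = ""
    risk_score: int = 0

def analyze_link(href, text):
    decoded = unquote(href)
    parts = urlsplit(decoded)
    host = (parts.hostname or "").lower()
    obfuscation = []
    if decoded != href:
        obfuscation.append("percent-encoding")
    if parts.username is not None:
        obfuscation.append("userinfo-before-host")  # the part before '@' is not the host
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    # When the visible text itself looks like a URL or domain, it must point at the same host.
    text_host = None
    if "." in text and " " not in text:
        text_host = (urlsplit(text if "://" in text else "//" + text).hostname or "").lower()
    matches = text_host is None or text_host == host
    score = 30 * (not matches) + 30 * is_ip + 20 * (host in SHORTENERS) + 15 * len(obfuscation)
    return LinkInfo(href, text, host, "" if is_ip else host.rsplit(".", 1)[-1], matches,
                    host in SHORTENERS, is_ip, obfuscation, decoded, min(score, 100))

def extract_links(msg):
    """Pull the HTML body out of a message and analyze every anchor in it."""
    body = msg.get_body(preferencelist=("html",))
    parser = LinkExtractor()
    parser.feed(body.get_content() if body else "")
    return [analyze_link(href, text) for href, text in parser.links]

def build_sample():
    msg = EmailMessage()
    msg["From"] = "alerts@secure-login.example.net"
    msg["To"] = "victim@example.org"
    msg["Subject"] = "Account notice"
    msg.set_content("Your account needs attention.")
    msg.add_alternative(SAMPLE_HTML, subtype="html")
    return msg

if __name__ == "__main__":
    for link in extract_links(build_sample()):
        print(f"{link.risk_score:3} {link.url}")
        print(f"    text={link.display_text!r} host={link.domain} ip={link.is_ip_based} "
              f"short={link.is_shortened} mismatch={not link.text_matches_url} obf={link.obfuscation}")
```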
Task 9: Business Email Compromise Analysis
Input: Email or mailbox
Process:
- Identify BEC indicators
- Detect urgency language
- Analyze financial requests
- Check sender legitimacy
- Score BEC probability
Output: BEC analysis results
Example:

```python
from email_forensics import BECDetector

# Initialize BEC detector
detector = BECDetector()

# Analyze single email
result = detector.analyze_email("/evidence/wire_request.eml")
print(f"BEC Score: {result.bec_score}/100")
print(f"Classification: {result.classification}")

# Check BEC indicators
for indicator in result.indicators:
    print(f"INDICATOR: {indicator.type}")
    print(f"  Description: {indicator.description}")
    print(f"  Evidence: {indicator.evidence}")
    print(f"  Weight: {indicator.weight}")

# Language analysis
language = result.language_analysis
print(f"Urgency detected: {language.urgency_score}")
print(f"Authority claims: {language.authority_score}")
print(f"Financial keywords: {language.financial_keywords}")
print(f"Secrecy requests: {language.secrecy_score}")

# Sender analysis
sender = result.sender_analysis
print(f"Claimed identity: {sender.claimed_identity}")
print(f"Actual sender: {sender.actual_address}")
print(f"Executive impersonation: {sender.executive_impersonation}")

# Request analysis
request = result.request_analysis
print(f"Action requested: {request.action}")
print(f"Amount mentioned: {request.amount}")
print(f"Account details: {request.has_account_details}")
print(f"Wire transfer request: {request.wire_transfer}")

# Scan mailbox for BEC
mailbox_results = detector.scan_mailbox("/evidence/mailbox.pst")
for r in mailbox_results.high_risk:
    print(f"HIGH RISK: {r.subject}")
    print(f"  BEC Score: {r.bec_score}")

# Generate BEC report
detector.generate_report("/evidence/bec_analysis.html")
```
Task 10: Email Search and Export
Input: Mailbox file or email collection
Process:
- Index email content
- Execute search queries
- Filter results
- Export matches
- Generate search report
Output: Search results with exported emails
Example:

```python
from email_forensics import EmailSearcher

# Initialize searcher
searcher = EmailSearcher("/evidence/mailbox.pst")

# Build search index
searcher.build_index()

# Search by keywords
results = searcher.search(
    query="confidential project",
    search_body=True,
    search_subject=True,
    search_attachments=True
)
for r in results:
    print(f"Match: {r.subject}")
    print(f"  From: {r.sender}")
    print(f"  Date: {r.date}")
    print(f"  Score: {r.relevance_score}")
    print(f"  Snippet: {r.snippet}")

# Search by sender
sender_emails = searcher.search_by_sender("suspicious@example.com")

# Search by date range
date_range = searcher.search_by_date(
    start="2024-01-01",
    end="2024-01-31"
)

# Search by attachment name
with_attachments = searcher.search_by_attachment(
    filename_pattern="*.pdf"
)

# Complex query
complex_results = searcher.advanced_search(
    sender_contains="@example.com",
    subject_contains="wire transfer",
    date_after="2024-01-01",
    has_attachments=True
)

# Export search results
searcher.export_results(
    results,
    output_dir="/evidence/search_results/",
    format="eml",
    include_attachments=True
)

# Generate search report
searcher.generate_report("/evidence/search_report.html")
```
Configuration
Environment Variables
| Variable | Description | Required | Default |
|---|---|---|---|
| | Path to email parsing library | No | Built-in |
| | URL threat intelligence feed | No | None |
| | VirusTotal API key | No | None |
| | Google Safe Browsing API key | No | None |
Options
| Option | Type | Description |
|---|---|---|
| | boolean | Auto-extract attachments |
| | boolean | Decode MIME-encoded content |
| | boolean | Parse HTML email bodies |
| | boolean | Safe URL verification |
| | boolean | Enable parallel processing |
Examples
Example 1: Phishing Campaign Investigation
Scenario: Investigating a phishing campaign targeting the organization

```python
from email_forensics import MailboxParser, PhishingDetector

# Parse quarantined emails
parser = MailboxParser("/evidence/quarantine.pst")
emails = parser.get_all_messages()

# Initialize phishing detector
detector = PhishingDetector()

# Analyze all emails
phishing_emails = []
for email in emails:
    result = detector.analyze(email)
    if result.risk_score > 70:
        phishing_emails.append(result)
        print(f"PHISHING: {email.subject}")
        print(f"  Risk: {result.risk_score}")
        print(f"  Indicators: {len(result.indicators)}")

# Extract IOCs from phishing emails
iocs = detector.extract_iocs(phishing_emails)
print(f"Malicious URLs: {len(iocs.urls)}")
print(f"Sender addresses: {len(iocs.senders)}")

# Generate campaign report
detector.generate_campaign_report(phishing_emails, "/evidence/phishing_campaign.html")
```
Example 2: BEC Incident Investigation
Scenario: Investigating potential business email compromise

```python
from email_forensics import BECDetector, EmailTimeline, SpoofingDetector

# Analyze the suspicious request email
bec = BECDetector()
result = bec.analyze_email("/evidence/wire_request.eml")
print(f"BEC Score: {result.bec_score}")
print(f"Financial request: {result.request_analysis.wire_transfer}")

# Check for spoofing
spoof = SpoofingDetector()
spoof_result = spoof.analyze_file("/evidence/wire_request.eml")
print(f"Spoofed: {spoof_result.is_spoofed}")

# Build communication timeline
timeline = EmailTimeline()
timeline.add_mailbox("/evidence/cfo_mailbox.pst")
timeline.add_mailbox("/evidence/finance_mailbox.pst")

# Find related emails
related = timeline.filter_by_participant(result.sender_analysis.actual_address)
print(f"Related emails from sender: {len(related)}")
```
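The spoofing and sender-alignment checks that Example 2 delegates to SpoofingDetector can be reproduced with the standard library alone. The block below is an added example, not code from the email_forensics package; the message, domains, authserv-id and indicator names are constructed for it.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: display name claims the CFO, but the address is a
# lookalike domain and Reply-To, Return-Path and auth results do not align.
SAMPLE_EML = """\
From: "Jane Doe, CFO" <jane.doe@examp1e-corp.com>
Reply-To: payments@mail-relay.example.net
Return-Path: <bounce@mail-relay.example.net>
To: accounts@example-corp.com
Subject: Urgent wire transfer today
Authentication-Results: mx.example-corp.com; spf=pass smtp.mailfrom=mail-relay.example.net; dkim=none; dmarc=fail header.from=examp1e-corp.com

Please process the wire transfer before 3pm. I am in a meeting, reply here.
"""

def domain_of(addr):
    """Lower-cased domain of an address header value ('' if none)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def parse_auth_results(header):
    """Map method -> verdict from an Authentication-Results header."""
    verdicts = {}
    for clause in (header or "").split(";")[1:]:  # [0] is the authserv-id
        token = clause.split()[0] if clause.split() else ""
        method, sep, verdict = token.partition("=")
        if sep:
            verdicts[method] = verdict
    return verdicts

def spoofing_indicators(raw_eml, trusted_domain):
    """Header-level indicators that a message impersonates trusted_domain."""
    msg = message_from_string(raw_eml)
    from_domain = domain_of(msg["From"])
    auth = parse_auth_results(msg["Authentication-Results"])
    indicators = []
    if from_domain != trusted_domain.lower():
        indicators.append(f"from_domain_not_trusted:{from_domain}")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_domain:
        indicators.append("reply_to_domain_mismatch")
    if msg["Return-Path"] and domain_of(msg["Return-Path"]) != from_domain:
        indicators.append("return_path_misaligned")
    for method in ("dkim", "dmarc"):  # SPF alone can pass on a relay domain
        if auth.get(method) != "pass":
            indicators.append(f"{method}:{auth.get(method, 'missing')}")
    return indicators
```

Only the Authentication-Results header written by your own receiving MX should be trusted; a sender can add one of its own, so a real analyzer checks the authserv-id before reading the verdicts.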
Limitations
- Large mailboxes may require significant processing time
- Encrypted emails require decryption keys
- Some proprietary formats may have limited support
- URL analysis requires network access for verification
- Attachment analysis depends on file type support
- BEC detection may have false positives
- Header analysis accuracy depends on email preservation
Troubleshooting
Common Issue 1: PST File Corruption
Problem: Unable to parse PST file
Solution:
- Use PST repair tools before analysis
- Try different parsing libraries
- Extract individual messages if possible
Common Issue 2: Encoded Content Not Decoded
Problem: Email body appears as encoded text
Solution:
- Enable MIME decoding
- Check for unusual character encodings
- Try different decoding methods
Common Issue 3: Missing Attachments
Problem: Attachments not extracted
Solution:
- Check attachment size limits
- Verify attachment format support
- Look for inline attachments
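Issues 2 and 3 have the same root cause in practice: a parser that stops at the outer MIME container, or that only keeps parts whose Content-Disposition is "attachment". The block below is an added example using the standard library, not the email_forensics package's own code; the multipart message is constructed for it. It undoes the transfer encoding and charset of every leaf part and keeps inline parts that carry a filename or Content-ID.

```python
from email import message_from_bytes, policy

# Constructed sample: quoted-printable Latin-1 body, a regular attachment and
# an inline image that a disposition-only filter would miss.
SAMPLE_EML = b"""\
Subject: invoice
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

Rechnung f=FCr Januar
--B1
Content-Type: application/pdf
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--B1
Content-Type: image/png
Content-Disposition: inline; filename="logo.png"
Content-ID: <logo@example.com>
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--B1--
"""

def extract_parts(raw):
    """Walk every MIME leaf, undoing the transfer encoding and charset.
    Returns (bodies, attachments); inline parts that carry a filename or
    Content-ID are kept as attachments instead of being dropped."""
    msg = message_from_bytes(raw, policy=policy.default)
    bodies, attachments = [], []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        data = part.get_payload(decode=True)  # base64/QP decoded bytes
        filename = part.get_filename()
        if filename or part["Content-ID"]:
            attachments.append({
                "filename": filename or part["Content-ID"],
                "disposition": part.get_content_disposition(),
                "content_type": part.get_content_type(),
                "data": data,
            })
        else:
            charset = part.get_content_charset() or "utf-8"
            bodies.append(data.decode(charset, errors="replace"))
    return bodies, attachments
```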
Related Skills
- network-forensics: Analyze email network traffic
- browser-forensics: Webmail investigation
- malware-forensics: Analyze malicious attachments
- timeline-forensics: Integrate email timeline
- log-forensics: Correlate with mail server logs