Tags: email forensic
Rating:
## Pt. 1
We get an email file (.eml) and the challenge is to find out what was deleted from the file...
```
Received: from 10.197.33.204...
Return-Path: <[email protected]>
X-Originating-Ip: [209.85.221.45]
Received-SPF: pass (domain of gmail.com designates 209.85.221.45 as permitted sender)
Authentication-Results: ...
X-Apparently-To: [email protected]; Fri, 15 Apr 2022 06:03:02 +0000
X-YMailISG: ...
Received: from 209.85.221.45...
Received: by mail-wr1-f45.google.com with SMTP id u3so9536261wrg.3...
DKIM-Signature: ...
X-Google-DKIM-Signature: ...
X-Google-Smtp-Source: ABdhPJyaUwECUfiVnHLMvCVoOGSDlrFjphDMOXwSo8pSUztrUcs+gK7lHOKWwReyKsHGHeQG13Psbc5aQ2asjRuWTvE=
X-Received: by 2002:a05:6000:1564:b0:20a:7727:27b0 with ...
MIME-Version: 1.0
From: crew ctf <[email protected]>
Date: Fri, 15 Apr 2022 08:02:49 +0200
Message-ID: <CAG+6dK2LBZJeWOCXgSp_JnxShdjjkuoXpcxp3ChSLQ6dfkUjZQ@mail.gmail.com>
Subject: Help me!
To: [email protected]
Content-Type: multipart/alternative; boundary="000000000000c0332a05dcab29d2"
Content-Length: 677
--000000000000c0332a05dcab29d2
Content-Type: text/plain; charset="UTF-8"
Hey, crushed kiwi I hate this loop of college, and I need your help. Can
you meet me at lost immediately?
--000000000000c0332a05dcab29d2
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
...
--000000000000c0332a05dcab29d2--
```
I realized that it has to be from a google email so I sent myself an email and compared both.
The `X-Gm-Message-State:` Header is missing!
This was the solution for the first part of the challenge.