Week-12 - Network Forensics Lab 2: Email Reconstruction
Aim
Reconstruct email communications from captured SMTP traffic. You will extract sender/recipient information, decode Base64-encoded credentials, and recover the full email content including attachments.
Learning Objectives
- Understand the SMTP protocol and how email is transmitted
- Identify email metadata in packet captures
- Decode Base64-encoded usernames and passwords
- Reconstruct complete email messages from network traffic
- Extract timestamps for forensic timelines
Resources Needed
- Wireshark
- Lab file: smtp.pcap (available in your Cyberlab, or you can download it from here)
- Python 3 (for Base64 decoding), or an online Base64 decoder such as https://www.base64decode.org
Background
RECAP: Simple Mail Transfer Protocol (SMTP)
SMTP is used for sending email across the Internet. It is a plain text protocol, meaning data is not encrypted by default.
| Port | Usage |
|---|---|
| 25 | Standard SMTP (unencrypted) |
| 587 | SMTP with STARTTLS |
| 465 | SMTPS (SMTP over SSL) |
SMTP Commands
| Command | Purpose |
|---|---|
| EHLO/HELO | Client greeting to server |
| AUTH LOGIN | Start authentication |
| MAIL FROM | Sender's email address |
| RCPT TO | Recipient's email address |
| DATA | Start of message content |
| QUIT | End session |
SMTP Response Codes
| Code | Meaning |
|---|---|
| 220 | Service ready |
| 235 | Authentication successful |
| 250 | OK / Command completed |
| 334 | Server challenge (Base64 encoded) |
| 354 | Start mail input |
Base64 Encoding
SMTP uses Base64 to encode credentials during AUTH LOGIN. Base64 is an encoding, not encryption: anyone who captures the traffic can reverse it trivially, which is why authenticating over unencrypted SMTP is a security risk.
Part A: Initial Traffic Analysis
Task 1: Open and Filter SMTP Traffic
- Open smtp.pcap in Wireshark
- Observe the packet list
Q1.1: How many packets are in this capture?
Your Answer: _______________________________________________
Click to reveal answer
Answer: 53 packets
Q1.2: What is the IP address of the email client?
Your Answer: _______________________________________________
Click to reveal answer
Answer: 10.10.1.4
Q1.3: What is the IP address of the mail server?
Your Answer: _______________________________________________
Click to reveal answer
Answer: 74.53.140.153
Q1.4: What port is used for SMTP communication?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Port 25
Task 2: Identify the Mail Server
- Find the first SMTP response packet (look for code 220 "Service ready")
- Examine the server's greeting message
Q2.1: What is the hostname of the mail server?
Your Answer: _______________________________________________
Click to reveal answer
Answer: xc90.websitewelcome.com
Q2.2: What mail software is the server running?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Exim 4.69
Q2.3: What warning does the server provide in its greeting?
Your Answer: _______________________________________________
Click to reveal answer
Answer: "We do not authorize the use of this system to transport unsolicited, and/or bulk e-mail."
Part B: Authentication Analysis
Task 3: Find the Authentication Sequence
- Look for the AUTH LOGIN command from the client
- Examine the server's responses (334 codes) and client's replies
Q3.1: What authentication method is used?
Your Answer: _______________________________________________
Click to reveal answer
Answer: AUTH LOGIN
Q3.2: What packet number contains the AUTH LOGIN command?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Packet 10
Q3.3: The server responds with a 334 code and a Base64 challenge. What is the Base64 string in the server's first challenge?
Your Answer: _______________________________________________
Click to reveal answer
Answer: VXNlcm5hbWU6
Q3.4: What does this Base64 string decode to?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Username:
Task 4: Extract and Decode Credentials
- Find the client's response to the username challenge (packet after 334)
- Find the client's response to the password challenge
Q4.1: What is the Base64-encoded username string sent by the client?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Z3VycGFydGFwQHBhdHJpb3RzLmlu
Q4.2: What is the Base64-encoded password string sent by the client?
Your Answer: _______________________________________________
Click to reveal answer
Answer: cHVuamFiQDEyMw==
Task 5: Decode the Credentials
- Use Python or an online decoder to decode the Base64 strings:
Python method:
```python
import base64
print(base64.b64decode("Z3VycGFydGFwQHBhdHJpb3RzLmlu").decode('utf-8'))
print(base64.b64decode("cHVuamFiQDEyMw==").decode('utf-8'))
```
Command line method:
```bash
echo "Z3VycGFydGFwQHBhdHJpb3RzLmlu" | base64 -d
echo "cHVuamFiQDEyMw==" | base64 -d
```
Q5.1: What is the decoded username (email address)?
Your Answer: _______________________________________________
Click to reveal answer
Answer: gurpartap@patriots.in
Q5.2: What is the decoded password?
Your Answer: _______________________________________________
Click to reveal answer
Answer: punjab@123
Q5.3: What SMTP response code indicates successful authentication?
Your Answer: _______________________________________________
Click to reveal answer
Answer: 235 (Authentication succeeded)
Q5.4: Why is sending credentials over unencrypted SMTP a security risk?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Base64 is encoding, not encryption. Anyone capturing the network traffic can easily decode the credentials. The username and password are effectively transmitted in plain text.
Part C: Email Reconstruction
Task 6: Extract Email Metadata
- Find the MAIL FROM command
- Find the RCPT TO command
Q6.1: Who is the sender of the email (MAIL FROM)?
Your Answer: _______________________________________________
Click to reveal answer
Answer: gurpartap@patriots.in
Q6.2: Who is the recipient of the email (RCPT TO)?
Your Answer: _______________________________________________
Click to reveal answer
Answer: raj_deol2002in@yahoo.co.in
Task 7: Follow the TCP Stream
- Right-click on any SMTP packet → Follow → TCP Stream
- This displays the complete SMTP conversation
Q7.1: What email client software was used to send this email? (Look for X-Mailer header)
Your Answer: _______________________________________________
Click to reveal answer
Answer: Microsoft Office Outlook 12.0
Q7.2: What is the Subject of the email?
Your Answer: _______________________________________________
Click to reveal answer
Answer: SMTP
Q7.3: What is the Date header of the email?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Mon, 5 Oct 2009 11:36:07 +0530
Q7.4: What is the Message-ID?
Your Answer: _______________________________________________
Click to reveal answer
Q7.5: What is the sender's display name (From header)?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Gurpartap Singh
Task 8: Extract Email Content
- In the TCP stream, find the email body (after the DATA command and headers)
Q8.1: What is the Content-Type of the email?
Your Answer: _______________________________________________
Click to reveal answer
Answer: multipart/mixed (contains both text and attachments)
Q8.2: What is the plain text content of the email message?
Your Answer: _______________________________________________
Click to reveal answer
Answer:
Hello
I send u smtp pcap file
Find the attachment
GPS
Q8.3: Is there an attachment? If so, what is the filename?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Yes, there is an attachment named "NEWS.txt"
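Tasks 3 to 8 recover these fields by hand from Follow TCP Stream. As an added example that is not part of the lab, the script below applies the same logic to a transcript in the `C:`/`S:` form that Wireshark shows, decoding the 334 challenges and the client's replies, pulling the envelope from MAIL FROM/RCPT TO, and reading the headers and attachment name out of the DATA section. The transcript, host, accounts and secret are constructed for the example, not taken from smtp.pcap.

```python
import base64, binascii, re
# Constructed "Follow TCP Stream" transcript (S: server, C: client); accounts and secret are invented, 250 replies omitted.
def b64(s): return base64.b64encode(s.encode()).decode()
STREAM = f"""\
C: AUTH LOGIN
S: 334 VXNlcm5hbWU6
C: {b64('alice@example.test')}
S: 334 UGFzc3dvcmQ6
C: {b64('not-a-real-secret')}
S: 235 Authentication succeeded
C: MAIL FROM:<alice@example.test>
C: RCPT TO:<bob@example.test>
C: DATA
S: 354 Enter message, ending with "." on a line by itself
C: Subject: SMTP
C: X-Mailer: Microsoft Office Outlook 12.0
C: Content-Disposition: attachment; filename="NEWS.txt"
C: .
"""

def b64d(token):
    """Decode one Base64 token; return it unchanged if it is not valid Base64 text."""
    try:
        return base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return token

def reconstruct(stream):
    """Walk the transcript once and collect what Tasks 3 to 8 recover by hand."""
    r = {"auth": {}, "auth_ok": False, "envelope": {}, "headers": {}, "attachments": []}
    prompt, in_data = None, False            # outstanding 334 challenge / inside DATA
    for raw in stream.splitlines():
        side, text = raw[:1], raw[3:]
        if in_data:                          # message runs until the lone "." line
            if text == ".":
                in_data = False
            elif m := re.match(r"(From|Subject|X-Mailer): (.*)", text):
                r["headers"][m[1]] = m[2]
            elif m := re.search(r'filename="([^"]+)"', text):
                r["attachments"].append(m[1])
        elif side == "S":
            code, _, rest = text.partition(" ")
            if code == "334": prompt = b64d(rest).rstrip(":")   # prompt names the next reply
            if code == "235": r["auth_ok"] = True
            if code == "354": in_data = True
        elif prompt:                         # client's Base64 answer to the challenge
            r["auth"][prompt], prompt = b64d(text), None
        elif m := re.match(r"(MAIL FROM|RCPT TO):<(.*?)>", text, re.I):
            r["envelope"].setdefault(m[1].upper(), []).append(m[2])
    return r
```

Run `reconstruct(STREAM)` to get one dictionary of the authentication, envelope, header and attachment findings; a client reply that is not valid Base64 (for example an aborted AUTH exchange) is kept verbatim rather than crashing the parse.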
Part D: Timeline Construction
Task 9: Build a Forensic Timeline
Using packet timestamps and the email headers, complete this timeline:
Q9.1: What is the timestamp of the first packet in the capture?
Your Answer: _______________________________________________
Click to reveal answer
Answer: 2009-10-05 06:06:07 UTC (approximately)
Q9.2: What is the total duration of the SMTP session?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Approximately 8 seconds
Q9.3: Complete this SMTP session timeline:
| Step | Event | Packet # |
|---|---|---|
| 1 | TCP handshake begins | |
| 2 | Server ready (220) | |
| 3 | Client greeting (EHLO) | |
| 4 | AUTH LOGIN | |
| 5 | Username sent | |
| 6 | Password sent | |
| 7 | Authentication successful (235) | |
| 8 | MAIL FROM | |
| 9 | RCPT TO | |
| 10 | DATA command | |
| 11 | Email content transferred | |
| 12 | Message accepted | |
Click to reveal answer
| Step | Event | Packet # |
|---|---|---|
| 1 | TCP handshake begins | 1-5 |
| 2 | Server ready (220) | 6 |
| 3 | Client greeting (EHLO) | 7 |
| 4 | AUTH LOGIN | 10 |
| 5 | Username sent | 12 |
| 6 | Password sent | 14 |
| 7 | Authentication successful (235) | 15 |
| 8 | MAIL FROM | 16 |
| 9 | RCPT TO | 18 |
| 10 | DATA command | 20 |
| 11 | Email content transferred | 21+ |
| 12 | Message accepted | Near end |
Part E: Export and Verification
Task 10: Export Email Objects
- Go to File → Export Objects → IMF (Internet Message Format)
- Check if Wireshark can extract the email message
Q10.1: Was Wireshark able to extract the email as an .eml file?
Your Answer: _______________________________________________
Click to reveal answer
Answer: Yes, Wireshark can export SMTP emails via Export Objects → IMF
Q10.2: What additional analysis could you perform on the exported email?
Your Answer: _______________________________________________
Click to reveal answer
Answer:
- Open in email client to view formatted content
- Extract and examine the attachment
- Analyse full headers for routing information
- Check for additional metadata or hidden content
Key Findings
In this lab, you reconstructed an email with the following details:
| Field | Value |
|---|---|
| Sender | Gurpartap Singh gurpartap@patriots.in |
| Recipient | raj_deol2002in@yahoo.co.in |
| Subject | SMTP |
| Date | Mon, 5 Oct 2009 11:36:07 +0530 |
| Client IP | 10.10.1.4 |
| Mail Server | xc90.websitewelcome.com (74.53.140.153) |
| Email Client | Microsoft Office Outlook 12.0 |
| Attachment | NEWS.txt |
| Password Recovered | punjab@123 |
Useful Wireshark Filters
| Filter | Purpose |
|---|---|
| smtp | All SMTP traffic |
| tcp.port == 25 | Traffic on SMTP port |
| smtp.req.command == "AUTH" | Authentication commands |
| smtp.req.command == "MAIL" | MAIL FROM commands |
| smtp.req.command == "RCPT" | RCPT TO commands |
| smtp.response.code == 235 | Successful authentication |
Base64 Decoding Reference
```python
import base64
# Replace "encoded_string" with the Base64 text taken from the capture
decoded = base64.b64decode("encoded_string").decode('utf-8')
print(decoded)
```
Best,
Ali.