Reading MSG and EML Files on the Command Line

Tommy
October 08 2013

Thought I’d share a neat little script-combo if you do your email analysis on Linux systems, or do automation. For the task you’ll need msgconvert.pl [1] and ripmime [2].

MSG files are used by Microsoft Outlook, and is the natural fit in regard to malicious messages in organizations running Microsoft products. For reference you can find the specification for the Outlook Item File Format here.

In this part you will require a file from Outlook, which you can acquire by selecting a message and drag it to the desktop or a new message. If you don’t do Outlook, you can just google for one [3].

msgconvert.pl <message>.msg
ripmime -i <message>.mime

The above will first convert the MSG file to a mime file. The latter command will make sure to extract the objects in it, such as binary files or documents. The text files contains the content of the email and will be something like: textfile0

If you need the headers you will find them at the top of the mime-file.

Now to EML-files, which you will also often find when exporting email messages. EML is really just short for “E-mail”. In OS X Mail, Outlook Express, Thunderbird (and others) you are typically presented with EML/MIME-formatted documents, and it’s just a document which complies with RFC 822 [4]. EML-files are more easy to work on since you can open it in a text editor and read the essential information plain straight away.

So what does that mean in regard to ripmime? It really just means that instead of calling the output from msgconvert.pl .mime, you can name the file .eml. In commands:

ripmime -i <message>.eml

The above will output your mime parts.

OS X Specifics

You may want to do the above on an OS X system as well. For this you can install ripmime via Homebrew [5].

If you are exporting an eml from Apple Mail you may do so the same way as in Outlook: Just drag it where you want it.

[1] https://www.matijs.net/software/msgconv/
[2] https://www.pldaniels.com/ripmime/
[3] https://www.google.com/search?q=filetype:msg&oq=filetype:msg#q=filetype:msg+outlook
[4] https://tools.ietf.org/html/rfc822
[5] https://brew.sh/index_nb

Tags: #msg #eml #convert #macos #nix
Read with Gemini

This blog is powered by cl-yag and Tufte CSS!