This is just a quick post to share a technique I use to extract emails from trigger PCAPs. This can also be done with tools like NetworkMiner, but I prefer the command line approach: it scales better, it's quicker, and it can be built upon to add functionality as you go.
The two main tools for this job are tcpflow, to extract the emails, and munpack, to extract the attachments. I use a Linux environment (Ubuntu 18.04) and both tools are available from the distribution's package repositories. They can then be combined in a bash script that does all of this with one command. My script can be found at the following link:
https://github.com/mcb2Eexe/emailExtract
Just download the script and either drop it into /usr/local/bin or put it in a custom script directory and add that directory to PATH in /etc/environment. You may also need to give it execute permissions with sudo chmod +x emailExtract.
The script extracts each email into its own directory and then extracts the attachments from the emails. Lastly, it renames each email so it can be opened in a mail client. It works on either a single PCAP file or a directory containing multiple PCAPs:
emailExtract -f <pcap>   (single PCAP)
emailExtract -d <dir>    (directory of PCAPs)
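The same pipeline as an added POSIX sh example, not the emailExtract script linked above: it assumes tcpflow's default flow file naming (src.ip.port-dst.ip.port with zero-padded fields, so client-to-server SMTP flows end in .00025 or .00587), carves each message out of the SMTP DATA section into a .eml file, and hands each .eml to munpack.

```shell
#!/bin/sh
# Added example, not the emailExtract script. Assumes tcpflow's default
# flow file naming: src.ip.port-dst.ip.port, ports zero-padded to 5 digits.

# True if a tcpflow file name is a client->server SMTP (25) or submission (587) flow.
is_smtp_flow() {
    case "${1##*/}" in
        *-*.00025|*-*.00587) return 0 ;;
        *) return 1 ;;
    esac
}

# Split one SMTP flow into <prefix>-N.eml: keep only the bytes between each
# DATA command and the lone "." terminator, strip CR, undo dot-stuffing.
# Prints the number of messages written.
extract_eml() {
    awk -v prefix="$2" '
        { sub(/\r$/, "") }                                   # SMTP lines end in CRLF
        !inmsg && toupper($0) == "DATA" { inmsg = 1; n++; out = prefix "-" n ".eml"; next }
        inmsg && $0 == "." { inmsg = 0; close(out); next }   # end-of-message marker
        inmsg { if (substr($0, 1, 2) == "..") $0 = substr($0, 2); print $0 > out }
        END { print n + 0 }' "$1"
}

# Whole pipeline for one pcap: tcpflow -> .eml files -> munpack attachments.
email_extract_pcap() {
    pcap=$1; outdir=${2:-${pcap%.*}_emails}
    mkdir -p "$outdir"
    # -r reads the pcap, -o sets the output directory, trailing arg is a BPF filter
    tcpflow -r "$pcap" -o "$outdir" 'tcp port 25 or tcp port 587'
    for flow in "$outdir"/*; do
        is_smtp_flow "$flow" || continue
        n=$(extract_eml "$flow" "$flow")
        i=1
        while [ "$i" -le "$n" ]; do
            # munpack writes attachments into the current directory; -f overwrites
            (cd "$outdir" && munpack -q -f "${flow##*/}-$i.eml")
            i=$((i + 1))
        done
    done
}

# Run on a pcap when EMAILEXTRACT_PCAP is set (keeps sourcing the file side-effect free).
if [ -n "${EMAILEXTRACT_PCAP:-}" ]; then
    email_extract_pcap "$EMAILEXTRACT_PCAP"
fi
```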