Tags: email forensic 


## Pt. 1
We get an email file (.eml) and the challenge is to find out what was deleted from the file...

Received: from
Return-Path: <[email protected]>
X-Originating-Ip: []
Received-SPF: pass (domain of gmail.com designates as permitted sender)
Authentication-Results: ...
X-Apparently-To: [email protected]; Fri, 15 Apr 2022 06:03:02 +0000
X-YMailISG: ...
Received: from
Received: by mail-wr1-f45.google.com with SMTP id u3so9536261wrg.3...
DKIM-Signature: ...
X-Google-DKIM-Signature: ...
X-Google-Smtp-Source: ABdhPJyaUwECUfiVnHLMvCVoOGSDlrFjphDMOXwSo8pSUztrUcs+gK7lHOKWwReyKsHGHeQG13Psbc5aQ2asjRuWTvE=
X-Received: by 2002:a05:6000:1564:b0:20a:7727:27b0 with ...
MIME-Version: 1.0
From: crew ctf <[email protected]>
Date: Fri, 15 Apr 2022 08:02:49 +0200
Message-ID: <CAG+6d[email protected]>
Subject: Help me!
To: [email protected]
Content-Type: multipart/alternative; boundary="000000000000c0332a05dcab29d2"
Content-Length: 677

Content-Type: text/plain; charset="UTF-8"

Hey, crushed kiwi I hate this loop of college, and I need your help. Can
you meet me at lost immediately?

Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable



I realized that it has to be from a google email so I sent myself an email and compared both.
The `X-Gm-Message-State:` Header is missing!

This was the solution for the first part of the challenge.

Original writeup (https://github.com/xXLeoXxOne/writeups/blob/main/CrewCTF%202022/Em31l.md).