Quoted-printable

technoviking · November 17, 2020, 8:14pm

Hello
I just watched the email forensics webcast, very informative but I am confused about quoted-printable 76 character length. Looking at some legit emails sent from outlook lots of the lines appear to be 80 plus and not limited to 76. Are there certain characters no included in the account, I think all = within dont count? What about blank space?

eg this is not messed with but is 83:

“<meta http-equiv=3D"Content-Type” content=3D"text/html; charset=3Dutf-8"><style t="

agungor · November 17, 2020, 8:43pm

Hi there,

You can refer to RFC 2045 page 20 to learn more about this. I’m quoting the relevant paragraph here for convenience:

The Quoted-Printable encoding REQUIRES that encoded lines be no more than 76 characters long. If longer lines are to be encoded with the Quoted-Printable encoding, “soft” line breaks must be used. An equal sign as the last character on a encoded line indicates such a non-significant (“soft”) line break in the encoded text.

I couldn’t tell you why you are seeing different line lengths based on the information you’ve provided. One possibility is that you may not be looking at the raw form of the message.

For instance, if you replace the “=3D” strings (quoted printable encoded version of “=”) with the string “=”, you end up with this:

<meta http-equiv="Content-Type" content="text/html; charset=utf-8"><style t=

The length is 76 bytes.

technoviking · November 17, 2020, 9:18pm

Thanks, they are emls from outlook. So basically =3D should be counted as one character when counting the columns in ultra edit?

Edit, also if a sentence/line goes for well over 76, would it ever be soft broken before then, eg at 74 or would that be odd?

agungor · November 17, 2020, 11:14pm

Not necessarily. I was attempting to point out that any conversions such as change in encoding can throw things off. Generally speaking, looking at MIME emails through Outlook is not a great option for forensic analysis. I would recommend downloading a copy in raw MIME format directly from the server—without getting Outlook involved—and reviewing it in a text editor.

This is implementation dependent but most email clients break the lines at 76. For instance, if you had 120 characters, I would expect to see a 76/44 break rather than 60/60.

technoviking · November 18, 2020, 5:22pm

Unfortunately I have only been provided with an eml created in outlook and cant access the raw data on the server.

If I did have the pure raw format and =3D was in the quoted text would the 3D
characters be counted as part of the 76?

agungor · November 18, 2020, 11:32pm

Yes, everything counts. Here is an example:

<div dir=3D"ltr"><p style=3D"margin:0px 0px 15px;padding:0px;text-align:jus=
tify;color:rgb(0,0,0);font-family:&quot;Open Sans&quot;,Arial,sans-serif;fo=
nt-size:14px">Lorem ipsum dolor sit=C2=A0<span style=3D"color:rgb(26,26,26)=
;font-family:Georgia,serif;font-size:30px;font-weight:700;text-align:start"=
>E =3D mc</span><sup style=3D"box-sizing:border-box;font-size:0.8em;color:r=
gb(26,26,26);font-family:Georgia,serif;font-weight:700;text-align:start">2<=
/sup>=C2=A0amet, consectetur adipiscing elit. Nam scelerisque diam tellus, =
id ullamcorper felis <b>efficitur </b>et. Ut porta erat tincidunt neque ege=
stas feugiat. Aenean pharetra suscipit elit. Maecenas sit amet velit at nun=
c efficitur elementum. In arcu enim, vehicula at vehicula et, euismod sit a=
met mauris. Nunc consequat rutrum tellus id volutpat. Sed feugiat est liber=
o, at semper mi cursus nec.</p><p style=3D"margin:0px 0px 15px;padding:0px;=
text-align:justify;color:rgb(0,0,0);font-family:&quot;Open Sans&quot;,Arial=
,sans-serif;font-size:14px">Cras vel mi nec massa vestibulum sollicitudin. =
Morbi vitae gravida mauris, at ultrices magna. Vestibulum ante nisl, auctor=
 nec malesuada et, semper id risus. Maecenas eros enim, elementum at libero=
 sit amet, consectetur pharetra elit. Duis id nulla urna. Donec auctor orna=
re hendrerit. Cras et erat convallis, aliquet enim eu, efficitur risus. Cra=
s sed elit nec sapien vulputate varius. Phasellus venenatis odio urna, ut f=
aucibus odio volutpat ut. Pellentesque arcu nulla, ullamcorper sed felis a,=
 vestibulum pellentesque metus. Etiam lobortis vel nibh vitae porttitor. Pr=
aesent feugiat vel lacus at lacinia.</p></div>

The block of text is 76 characters wide. The quoted-printable-encoded characters such as =3D are included in the count.

technoviking · November 19, 2020, 5:00pm

agungor:

<div dir=3D"ltr"><p style=3D"margin:0px 0px 15px;padding:0px;text-align:jus=
tify;color:rgb(0,0,0);font-family:&quot;Open Sans&quot;,Arial,sans-serif;fo=
nt-size:14px">Lorem ipsum dolor sit=C2=A0<span style=3D"color:rgb(26,26,26)=
;font-family:Georgia,serif;font-size:30px;font-weight:700;text-align:start"=
>E =3D mc</span><sup style=3D"box-sizing:border-box;font-size:0.8em;color:r=
gb(26,26,26);font-family:Georgia,serif;font-weight:700;text-align:start">2<=
/sup>=C2=A0amet, consectetur adipiscing elit. Nam scelerisque diam tellus, =
id ullamcorper felis <b>efficitur </b>et. Ut porta erat tincidunt neque ege=
stas feugiat. Aenean pharetra suscipit elit. Maecenas sit amet velit at nun=
c efficitur elementum. In arcu enim, vehicula at vehicula et, euismod sit a=
met mauris. Nunc consequat rutrum tellus id volutpat. Sed feugiat est liber=
o, at semper mi cursus nec.</p><p style=3D"margin:0px 0px 15px;padding:0px;=
text-align:justify;color:rgb(0,0,0);font-family:&quot;Open Sans&quot;,Arial=
,sans-serif;font-size:14px">Cras vel mi nec massa vestibulum sollicitudin. =
Morbi vitae gravida mauris, at ultrices magna. Vestibulum ante nisl, auctor=
 nec malesuada et, semper id risus. Maecenas eros enim, elementum at libero=
 sit amet, consectetur pharetra elit. Duis id nulla urna. Donec auctor orna=
re hendrerit. Cras et erat convallis, aliquet enim eu, efficitur risus. Cra=
s sed elit nec sapien vulputate varius. Phasellus venenatis odio urna, ut f=
aucibus odio volutpat ut. Pellentesque arcu nulla, ullamcorper sed felis a,=
 vestibulum pellentesque metus. Etiam lobortis vel nibh vitae porttitor. Pr=
aesent feugiat vel lacus at lacinia.</p></div>

Thank you, yes it seems eml format from outlook messes with the length, damn I though I was on to something. And I see it should be 76 including the soft break.