Thursday, April 6, 2023

Scrutinizing e-mails (Investigation Using Emails / email forensics)

Email plays a very important role in communication and has emerged as one of the most important applications on the internet. It is a convenient and easy way to send messages as well as documents, not only from computers but also from other electronic devices such as mobile phones and tablets.

The negative side of email is that adversaries (criminals) may leak important information about a company through email.

Hence, the role of email in digital forensics has increased in recent years. In digital forensics, emails are considered crucial evidence, and email header analysis has become an important way to collect evidence during the forensic process.

An investigator has the following goals while performing email forensics −

  • To identify the adversary (criminal)

  • To collect the necessary evidence

  • To present the findings

  • To build the case

Challenges in Email Forensics

An email forensic investigator may face the following challenges during the investigation.

1. Fake Emails

The biggest challenge in email forensics is the use of fake e-mails, created by manipulating or scripting headers and similar fields. Criminals also use temporary email, a service that allows a registered user to receive email at a temporary address that expires after a certain time period.

2. Spoofing

Another challenge in email forensics is spoofing, in which criminals present an email as if it came from someone else. In this case the receiving machine will see both the fake and the original IP address.

3. Anonymous Re-emailing

Here, the email server strips identifying information from the message before forwarding it further. This is another big challenge for email investigations.

Techniques Used in Email Forensic Investigation

Email forensics is the study of the source and content of an email as evidence to identify the actual sender and recipient of a message, along with other information such as the date/time of transmission and the intention of the sender.

Some of the common techniques which can be used for email forensic investigation are:

  • Header Analysis

Email headers contain essential information, including the name of the sender and receiver, the path (servers and other devices) through which the message has traversed, etc. The vital details in email headers help investigators and forensics experts in the email investigation.

  • Server investigation

Email servers are investigated to locate the source of an email. For example, if an email has been deleted from the client application, whether the sender’s or the receiver’s, the related ISP or proxy servers are scanned, as they usually save copies of emails after delivery. Servers also maintain logs that can be analyzed to identify the address of the computer from which the email originated.

  • Network Device Investigation

In some cases, server logs are not available. This can happen for many reasons, such as when servers are not configured to maintain logs or when an ISP refuses to share the log files. In such an event, investigators can refer to the logs maintained by network devices such as switches, firewalls, and routers to trace the source of an email message.

  • Sender Mailer Fingerprints

X-headers are email headers that are added to messages along with the standard headers, like Subject and To. The X-Originating-IP header can be used to find the original sender, i.e., the IP address of the sender’s computer.
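As an added worked example for both the header analysis and the X-header points above (this is not code from the original post), the script below parses the Received: chain of a raw message with Python's standard email library, reorders the hops oldest-first, pulls out X-Originating-IP and the other X- headers, and flags a break in the relay chain. The message, the host names and the IP addresses are all constructed for the example; the IPs come from documentation ranges and the "forged" variant simply has an extra bottom Received: line inserted to show what a sender-injected hop looks like to the check.

```python
"""Walk the Received: chain of a raw RFC 5322 message and extract the
fields an analyst reads first. Added example; sample data is constructed."""
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message (not a real capture). Relays prepend their
# Received: line, so the top line is the last hop and the bottom the first.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [203.0.113.7])
\tby mail.example.com with ESMTPS id abc123;
\tThu, 6 Apr 2023 10:15:02 +0000
Received: from relay.example.org (relay.example.org [198.51.100.23])
\tby mx2.example.net with ESMTP;
\tThu, 6 Apr 2023 10:14:58 +0000
Received: from [192.0.2.45] (unknown [192.0.2.45])
\tby relay.example.org with ESMTPA;
\tThu, 6 Apr 2023 10:14:55 +0000
X-Originating-IP: [192.0.2.45]
X-Mailer: ExampleMail 1.0
From: alice@example.org
To: bob@example.com
Subject: Quarterly report
Date: Thu, 6 Apr 2023 10:14:50 +0000

See attached.
"""

# Constructed "forged" variant: a Received: line the sender wrote itself,
# placed where the oldest hop would sit.
FORGED_LINE = (
    "Received: from ceo-laptop.example.org (ceo-laptop.example.org [192.0.2.99])\n"
    "\tby mail.bigbank.example with ESMTP;\n"
    "\tThu, 6 Apr 2023 10:14:40 +0000\n"
)
FORGED_MESSAGE = RAW_MESSAGE.replace("X-Originating-IP:", FORGED_LINE + "X-Originating-IP:", 1)

BRACKET_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.IGNORECASE | re.DOTALL)


def unfold(value):
    """Collapse header folding (newline plus whitespace) into single spaces."""
    return " ".join(value.split())


def parse_received(value):
    """Split one Received: header into from-host, by-host, bracketed IP, time."""
    text = unfold(value)
    m = FROM_BY_RE.search(text)
    ip = BRACKET_IP_RE.search(text)
    stamp = text.rsplit(";", 1)[1].strip() if ";" in text else None  # time follows the last ';'
    return {
        "from": m.group(1) if m else None,
        "by": m.group(2) if m else None,
        "ip": ip.group(1) if ip else None,
        "time": parsedate_to_datetime(stamp) if stamp else None,
    }


def hop_chain(raw):
    """Hops oldest-first: reverse the header order, since each MTA prepends."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def originating_ip(raw):
    """Value of X-Originating-IP with the brackets stripped, or None."""
    value = message_from_string(raw).get("X-Originating-IP")
    if value is None:
        return None
    m = BRACKET_IP_RE.search(value)
    return m.group(1) if m else value.strip()


def x_headers(raw):
    """All non-standard X- headers, which fingerprint the sending software."""
    msg = message_from_string(raw)
    return {k: unfold(v) for k, v in msg.items() if k.lower().startswith("x-")}


def chain_breaks(hops):
    """Indexes i where hop i's 'by' host is not hop i+1's 'from' host.
    A genuine relay hands the message to the host it names, so a break is a
    common sign of Received: lines inserted by the sender."""
    return [i for i in range(len(hops) - 1) if hops[i]["by"] != hops[i + 1]["from"]]


if __name__ == "__main__":
    for label, raw in (("clean", RAW_MESSAGE), ("forged", FORGED_MESSAGE)):
        hops = hop_chain(raw)
        print(f"--- {label}: X-Originating-IP={originating_ip(raw)} x_headers={x_headers(raw)}")
        for i, h in enumerate(hops):
            print(f"hop {i}: {h['from']} ({h['ip']}) -> {h['by']} at {h['time']}")
        print("chain breaks at:", chain_breaks(hops))
```

Only the Received: line added by the investigator's own (trusted) server can be taken at face value; everything below it was written by machines the investigator does not control, which is why the chain check walks from the trusted end and treats a host mismatch as a finding to explain rather than as proof of forgery.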

  • Software Embedded Identifiers

Sometimes, the email software used by a sender can include additional information about the message and attached files in the email. For example, it can be found in Multipurpose Internet Mail Extensions (MIME) content as a Transport Neutral Encapsulation Format (TNEF) block or a custom header. An in-depth analysis of these sections can reveal vital details related to the sender, like the MAC address, the Windows login username of the sender, and much more.
