E-Mail Forensics GuideBook

Learn the steps necessary for an email forensics investigation. With the right tools and method, the investigation becomes much easier.

Email has become the primary means of communication, and almost everyone who owns a computer sends or receives emails on a regular basis. One can imagine how central email has become to communication from the fact that close to 3 million messages are sent every single second. Such widespread email penetration has also led to widespread misuse of the technology: people with mala fide intentions use email to commit crimes.

This article illustrates possible ways to perform e-mail forensics: recovering and analyzing email and tracing it back to the sender. Your goal during an email forensics investigation is to establish the crime committed, or the willful violation of company policy. There are various clues that help you connect the dots and identify the culprit.


Areas of Focus for the Email Forensics Process

Email System Basics

Common Terminologies associated with email

SMTP Server: SMTP stands for Simple Mail Transfer Protocol, and the primary tasks an SMTP server performs are:

  • Receives emails from the sender.
  • Validates source and destination addresses.
  • Sends and receives emails to and from other SMTP servers.
  • The user's email client or webmail uses SMTP to SEND the outgoing email.

POP3 Server: An incoming mail server that lets the user RECEIVE the email residing in their mailbox.

  • The recipient receives the email.
  • The POP3 server deletes the email from the server once the user's email client has downloaded it.
  • Usually works on port 110.

IMAP Server: An incoming mail server with the same functionality as a POP-based server, except that it retains a copy of the email on the server even after the user downloads it.

Fig 1.1 Path traveled by the email from sender to receiver

SMTP Protocol Commands (Client-Server interaction)

The SMTP protocol governs the language of the email system [as specified in RFC 2821]. An SMTP client [an application such as MS Outlook, or webmail such as Gmail] makes a request to an SMTP server (e.g. MS Exchange), and the server responds to the request with an acknowledgment code.
Note: An SMTP server itself becomes an SMTP client when it relays email to another SMTP server.

The protocol commands for a REQUEST are:

  • EHLO or HELO: The SMTP client identifies itself to the SMTP server with this command.
  • MAIL FROM: This command tells the server the source of the email message (the sender).
  • RSET (reset): The SMTP client asks the SMTP server to abandon the current transaction.
  • VRFY (verify): The SMTP client asks the server to verify a user/mailbox.
  • EXPN: The SMTP client asks the server to confirm a mailing list; after confirmation the server returns the membership of the list.
  • HELP: The client asks the server to send helpful information.
  • NOOP: This SMTP command requests that the server send an "ok" reply.
  • QUIT: This command tells the server to send an "ok" reply and thereafter close the transmission channel.

Some common SMTP protocol RESPONSE codes returned for the REQUEST made:

  • 220: Server ready
  • 250: Requested action completed successfully
  • 354: Server ready to receive the message content (sent in reply to the DATA command)
  • 221: Server closing the transmission channel
Fig 1.2 Client Server Interaction Example
Fig 1.3 Example of communication between an email client (application or webmail) and the SMTP server for data transfer
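As an added example (not code from the original guide), the client-server exchange of Fig 1.2 and 1.3 simulated in Python: a toy server state machine answers the request commands above with the response codes listed, and a driver returns the full transcript an investigator would see in a captured session. The hostname and addresses are made-up placeholders.

```python
from typing import List, Optional, Tuple


class SmtpServer:
    """Toy SMTP server (hypothetical, not a real MTA) tracking one transaction."""

    def __init__(self, hostname: str = "mail.example.test") -> None:
        self.hostname = hostname
        self.greeted = False          # set once EHLO/HELO has been seen
        self.in_data = False          # True while reading message content
        self.sender: Optional[str] = None
        self.recipients: List[str] = []

    def _reset(self) -> None:        # RSET and end-of-DATA clear the envelope
        self.sender, self.recipients, self.in_data = None, [], False

    def greeting(self) -> str:       # 220 banner sent on connection
        return f"220 {self.hostname} ESMTP ready"

    def handle(self, line: str) -> str:
        """Return the server reply for one client line ('' = no reply)."""
        if self.in_data:             # message lines are not acknowledged
            if line != ".":
                return ""
            self._reset()
            return "250 OK: message queued"
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            return f"250 {self.hostname} Hello {arg}"
        if not self.greeted:
            return "503 Bad sequence of commands"
        if verb == "MAIL":
            self.sender = arg
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Need MAIL command first"
            self.recipients.append(arg)
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Need RCPT command first"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb in ("RSET", "NOOP"):
            if verb == "RSET":
                self._reset()
            return "250 OK"
        if verb == "QUIT":
            return f"221 {self.hostname} closing transmission channel"
        return "500 Command not recognized"


def run_session(commands: List[str]) -> List[Tuple[str, str]]:
    """Drive a server with client lines; return [('C'|'S', text), ...]."""
    server = SmtpServer()
    transcript = [("S", server.greeting())]
    for cmd in commands:
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        if reply:
            transcript.append(("S", reply))
    return transcript
```

Feeding `run_session` the usual EHLO, MAIL FROM, RCPT TO, DATA, ".", QUIT sequence yields the 220/250/250/250/354/250/221 reply chain shown in the figures.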

Email Header Forensics

Broad steps in Email Forensics for the Investigator

Email Client Forensics

Email Computer Forensics

Crime committed via Email

Laws Against Email Crimes