Step 1. Scan and Add Files
Download and install the Email Forensics software, then scan and add files from web-based or desktop-based email clients to recover pieces of evidence. One can add single or multiple files, or a complete folder, as required.
Step 2. Examine Emails with Attachments
The Email Forensics utility permits analysis of read, unread, deleted or password-protected emails for forensic investigation purposes. The user can examine emails along with their attachments in the different view modes provided by the tool.
Step 3. Export Forensic Mail Evidence
After complete recovery and analysis of the forensic mail evidence, one can export it in different formats. The folder structure of the source is maintained in the resultant file.
Easy Case Management For Investigators
Case management is one of the most important tasks in a forensic investigation. The Email Forensics program provides advanced case management facilities such as creating a case repository, scan status, analyze-and-recover email, log files, a bookmarking option etc. This makes the investigation process more efficient and faster.
Support 20+ Email File Formats For User’s Ease
The software is designed with advanced features to make the forensic examination seamless for the user. The tool is capable of supporting more than 20 file types from both desktop-based (Lotus Notes, Outlook etc.) and web-based (Yahoo, Gmail etc.) email clients. Additionally, the tool integrates enhanced artifact support to examine a wider range of email repositories.
Robust Search Mechanism For Effortless Search
One can easily create custom search filters according to the scenario. The user can make use of the advanced search facility, which includes Fuzzy, Regular Expression, Wildcard, Proximity, Stem and other logical search operators. This helps the user get accurate results. Moreover, the utility also offers support for multiple languages such as Japanese, French, Korean etc.
Geo-location Mapping & Enhanced Document
The utility allows exporting image attachments that carry GPS location data in KML format, which can then be viewed in Google Earth. It also offers enhanced document support for documents contained within disk image files such as E01, DD, LEF, and DMG, and supports GPT disk images in E01 format, ZIP archives, and LEF-processed L01 files.
Hash Algorithm & Advanced OCR Capabilities
The tool supports hash functions such as SHA1, SHA256 and MD5 during analysis, so one can view the SHA1, SHA256 and other hash values of a suspected email. Apart from this, the software also searches the content of images using OCR (Optical Character Recognition).
Acquisition Support for Network & Link Analysis
The Email Forensics Tool provides network acquisition support, which helps investigators scan files from a network or domain and acquire and preserve artifacts directly from the network. With the advanced link analysis feature, forensic investigators can track direct and indirect communication between multiple suspects.
Multiple Views Modes for Examination of Emails
The software provides different email preview modes, which make it easy for forensic investigators to view and analyze emails as required: Normal View, HTML View, RTF View, Hex View, MIME View, Property View, Email Hop View and Attachment View.
Scan & Analyze Mailboxes of Different Platforms
One can easily examine emails from Office 365, Gmail, Live Exchange Server, iCloud, Rackspace and Hotmail with the Email Forensics tool, which downloads and examines mailboxes from these platforms in a trouble-free way.
Export Emails and Attachments Evidence
After the examination of emails, the user can export them into multiple formats such as Concordance, CSV, EML, MSG, HTML, TIFF, PST and PDF. This feature is very beneficial for forensic investigators, as they need to save all the evidence in a particular format to present it in court.
Team Collaboration For Team Work
Sometimes several forensic investigators need to work on the same case. To make group work easy, the software offers a team collaboration facility that allows multiple investigators to work on the same case without any problem.
Examine Skype Messenger Chat Conversation
To investigate Skype chats, call records and SMS and carve evidence from them, the Email Forensics utility provides a unique feature that allows the user to add the Skype database file and view details such as chat messages, sender and receiver details, call records and SMS.
Export Forensic Investigation Case Report
After the examination, one can export a report with all the details of the forensic email investigation. The user can export reports of the case, tags, keywords, bookmarks etc. Moreover, the tool also permits exporting sender, recipient and domain-wise sender reports in HTML, PDF and CSV file formats.
Listed Commonly Asked Questions and Answers
Yes, the software provides a Grid data filter that allows searching without navigating to the search option. It also offers more accurate filtering of the data.
Yes, the tool provides multiple email view modes such as Normal, RTF, Hex, Email Hop and Attachments view, so the user can view emails as required.
Yes, you can easily extract chats, calls and SMS from the user's Skype database and analyze them.
Yes, with the Email Forensics tool one can easily examine and analyze all document formats found in image files such as E01, DMG, DD, LEF and ZIP.
No, there are no data loss or security issues associated with the tool, as it is designed with advanced data protection and security algorithms.
Yes, the software provides an email tagging feature that makes it easy for users to pick out particular emails among thousands. It permits the user to tag specific emails and categorize them.
Yes, the user just has to define the search scope for the evidence (mail, attachment or both) in the 'Look For' option. If the user selects the 'Search within Mail and Attachments' option, the software searches within emails as well as attachments.
Yes, you can easily examine images processed by OCR via the tool. To examine OCR output you need to change a setting in the software: click Options > Processing Options > and check the OCR option.
Yes, the utility permits exporting emails and attachment evidence in multiple formats such as CSV, HTML, TIFF, PST, EML, Concordance, PDF etc., so evidence can easily be exported in PDF format.
Yes, you can easily sort and filter the evidence list by name, size, custodian, item count, etc. with the Email Forensics tool.
Common Terminologies associated with email
SMTP Server: Stands for Simple Mail Transfer Protocol; the primary tasks it performs are:
POP3 Server: An incoming mail server that lets the user RECEIVE the email residing in their mailbox.
IMAP Server: An incoming mail server with the same functionality as a POP-based server, but it retains a copy of the email on the server even after the user downloads it.
SMTP Protocol Commands (Client-Server interaction)
The SMTP protocol governs the language of the email system [as specified in RFC2821]. An SMTP client [an application such as MS Outlook, or webmail such as Gmail] makes a request to an SMTP server (e.g. MS Exchange), and the server responds to the request with an acknowledgment code.
Note: An SMTP server becomes an SMTP client when it transmits email to another SMTP server.
The protocol commands for REQUEST are:
Some common SMTP protocol RESPONSE codes returned for the REQUEST made:
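The request/response dialogue described above, with both sides' messages, as an added example that is not code from the page or from the Email Forensics product. It simulates a tiny SMTP server state machine in-process and drives a client session against it, following the command and reply-code conventions of RFC 5321 (the successor of RFC 2821); the host names and addresses are constructed placeholders.

```python
"""SMTP request/response dialogue, simulated in-process (added example).

Not code from the page or the product. The server side checks command
order and answers with a three-digit reply code; the client side sends the
usual EHLO / MAIL FROM / RCPT TO / DATA / QUIT sequence. Host names and
addresses are constructed placeholders."""

import re
from typing import List, Optional, Tuple

Transcript = List[Tuple[str, str]]  # ("C", line) for client, ("S", line) for server


class SmtpServerSim:
    """Tiny SMTP server state machine: checks command order, returns replies."""

    def __init__(self, hostname: str = "mx.example.test") -> None:
        self.hostname = hostname          # constructed placeholder host name
        self.greeted = False              # EHLO/HELO seen?
        self.sender: Optional[str] = None
        self.recipients: List[str] = []
        self.in_data = False              # between DATA and the terminating "."
        self.data_lines: List[str] = []
        self.messages: List[Tuple[str, List[str], str]] = []  # accepted mail

    def greeting(self) -> str:
        return f"220 {self.hostname} ESMTP service ready"

    def handle(self, line: str) -> str:
        """Process one client line; return the reply ('' while receiving DATA)."""
        if self.in_data:
            if line == ".":
                self.in_data = False
                self.messages.append((self.sender, list(self.recipients),
                                      "\n".join(self.data_lines)))
                self.sender, self.recipients, self.data_lines = None, [], []
                return "250 OK: message accepted for delivery"
            # Undo dot-stuffing: the client doubles a leading "." in body lines.
            self.data_lines.append(line[1:] if line.startswith("..") else line)
            return ""
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb in ("EHLO", "HELO"):
            self.greeted = True
            return f"250 {self.hostname} Hello {arg}"
        if verb == "MAIL":
            if not self.greeted:
                return "503 Bad sequence of commands"
            m = re.fullmatch(r"FROM:<([^>]*)>", arg, re.I)
            if not m:
                return "501 Syntax error in parameters or arguments"
            self.sender = m.group(1)
            return "250 OK"
        if verb == "RCPT":
            if self.sender is None:
                return "503 Bad sequence of commands"
            m = re.fullmatch(r"TO:<([^>]+)>", arg, re.I)
            if not m:
                return "501 Syntax error in parameters or arguments"
            self.recipients.append(m.group(1))
            return "250 OK"
        if verb == "DATA":
            if not self.recipients:
                return "503 Bad sequence of commands"
            self.in_data = True
            return "354 End data with <CR><LF>.<CR><LF>"
        if verb == "QUIT":
            return f"221 {self.hostname} closing connection"
        return "500 Syntax error, command unrecognized"


def run_session(server: SmtpServerSim, client_host: str, sender: str,
                recipients: List[str], body_lines: List[str]) -> Transcript:
    """Drive a complete client session and return the two-sided transcript."""
    transcript: Transcript = [("S", server.greeting())]

    def send(cmd: str) -> str:
        transcript.append(("C", cmd))
        reply = server.handle(cmd)
        if reply:
            transcript.append(("S", reply))
        return reply

    send(f"EHLO {client_host}")
    send(f"MAIL FROM:<{sender}>")
    for rcpt in recipients:
        send(f"RCPT TO:<{rcpt}>")
    if send("DATA").startswith("354"):
        for line in body_lines:
            send("." + line if line.startswith(".") else line)  # dot-stuffing
        send(".")
    send("QUIT")
    return transcript


def reply_codes(transcript: Transcript) -> List[str]:
    """The three-digit codes the server returned, in order."""
    return [line.split()[0] for who, line in transcript if who == "S"]


if __name__ == "__main__":
    srv = SmtpServerSim()
    for who, line in run_session(srv, "client.example.test", "alice@example.test",
                                 ["bob@example.test"], ["Subject: Hello", "", "Hi Bob"]):
        print(f"{who}: {line}")
```

Running the block prints the full exchange: 220 greeting, 250 replies to EHLO, MAIL FROM and RCPT TO, 354 after DATA, 250 once the terminating "." arrives, and 221 on QUIT. Sending commands out of order (MAIL before EHLO, DATA without recipients) yields 503, which is the kind of reply a server log records when a misbehaving client is probing it.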
The email header plays a crucial role in identifying the sender of an email. Many fields within the header can be forged, but it still gives enough information about the sender. By performing email header forensics, the investigator will be able to identify the following:
Other information in the email header that will indirectly help during the forensics process:
A header contains several lines of header information, also known as fields. Each field is itself divided into three components.
The header fields are in general written from bottom to top, so the best approach for the email forensics investigator is to analyze the fields from bottom to top: whatever was done first by the sender's client/server during composition and sending of the email will be located at the very bottom of the header of the email concerned.
Forensics of Email Metadata information
The email forensic investigator can use several header fields to trace an email; they can be broadly categorized into the following areas of interest:
A simple DNS lookup on the source IP found in the header (26.126.148.104 in this case) will reveal the server location, as can be seen in the image as well.
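The bottom-to-top reading of the header described above, as an added example (not code from the page or the product): it parses a raw message with the Python standard library, reverses the Received: chain so the first hop is listed first, pulls the from/by hosts and IP of each hop, and flags domains that disagree with From:. The sample message, host names and IPs are constructed (documentation address ranges), and the optional reverse lookup needs network access.

```python
"""Read a Received: chain from origin to destination (added example).

Not code from the page or the product. Every receiving server prepends its
own Received: line, so the bottom-most line is the first hop (closest to
the sender) and the top-most is the last. Only the hops recorded by servers
you trust are reliable; earlier ones can be forged by the sender.
The sample message and all hosts/IPs are constructed."""

import re
import socket
from email import message_from_string
from typing import Dict, List, Optional

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
FROM_CLAUSE = re.compile(r"\bfrom\s+(\S+)", re.I)
BY_CLAUSE = re.compile(r"\bby\s+(\S+)", re.I)

# Constructed sample: sender workstation -> sender relay -> receiver MX -> mail store.
SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.test>
Received: from mx2.receiver.example.test (mx2.receiver.example.test [203.0.113.7])
\tby mailstore.receiver.example.test with ESMTP id 42; Mon, 1 Jan 2024 10:00:03 +0000
Received: from relay.sender.example.test (relay.sender.example.test [198.51.100.25])
\tby mx2.receiver.example.test with ESMTPS; Mon, 1 Jan 2024 10:00:02 +0000
Received: from workstation-17 (unknown [192.0.2.44])
\tby relay.sender.example.test with ESMTPA; Mon, 1 Jan 2024 10:00:01 +0000
From: "Finance" <ceo@sender.example.test>
To: bob@receiver.example.test
Subject: Invoice
Message-ID: <abc123@sender.example.test>

Please see the attached invoice.
"""


def received_chain(raw: str) -> List[Dict[str, Optional[str]]]:
    """Hops ordered origin-first, each with the from/by hosts and the first IP seen."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom of header first
        flat = " ".join(value.split())                     # unfold continuation lines
        ips = IPV4.findall(flat)
        frm = FROM_CLAUSE.search(flat)
        by = BY_CLAUSE.search(flat)
        hops.append({
            "from": frm.group(1) if frm else None,
            "ip": ips[0] if ips else None,   # usually the address the "by" host observed
            "by": by.group(1) if by else None,
        })
    return hops


def originating_ip(raw: str) -> Optional[str]:
    """IP recorded in the first hop (the one to run a DNS/WHOIS lookup on)."""
    chain = received_chain(raw)
    return chain[0]["ip"] if chain else None


def _domain_of(field: str) -> Optional[str]:
    m = re.search(r"@([A-Za-z0-9.-]+)", field)
    return m.group(1).lower() if m else None


def header_mismatches(raw: str) -> List[str]:
    """Flag Return-Path / Message-ID domains that disagree with From:, a forgery hint."""
    msg = message_from_string(raw)
    findings = []
    from_dom = _domain_of(msg.get("From", ""))
    for name in ("Return-Path", "Message-ID"):
        dom = _domain_of(msg.get(name, ""))
        if from_dom and dom and dom != from_dom:
            findings.append(f"{name} domain {dom} differs from From domain {from_dom}")
    return findings


def reverse_lookup(ip: str) -> Optional[str]:
    """PTR lookup for a hop IP (needs network; returns None when unavailable)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None


if __name__ == "__main__":
    for i, hop in enumerate(received_chain(SAMPLE_RAW), 1):
        print(f"hop {i}: from {hop['from']} [{hop['ip']}] by {hop['by']}")
    print("originating IP:", originating_ip(SAMPLE_RAW))
    print("mismatches:", header_mismatches(SAMPLE_RAW))
```

On the constructed sample the chain reads 192.0.2.44 (the sender's workstation) → 198.51.100.25 → 203.0.113.7, and the Return-Path domain is reported as differing from the From: domain. The "ip" of a hop is the address the receiving server recorded for its peer, so it is only as trustworthy as that server; an investigator should walk the chain until the first server under their own (or a known provider's) control and treat anything below it with suspicion.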
Email clients such as Outlook and Entourage are standalone applications installed on the user's computer, designed to send, receive and organize emails.
Some examples of Email Clients:
Some Examples of Web-Based Email Clients
Standalone Email Applications Examples
Windows Search Index: There will be times when email files are scattered, and when searching gigabytes of data it becomes hard to locate all of them. When performing email computer forensics, the investigator can use the Windows Search Index to locate the email files. Windows Search maintains an index of the documents and applications on the computer, including file contents, so with the right keyword and file-type search you can instantly locate all the emails Windows Search has indexed.
Windows Search greatly helps in computer forensics of email, as you can narrow the search by the document type you are interested in, by the keywords you are looking for and by file extension. By combining these parameters you can easily find all the emails that exist on the disk/drive.
Network Status: Almost all laptops/desktops come with pre-installed NICs (network interface cards), which provide the host machine's interface to the outside world (the network) and can play a significant role in email forensics. Many web-based email service providers record the IP address of the originating system from which the email was composed and dispatched to the receiver. The ipconfig command will list all the NICs on the computer.
Parsing Process Memory: Physical memory (RAM) also holds key information, and one may obtain useful data such as IP and email addresses by parsing the contents of a RAM dump.
Internet Explorer: During a forensic search for emails on a computer system, the data stored by Internet Explorer can reveal a thing or two about the emails, such as which email provider the user usually logs in to and the most frequently visited sites.
Memory Forensics for email artifacts recovery
You can track and map a user's activities via the memory artifacts created by the operating system or an application (Outlook, for instance); these give you access to some exclusive evidence that you would otherwise not find. One can find the following data in memory:
Though most of the critical material will be found in the data collected from persistent storage, memory lets you capture invaluable evidence to reconstruct the event.
The ease, speed and relative anonymity of email make it an attractive option for criminals. Email crimes can be broadly divided into two main categories:
Crimes committed by sending an email, such as:
If you suspect the email is a spear phishing attempt, you can use the following email fields to gain information: