Email Forensic Software – MailXaminer & MailPro+


Email Forensics Software



Email Forensics Software is a versatile tool to simplify email forensics with accurate results. The software is integrated with proficient features which makes case management task hassle-free for the forensic investigators. Moreover, the utility supports examination of 80+ email clients.

  • Manage Cases in An Efficient and Faster Way via Advanced Case Management Facility
  • Support 20+ Email File Types of Both Desktop-Based or Web-Based Email Clients
  • Provide Support to Hash Function: SHA1, SHA 265 and MD5 During Analysis
  • Enhanced Artifacts and Documentation Support (E01, DD, LEF, DMG etc.)
  • Multiple Email Views (Hex, RTF, MIME, Email Hop etc.) for Forensic Examination
  • Examine Skype Messaging Application Database Details Such as Chat, SMS, Calls
  • Geo-Location Mapping: Image Attachments with GPS Location Can be Exported as KML
  • Advanced Link Analysis to Track Direct and Indirect Conversation of The Users
  • Examine Emails of Office 365, Rackspace, Gmail, iCloud, Live Exchange Server etc.
  • Permits Investigators for Scanning Files from a Network or Domain
  • Language Support for Search in Japanese, Chinese, Korean, French, Spanish
  • Save Evidence in Court Acceptable Format by Recovering Deleted Email Components
  • Generate Export Report with All The Detailed Information in HTML, CSV and PDF

Top Features of Email Forensics Utility
Email Forensic Software for Email Investigation

Easy Case Management

Easy Case Management For Investigators

Case management is one of the most important tasks when it comes to forensic investigation. The Email Forensics program provides advanced case management facility such as creating a case repository, scan status, analyze and recover email, log files, bookmarking option etc. This makes the investigation process efficient and faster.

Support 20+ Email File Formats

Support 20+ Email File Formats For User’s Ease

The software is designed with advanced features to make the forensic examination seamless for the users. The tool is capable to support more than 20 file types of both desktop-based (Lotus Notes, Outlook etc.) or web-based (Yahoo, Gmail etc.) email clients. Additionally, the tool is also integrated with enhanced artifacts support to examine a wider range of email repositories.

Robust Search Mechanism

Robust Search Mechanism For Effortless Search

One can easily create custom search filters according to the scenarios. The user can make use of advance cultivated search facility which includes Fuzzy, Regular Expression, Wildcard, Proximity, Stem and other logical search operators. This helps the user to get the accurate results. Moreover, support for multiple languages such as Japanese, French, Korean etc. is also offered by the utility.

Geo-location Mapping

Geo-location Mapping & Enhanced Document

The utility allows export the available image attachment having GPS locations in KML format. One can also view it using Google Earth. Plus, it also offers enhanced documents support for the document format present within the image files such as E01, DD, LEF, and DMG. It also provides support for GPT Disk image for E01, Zip archived file, LEF process L01 file.

Hash Algorithm Support

Hash Algorithm & Advanced OCR Capabilities

The tool provides support to hash function such as SHA1, SHA 265, MD5 during analysis. One can easily view SHA1, SHA 25 etc. hash values of the suspected email. Apart from this, the software also searches in image(s) content with OCR (Optical Character Recognition) process.

Network & Advanced Link Analysis

Acquisition Support for Network & Link Analysis

Email Forensics Tool provides acquisition support for the network that helps investigators to scan files from a Network or Domain. One can acquire and preserve artifacts directly from the network. With advanced link analysis features, it is possible for the forensic investigators to track the direct and indirect communication between multiple suspects.

Multiple Views Modes

Multiple Views Modes for Examination of Emails

Different email preview modes are provided by the software which makes easy for the forensic investigators to view and analyze email as per the requirements. The tool provides Normal View, HTML View, RTF View, Hex View, MIME View, Property View, Email Hop View, Attachment View.

Scan and Analyze Mailboxes

Scan & Analyze Mailboxes of Different Platforms

One can easily examine emails of Office 365, Gmail, Live Exchange Server, iCloud, Rackspace, Hotmail via Email Forensics tool. The software supports to download and examine mailboxes of the various platforms in a trouble-free way.

Export Emails with Attachments

Export Emails and Attachments Evidence

After the examination of emails, the user can export emails into multiple formats such as Concordance, CSV, EML, MSG, HTML, TIFF, PST, PDF. This feature is very beneficial for forensic investigators as they need to save all the evidence in a particular format to present them in court.

Team Collaboration

Team Collaboration For Team Work

Sometimes, forensic investigators need to work on the same case. To make the group work easy for the users the software offers team collaboration facility which allows multiple investigators to work on the same case without any problem.

Examine Chat Conversation

Examine Skype Messenger Chat Conversation

To investigate Skype chats, call records, SMS and carve out evidence from them, the Email Forensics utility provides a unique feature which permits the user to add the Skype database file and view details such as chat message format, sender and receiver details, call records, SMS.

Investigation Case Report

Export Forensic Investigation Case Report

After all the examination process, one can export the report with all the details associated with the forensic investigation of emails. The user can export the reports of the case, tags, keywords, bookmarks etc. Moreover, the tool also permits to export the sender’s, recipients report, domain-wise senders report in HTML, PDF and CSV file formats.

Frequently Asked Questions

Listed Commonly Asked Questions and Answers

Does the Email Forensics tool provide any data filtering option?

Yes, the software provides Grid data filter which allows searching without navigating to the search option. Also, it offers more accurate filtering of the data.

Yes, the tool provides multiple email view modes such as Normal, RTF, Hex, Email Hop, Attachments view etc. So, the user can view email as per the requirements.

Yes, you can easily extract chats, call and SMS associated with the user’s Skype database and analyze it.

Yes, with the help of Email Forensic tool, one can easily examine and analyze all the document formats available in image files such as E01, DMG, DD, LEF and ZIP file.

No, there are no data loss and security issues associated with the tool as it is designed with advanced data protection and security algorithms.

Yes, the software provides email tagging feature which makes easy for the users to examine particular emails among thousands of emails. This feature permits the user to tag the specific emails and categorize them.

Yes, the user just has to define the search preference for the evidence in mail/attachment/both in the ‘Look For’ option. If the user selects ‘Search within Mail and Attachments’ option then the software enables searching within emails as well as attachments.

Yes, you can easily examine image processed by the OCR technique via the tool. To examine the OCR file, you need to change some settings of the software. For that, click Options > Processing Options > Check OCR option.

Yes, the utility permits to export emails and attachments evidence in multiple formats such as CSV, HTML, TIFF, PST, EML, Concordance, PDF etc. So, one can easily export evidence in PDF file format.

Yes, you can easily sort and filter the evidence list as per the name, size, custodian, item count, etc. with the help of Email Forensics tool.

Area of Thrust for Email Forensics Process

Email System Basics

Common Terminologies associated with email

SMTP Server: Stands for Simple Mail Transfer Protocol and the primary task that it performs are:

  • Receives emails from the sender.
  • Validate source and destination addresses.
  • Sends and Receives emails To and From other SMTP Server.
  • User/Email Client/ Webmail use SMTP to SEND the intended email.

POP3 Server: It is an incoming mail server that helps the user to RECEIVE the email residing in its e-mailbox.

  • Recipient Receives the email
  • POP3 Server Deletes the email from its server once user's email client download the particular email.
  • Usually work on port 110

IMAP Server: Incoming mail Server exhibits same functionality as of POP based server but retain copy of email even after user downloads the email.

SMTP Server
Fig 1.1 Path Traveled by the Email from sender to receiver

SMTP Protocol Commands (Client-Server interaction)

SMTP protocol governs the email system language [as specified in RFC2821]. The process of SMTP client [application (MS Outlook)/webmail (Gmail)] making a request to SMTP Server (e.g. MS Exchange) and the server responding back to the request with acknowledgment code.
Note: SMTP Server becomes SMTP client when it transmits email to other SMTP server.

The protocol commands for REQUEST are:

  • EHLO or HELO: SMTP Client identifies itself to SMTP server with this command.
  • MAIL FROM: This command tells the Server the source of the email message (sender).
  • RESET: SMTP Client asks the SMTP server to abandon the current transaction.
  • VERIFY: SMTP client ask the Server to verify a user/mailbox.
  • EXPN: SMTP client ask the Server to confirm the mailing list and after confirmation should return membership of the list.
  • HELP: The client asks the server to send helpful information.
  • NOOP: this SMTP protocol commands request the server to send an "ok" reply.
  • QUIT: this command tells the server to send an "ok" command and thereafter terminate the transmission channel.

Some common SMTP Protocol RESPONSE codes that are returned for the REQUEST made

  • 220: Server Ready
  • 250: Successfully completed the request
  • 254: Server waiting for DATA: command
  • 221: Server closing the transmission channels.
smtp client server interaction example
Fig 1.2 Client Server Interaction Example
Client vs Server
Fig 1.3 Example of communication between email client (application or webmail) with the SMTP server for data transfer
Email Header Forensics
5.1 MIME Email Header

Email header plays a crucial role in identifying the sender of an email. Many fields can be forged within the header part but it still gives enough information about the sender. The investigator upon performing the email header forensics will able to identify the following:

Other information in the email header that indirectly will help you during the forensics process:

  • Sender of the email
  • Network path it traversed and path of origination
  • SMTP Servers it went through
  • Time Stamp Detail
  • Email Client information
  • Encoding information

Header contains several lines of header information also known as fields. Each field itself is divided into three components.

  • Field Label
  • Followed by semicolon ":"
  • Field Body
Return Path

The header fields in general are written from bottom to top hence the best way for the email forensics investigator is to analyze all those fields from bottom to top. So whatever is done initially by the sender's client/server during the composition and sending of email those fields will be located at the very bottom of the header part of the concerned email.

Email Header Analysis

Forensics of Email Metadata information

The Email forensic investigator can use several header fields to trace the email but it can be broadly categorized into the following area of interest the investigator should look into:

  • Sender's SMTP Server (OUTGOING Mail Server)
  • Encrypted mail header
  • Typical To, From, Subject, and Date Lines
  • Mail transfer email client information
  • Various X-header information added by different SMTP server and email clients during the whole email sending process.
Email Header Component Email Header

A simple DNS lookup after finding the source ip ( in this case) will reveal the server location, as one can see in the image as well.

IP Address
Email Investigation
  • Obtain a search warrant and seize the accused computer and email account
  • Obtain a Bit-by-Bit Image of the concerned Email data
  • Through Examination of Email Header
  • Trace the origin of the concerned email.
  • Acquire email archive
  • Recover Deleted Emails
  • Present the case in admissible format.

Email clients such as Outlook, Entourage are standalone applications installed on users computer designed to send, receive and organize emails.

  • It retrieves emails from the mailbox (user's Incoming mail server via pop3/imap4 protocol)
  • Allows user to create new email and send it to the user's outgoing email server (SMTP Server via SMTP protocol)
  • Display header part of all emails in user's mailbox

Some example of Email Clients:

Some Example of Web Based Email Clients

  • Yahoo! Mail
  • Gmail
  • Hotmail

Standalone Email Applications Examples

  • Microsoft Outlook
  • Thunderbird

Window Search Index: There will be time when emails files are scattered and when doing search in Gigabytes of data it becomes hard to locate all the emails. When performing email computer forensics the investigator can use the Window Search Index features to locate the email files. Window search index maintains a record any document/application on the computer including the content of the files hence with right keyword and file type search you will be able to locate all the emails indexed by Windows Search instantly.

Window Search

Windows search will greatly help in computer forensics of email as you can sort the document type that you are interested in KWs you are looking for and extension to search. By combining all the parameters you will be able to easily get all the email that exists within the disk/drive.

Fast Search

Network Status: Almost all laptop/Desktop comes with pre-installed NIC Cards (Network interface cards) and provides interface to the host machine with the outside world (network) and can play significant role in email forensics. Many web based email service provider records the IP address of the originating system from where the email was composed and dispatched to the receiver. Ipconfig command will help you to locate all the NICs on the computer.

Parsing Process Memory: Processor memory (RAM) also holds key information and one might get useful information such as IP and email addresses if one is able to parse through the content of RAM Dump.

Internet Explorer: During your forensic search for emails in computer system you can use the data stored by internet explorer to know a bit or two about the emails such as which email provider the user usually logins to and most frequently site visited.

Internet Explorer

Memory Forensics for email artifacts recovery

You can track and map user's activities via the memory artifact created by the operating system or application (outlook for instance) that will give you hold on some of the exclusive evidence that you otherwise would not find. One can find some of these data in the memory:

  • Unencrypted e-mail messages
  • Private email structure
  • Mapped files
  • Internet history records that usually does not get cached by the browser.
  • Content processed by the application

Though the majority of critical component you will find in the data you collected that reside in the persistent storage medium, you will be able to capture invaluable evidence to reconstruct the event.

Ease, speed and relative anonymity of email makes it lucrative option for committing crimes for the criminals. Email crimes can be broadly divided into two main categories:

Crimes that are committed by sending an email, such as:

  • Email Spamming: In simple term it can be defined as sending unsolicited emails. Email Spammers generally obtains the email ids from webpages, DNS listing and every other possible source and send unsolicited emails to the gathered email database. Email Spamming
  • Mail Bombing: The primary intension of mail bombing is to cause denial-of-service attack to the victim by sending huge volumes of emails to the victim's mailbox/server to crash down. Mail Bombing
  • Phishing: It is criminal act of sending an unsolicited and illegitimate email falsely claiming to be from legitimate site/company in order to win the victim's trust and acquire their personal/account information by redirecting them to fake webpages of the trustworthy sites and asking them to input the data. Phishing
  • Email Spoofing: is the act of forging the email header so that the message appears to originate from source other than the actual source. The perpetrator might attach Trojan, virus or warm files as attachments file in the email. Email Spoofing Demo Email Spoofing Example
  • Email Sphere fishing: In this email fraud the perpetrator will ask for confidential and sensitive information. This type of attack resembles with e-mail spoofing fraud but in here in almost all cases the sender is someone trustworthy with an authoritative position in the organization. Sphere Phishing
    Sphere Phishing Example
    Example of Email Sphere fishing asking the victim to input sensitive information

If you suspect the email is of Sphere fishing type then you can use the following email fields to gain information:

  • From and Reply-To Field
  • Subject Line
  • Unique Message ID (ESMTP)
  • URL (if any) the email is prompting the user to visit, this url will also revel the domain the perpetrator used to lure the victim. Check the Whois for further information.
  • Received Field to identify the originating IP address or at least the SMTP server of the sender.
Law Against Email Crimes
  • The CAN-SPAM Act of 2003 establish requirements for those who send commercial emails, spells out penalties for spammers and companies whose products are advertised in spam.
  • 18 U.S. Code § 2252A & 2252B: This law prevents and punishes the culprit in cases concerning crimes that have been committed using the digital means. This law also takes care of the Email Malpractices.
  • RCW 19.190.20: This law governs to the resident of Washington and prohibits any person from commercial transmission of electronic mail messages.
  • Stored Communications Act (18 U.S.C. §§ 2701-12): This act protect the owner's file content that are stored by the service provider from any unauthorized use failing which there are many civil and criminal penalties for the act hence the forensics expert need to submit specific proof before a court order or search warrant can be issued against the alleged person.
What Customers Are Saying

Get an Overview of Email Forensic Software

25 Ratings
5 Star
4 Star
3 Star
2 Star
1 Star