Email Forensics GuideBook – Investigation Became Easy With Right Software

Find Out All the Necessary Steps Required for Email Forensic Investigation. Get the Right Tool & Get Email Forensic Analysis Done with Ease.

MailPro+ Email Forensic Software

All in One Software to View, Analyse, Search & Export Emails from 12+ Email Formats into 7 File Formats

Learn all the steps necessary for the email forensics purpose. With right tool and method the investigation will become easy.

Email has become the primary source of communication and almost everyone who owns a computer sends or receives emails on regular basis. One can imagine how email has become core part of communication with the fact that close to 3 million messages are sent every single second. Such widespread email penetration has resulted in various misuse of the technology. People with malafide intention use emails to commit the crime.

This article will illustrate possible ways to perform e-mail forensics to recover and analyze and trace back the email to the sender. Your goal during the email forensics investigation is to find out the crime committed or willfully violation of company policies. There are various clues that you can get to connect the dot and nail the culprit.

For Advance Email Forensics, Please Click

Advanced Email Forensics Software

Area of Thrust for Email Forensics Process

Email System Basics

Common Terminologies associated with email

SMTP Server: Stands for Simple Mail Transfer Protocol and the primary task that it performs are:

Receives emails from the sender.
Validate source and destination addresses.
Sends and Receives emails To and From other SMTP Server.
User/Email Client/ Webmail use SMTP to SEND the intended email.

POP3 Server: It is an incoming mail server that helps the user to RECEIVE the email residing in its e-mailbox.

Recipient Receives the email
POP3 Server Deletes the email from its server once user's email client download the particular email.
Usually work on port 110

IMAP Server: Incoming mail Server exhibits same functionality as of POP based server but retain copy of email even after user downloads the email.

SMTP Server — Fig 1.1 Path Traveled by the Email from sender to receiver

SMTP Protocol Commands (Client-Server interaction)

SMTP protocol governs the email system language [as specified in RFC2821]. The process of SMTP client [application (MS Outlook)/webmail (Gmail)] making a request to SMTP Server (e.g. MS Exchange) and the server responding back to the request with acknowledgment code.
Note: SMTP Server becomes SMTP client when it transmits email to other SMTP server.

The protocol commands for REQUEST are:

EHLO or HELO: SMTP Client identifies itself to SMTP server with this command.
MAIL FROM: This command tells the Server the source of the email message (sender).
RESET: SMTP Client asks the SMTP server to abandon the current transaction.
VERIFY: SMTP client ask the Server to verify a user/mailbox.
EXPN: SMTP client ask the Server to confirm the mailing list and after confirmation should return membership of the list.
HELP: The client asks the server to send helpful information.
NOOP: this SMTP protocol commands request the server to send an "ok" reply.
QUIT: this command tells the server to send an "ok" command and thereafter terminate the transmission channel.

Some common SMTP Protocol RESPONSE codes that are returned for the REQUEST made

220: Server Ready
250: Successfully completed the request
254: Server waiting for DATA: command
221: Server closing the transmission channels.

smtp client server interaction example — Fig 1.2 Client Server Interaction Example

Client vs Server — Fig 1.3 Example of communication between email client (application or webmail) with the SMTP server for data transfer

Email Header Forensics

Email header plays a crucial role in identifying the sender of an email. Many fields can be forged within the header part but it still gives enough information about the sender. The investigator upon performing the email header forensics will able to identify the following:

Other information in the email header that indirectly will help you during the forensics process:

Sender of the email
Network path it traversed and path of origination
SMTP Servers it went through

Time Stamp Detail
Email Client information
Encoding information

Header contains several lines of header information also known as fields. Each field itself is divided into three components.

Field Label
Followed by semicolon ":"
Field Body

The header fields in general are written from bottom to top hence the best way for the email forensics investigator is to analyze all those fields from bottom to top. So whatever is done initially by the sender's client/server during the composition and sending of email those fields will be located at the very bottom of the header part of the concerned email.

Forensics of Email Metadata information

The Email forensic investigator can use several header fields to trace the email but it can be broadly categorized into the following area of interest the investigator should look into:

Sender's SMTP Server (OUTGOING Mail Server)
Encrypted mail header
Typical To, From, Subject, and Date Lines
Mail transfer email client information
Various X-header information added by different SMTP server and email clients during the whole email sending process.

A simple DNS lookup after finding the source ip (26.126.148.104 in this case) will reveal the server location, as one can see in the image as well.

Broad steps in Email Forensics for the Investigator

Email Client Forensics

Email Computer Forensics

Window Search Index: There will be time when emails files are scattered and when doing search in Gigabytes of data it becomes hard to locate all the emails. When performing email computer forensics the investigator can use the Window Search Index features to locate the email files. Window search index maintains a record any document/application on the computer including the content of the files hence with right keyword and file type search you will be able to locate all the emails indexed by Windows Search instantly.

Windows search will greatly help in computer forensics of email as you can sort the document type that you are interested in KWs you are looking for and extension to search. By combining all the parameters you will be able to easily get all the email that exists within the disk/drive.

Network Status: Almost all laptop/Desktop comes with pre-installed NIC Cards (Network interface cards) and provides interface to the host machine with the outside world (network) and can play significant role in email forensics. Many web based email service provider records the IP address of the originating system from where the email was composed and dispatched to the receiver. Ipconfig command will help you to locate all the NICs on the computer.

Parsing Process Memory: Processor memory (RAM) also holds key information and one might get useful information such as IP and email addresses if one is able to parse through the content of RAM Dump.

Internet Explorer: During your forensic search for emails in computer system you can use the data stored by internet explorer to know a bit or two about the emails such as which email provider the user usually logins to and most frequently site visited.

Memory Forensics for email artifacts recovery

You can track and map user's activities via the memory artifact created by the operating system or application (outlook for instance) that will give you hold on some of the exclusive evidence that you otherwise would not find. One can find some of these data in the memory:

Unencrypted e-mail messages
Private email structure
Mapped files
Internet history records that usually does not get cached by the browser.
Content processed by the application

Though the majority of critical component you will find in the data you collected that reside in the persistent storage medium, you will be able to capture invaluable evidence to reconstruct the event.

Crime Committed via Email

Ease, speed and relative anonymity of email makes it lucrative option for committing crimes for the criminals. Email crimes can be broadly divided into two main categories:

Crimes that are committed by sending an email, such as:

Email Spamming: In simple term it can be defined as sending unsolicited emails. Email Spammers generally obtains the email ids from webpages, DNS listing and every other possible source and send unsolicited emails to the gathered email database.
Mail Bombing: The primary intension of mail bombing is to cause denial-of-service attack to the victim by sending huge volumes of emails to the victim's mailbox/server to crash down.
Phishing: It is criminal act of sending an unsolicited and illegitimate email falsely claiming to be from legitimate site/company in order to win the victim's trust and acquire their personal/account information by redirecting them to fake webpages of the trustworthy sites and asking them to input the data.
Email Spoofing: is the act of forging the email header so that the message appears to originate from source other than the actual source. The perpetrator might attach Trojan, virus or warm files as attachments file in the email.
Email Sphere fishing: In this email fraud the perpetrator will ask for confidential and sensitive information. This type of attack resembles with e-mail spoofing fraud but in here in almost all cases the sender is someone trustworthy with an authoritative position in the organization.

Example of Email Sphere fishing asking the victim to input sensitive information

If you suspect the email is of Sphere fishing type then you can use the following email fields to gain information:

From and Reply-To Field
Subject Line
Unique Message ID (ESMTP)
URL (if any) the email is prompting the user to visit, this url will also revel the domain the perpetrator used to lure the victim. Check the Whois for further information.
Received Field to identify the originating IP address or at least the SMTP server of the sender.

Laws Against Email Crimes