Learn all the steps necessary for email forensics. With the right tools and methods, the investigation becomes much easier.
Email has become the primary means of communication, and almost everyone who owns a computer sends or receives email on a regular basis. One can gauge how central email has become from the fact that close to 3 million messages are sent every single second. Such widespread penetration has also led to various misuses of the technology: people with mala fide intent use email to commit crimes.
This article will illustrate possible ways to perform email forensics: recovering and analyzing messages and tracing an email back to its sender. Your goal during an email forensics investigation is to establish the crime committed or the willful violation of company policy. There are various clues you can gather to connect the dots and identify the culprit.
SMTP Server: Stands for Simple Mail Transfer Protocol; the primary tasks it performs are:
POP3 Server: An incoming mail server that lets the user RECEIVE the email residing in their mailbox.
IMAP Server: An incoming mail server that exhibits the same functionality as a POP-based server but retains a copy of the email on the server even after the user downloads it.
SMTP Protocol Commands (Client-Server interaction)
The SMTP protocol governs the language of the email system [as specified in RFC 2821]. An SMTP client [a desktop application (MS Outlook) or webmail (Gmail)] makes a request to an SMTP server (e.g. MS Exchange), and the server responds to the request with an acknowledgment code.
Note: An SMTP server becomes an SMTP client when it relays email to another SMTP server.
The protocol commands for REQUEST are:
Some common SMTP protocol RESPONSE codes that are returned for the REQUEST made:
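To make the request/response exchange concrete, here is an added example (not code from the original article) that parses a constructed SMTP session transcript into client commands and the server's reply codes. The hostnames and addresses in the sample session are invented; the reply-code classes follow the first-digit convention of RFC 2821.

```python
"""Parse an SMTP client/server dialogue into (command, reply code) pairs.

Added example; the transcript below is constructed, not captured from any
real server. "C:" lines are what the client sent, "S:" lines are the
server's replies; every client command receives a three-digit reply code.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample session; hostnames and mailboxes are made up.
SAMPLE_SESSION = """\
S: 220 mail.example.test ESMTP ready
C: EHLO client.example.test
S: 250-mail.example.test
S: 250 SIZE 10240000
C: MAIL FROM:<alice@example.test>
S: 250 OK
C: RCPT TO:<bob@example.test>
S: 250 OK
C: RCPT TO:<nobody@example.test>
S: 550 No such user here
C: DATA
S: 354 End data with <CR><LF>.<CR><LF>
C: Subject: test
C:
C: hello
C: .
S: 250 OK: queued as 12345
C: QUIT
S: 221 Bye
"""

REPLY_RE = re.compile(r"^(\d{3})([ -])(.*)$")


@dataclass
class Exchange:
    command: str                       # client command line (verb + argument)
    code: Optional[int] = None         # last reply code the server returned
    replies: List[str] = field(default_factory=list)  # reply text lines


def parse_session(text):
    """Return one Exchange per client command, in session order.

    Multi-line replies (250-... continuation lines) are collapsed into the
    exchange they answer. Message body lines sent after DATA are not
    commands, so they are skipped until the terminating "." line; the final
    "250 ... queued" reply is attached to the DATA exchange.
    """
    exchanges = []
    current = None
    in_data = False
    for raw in text.splitlines():
        if raw.startswith("S: "):
            m = REPLY_RE.match(raw[3:])
            if not m or current is None:      # malformed line or greeting banner
                continue
            code, sep, msg = int(m.group(1)), m.group(2), m.group(3)
            current.code = code
            current.replies.append(msg)
            if sep == " " and current.command.upper() == "DATA" and code == 354:
                in_data = True                # server is now accepting the body
        elif raw.startswith("C:"):
            line = raw[2:].lstrip()
            if in_data:
                if line == ".":
                    in_data = False
                continue                      # body lines are not commands
            current = Exchange(command=line)
            exchanges.append(current)
    return exchanges


def rejected_recipients(exchanges):
    """RCPT TO addresses the server refused with a permanent (5xx) error."""
    rejected = []
    for ex in exchanges:
        if ex.command.upper().startswith("RCPT TO:") and ex.code and 500 <= ex.code < 600:
            rejected.append(ex.command.split(":", 1)[1].strip().strip("<>"))
    return rejected


def reply_class(code):
    """Map the first digit of a reply code to its RFC 2821 meaning."""
    return {2: "positive completion", 3: "positive intermediate",
            4: "transient negative", 5: "permanent negative"}.get(code // 100, "unknown")


if __name__ == "__main__":
    for ex in parse_session(SAMPLE_SESSION):
        print(f"{ex.command:40} -> {ex.code} ({reply_class(ex.code)})")
    print("rejected:", rejected_recipients(parse_session(SAMPLE_SESSION)))
```

The same parser works on a mail server's protocol log once the "C:"/"S:" prefixes are adapted to that log's format; the rejected-recipient list is a quick way to spot address-probing against a server.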
The email header plays a crucial role in identifying the sender of an email. Many fields within the header can be forged, but it still gives enough information about the sender. By performing email header forensics, the investigator will be able to identify the following:
Other information in the email header that will indirectly help you during the forensics process:
The header contains several lines of header information, also known as fields. Each field itself is divided into three components.
Header fields are in general written from bottom to top (each server that handles the message prepends its own fields above the existing ones), so the best way for the email forensics investigator to read them is from bottom to top. Whatever was done first by the sender's client/server during composition and sending is located at the very bottom of the header part of the email in question.
Forensics of Email Metadata information
The email forensic investigator can use several header fields to trace the email; they can be broadly categorized into the following areas of interest the investigator should look into:
A simple DNS lookup after finding the source IP (18.104.22.168 in this case) will reveal the server location, as one can see in the image as well.
Email clients such as Outlook and Entourage are standalone applications installed on the user's computer, designed to send, receive and organize email.
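The header walk described above, as an added example that is not part of the original article: it reads the Received chain bottom-to-top (oldest hop first), takes the originating IP from the earliest hop, and compares the sender-identity fields (From, Return-Path, Reply-To, Message-ID) for the domain mismatches that a header review should flag. The raw message is constructed; apart from the article's 18.104.22.168, every hostname, address and IP in it is invented. The reverse-DNS helper at the end needs network access and is included only to show where that step fits.

```python
"""Walk an email header from the bottom up and extract the routing chain.

Added example, not from the original article. SAMPLE_RAW is constructed;
only the IP 18.104.22.168 comes from the article, everything else is
made up.
"""
import re
import socket
from email import message_from_string
from email.utils import parseaddr

SAMPLE_RAW = """\
Return-Path: <bounce@mailer.example.test>
Received: from relay2.example.test (relay2.example.test [203.0.113.20])
\tby inbound.example.test with ESMTP id abc123;
\tMon, 01 Jan 2024 10:00:05 +0000
Received: from relay1.example.test (relay1.example.test [203.0.113.10])
\tby relay2.example.test with ESMTP id def456;
\tMon, 01 Jan 2024 10:00:03 +0000
Received: from [18.104.22.168] (unknown [18.104.22.168])
\tby relay1.example.test with ESMTPA id ghi789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: "Accounts Payable" <ap@bank.example.test>
Reply-To: <refund-desk@mailer.example.test>
To: victim@corp.example.test
Subject: Invoice overdue
Message-ID: <20240101100001.1234@mailer.example.test>
Date: Mon, 01 Jan 2024 10:00:00 +0000

Please see attached.
"""

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
FROM_BY_RE = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)", re.S)


def received_chain(msg):
    """Received hops oldest-first as (from_host, by_host, ip) tuples.

    message_from_string keeps headers in file order (newest hop first),
    so the list is reversed to read bottom-to-top as the text advises.
    """
    hops = []
    for value in msg.get_all("Received", []):
        flat = " ".join(value.split())            # unfold continuation lines
        m = FROM_BY_RE.search(flat)
        ip_m = IPV4_RE.search(flat)
        hops.append((m.group(1) if m else None,
                     m.group(2) if m else None,
                     ip_m.group(1) if ip_m else None))
    return list(reversed(hops))


def originating_ip(msg):
    """IP recorded in the earliest (bottom-most) Received header, or None."""
    chain = received_chain(msg)
    return chain[0][2] if chain else None


def domain_of(addr):
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def identity_mismatches(msg):
    """Sender-identity inconsistencies that commonly indicate spoofing."""
    findings = []
    from_dom = domain_of(msg.get("From", ""))
    checks = {
        "Return-Path": domain_of(msg.get("Return-Path", "")),
        "Reply-To": domain_of(msg.get("Reply-To", "")),
        "Message-ID": msg.get("Message-ID", "").strip("<>").rpartition("@")[2].lower(),
    }
    for name, dom in checks.items():
        if dom and dom != from_dom:
            findings.append(f"{name} domain ({dom}) differs from From ({from_dom})")
    return findings


def analyze(raw):
    msg = message_from_string(raw)
    return {"origin_ip": originating_ip(msg),
            "hops": received_chain(msg),
            "mismatches": identity_mismatches(msg)}


def reverse_lookup(ip):
    """The DNS step from the text; returns the PTR name or None (needs network)."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror, OSError):
        return None


if __name__ == "__main__":
    result = analyze(SAMPLE_RAW)
    print("origin:", result["origin_ip"], "->", reverse_lookup(result["origin_ip"]))
    for hop in result["hops"]:
        print("hop:", hop)
    for finding in result["mismatches"]:
        print("flag:", finding)
```

Only the bottom-most Received header was written by a server you trust to be honest about its peer; anything below it could have been inserted by the sender, so the hop immediately above the earliest trusted relay is where the originating IP should be taken from in practice.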
Some examples of email clients:
Some examples of web-based email clients:
Examples of standalone email applications:
Windows Search Index: There will be times when email files are scattered, and when searching through gigabytes of data it becomes hard to locate all of them. When performing email computer forensics, the investigator can use the Windows Search Index feature to locate the email files. The Windows search index maintains a record of every document/application on the computer, including the content of the files, so with the right keyword and file-type search you will be able to instantly locate all the emails indexed by Windows Search.
Windows Search will greatly help in computer forensics of email, as you can filter by the document type you are interested in, the keywords you are looking for and the file extension. By combining all these parameters you will be able to easily find all the email that exists on the disk/drive.
Network Status: Almost all laptops/desktops come with pre-installed NICs (network interface cards), which provide the host machine's interface to the outside world (the network) and can play a significant role in email forensics. Many web-based email service providers record the IP address of the originating system from which the email was composed and dispatched to the receiver. The ipconfig command will help you locate all the NICs on the computer.
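As an added example (not from the article), the file-type and keyword search described above done without the Windows index, which is useful when the search database is absent or untrusted on a mounted image: walk the filesystem and identify email containers by extension and by file signature, so a .pst renamed to .dat is still found. The signature values are the standard ones (PST/OST begin with "!BDN", Outlook .msg files are OLE2 compound documents, mbox files begin with "From ", .eml files begin with header lines); the demo tree and its contents are constructed here.

```python
"""Locate email container files on a mounted volume by extension and signature.

Added example, not from the article. build_demo_tree() writes a small
constructed directory so the walker can be run offline.
"""
import os
import re
import tempfile

EMAIL_EXTS = {".pst", ".ost", ".msg", ".eml", ".mbox", ".dbx"}
HEADER_LINE_RE = re.compile(rb"^[A-Za-z][A-Za-z0-9-]*:\s")   # e.g. "From: " / "Subject: "
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def classify(head):
    """Identify an email container from its first bytes, or return None."""
    if head.startswith(b"!BDN"):
        return "pst/ost"
    if head.startswith(OLE2_MAGIC):
        return "ole2 (outlook .msg or other Office file)"
    if head.startswith(b"From "):
        return "mbox"
    if HEADER_LINE_RE.match(head):
        return "eml (RFC 822 text)"
    return None


def find_email_files(root, keyword=None):
    """Return (path, kind, renamed) for files that look like email.

    A file counts if its extension OR its signature matches; 'renamed' is
    True when the signature says email but the extension does not. With a
    keyword, only files whose bytes contain it (case-insensitive) are kept.
    """
    hits = []
    kw = keyword.lower().encode() if keyword else None
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
                    body = fh.read() if kw else b""
            except OSError:
                continue                      # unreadable entry, skip it
            kind = classify(head)
            if kind is None and ext not in EMAIL_EXTS:
                continue
            if kw and kw not in (head + body).lower():
                continue
            renamed = kind is not None and ext not in EMAIL_EXTS
            hits.append((path, kind or f"by extension ({ext})", renamed))
    return sorted(hits)


def summarize(root, keyword=None):
    """Map basename -> (kind, renamed) for the matches, convenient for reporting."""
    return {os.path.basename(p): (kind, renamed)
            for p, kind, renamed in find_email_files(root, keyword)}


def build_demo_tree():
    """Create a constructed sample tree and return its root path."""
    root = tempfile.mkdtemp(prefix="mailfx_")
    files = {
        "archive.pst": b"!BDN" + b"\x00" * 60,
        "invoice.msg": OLE2_MAGIC + b"\x00" * 56,
        "hidden.dat": b"!BDN" + b"\x00" * 60,                 # renamed PST
        "note.eml": b"From: a@example.test\r\nSubject: Wire transfer\r\n\r\nbody",
        "inbox.mbox": b"From a@example.test Mon Jan 1 00:00:00 2024\nSubject: hi\n\nx\n",
        "readme.txt": b"nothing to see here",
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    for name, (kind, renamed) in summarize(demo_root).items():
        print(f"{name:12} {kind:45} renamed={renamed}")
    print("containing 'wire':", list(summarize(demo_root, "wire")))
```

Note that the keyword filter only sees bytes as stored: a PST is a structured database and a keyword inside it will not be found this way, which is exactly why the content index the article describes (or a dedicated PST parser) is still needed for message bodies.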
Parsing Process Memory: System memory (RAM) also holds key information, and one might get useful data such as IP and email addresses if one is able to parse the content of a RAM dump.
Internet Explorer: During your forensic search for emails on a computer system you can use the data stored by Internet Explorer to learn a thing or two about the emails, such as which email provider the user usually logs in to and the most frequently visited sites.
You can track and map the user's activities via the memory artifacts created by the operating system or an application (Outlook, for instance), which will give you some exclusive evidence that you otherwise would not find. One can find some of the following data in memory:
Though the majority of critical components will be found in the data you collect from persistent storage media, memory will let you capture invaluable evidence to reconstruct the event.
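The RAM-dump parsing from the "Parsing Process Memory" item and the memory artifacts discussed just above, as one added example that is not from the article: carve email and IPv4 addresses out of a raw dump. Windows applications such as Outlook hold many strings in memory as UTF-16LE, so the scanner checks both an ASCII view and a reconstructed UTF-16LE view, validates each IPv4 octet, and de-duplicates. The dump fragment is constructed in code; every address in it is invented.

```python
"""Carve email addresses and IPv4 addresses out of a raw memory dump.

Added example, not from the article. build_sample_dump() returns a
constructed fragment mixing junk bytes, ASCII strings and UTF-16LE strings.
"""
import re
from collections import Counter

EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(rb"(?<![0-9.])(?:\d{1,3}\.){3}\d{1,3}(?![0-9.])")


def _valid_ipv4(s):
    """Reject regex hits such as 10.2.300.4 whose octets exceed 255."""
    return all(0 <= int(o) <= 255 for o in s.split("."))


def _views(dump):
    """Yield (encoding, bytes) views that the ASCII regexes can scan.

    UTF-16LE text is recovered by keeping the low byte of every 16-bit unit
    whose high byte is NUL and is printable ASCII; everything else becomes
    NUL, which acts as a separator. Both even and odd alignments are tried.
    """
    yield "ascii", dump
    for offset in (0, 1):
        out = bytearray()
        for i in range(offset, len(dump) - 1, 2):
            ch, hi = dump[i], dump[i + 1]
            out.append(ch if hi == 0 and 0x20 <= ch < 0x7F else 0x00)
        yield "utf16le", bytes(out)


def carve(dump):
    """Return {'emails': Counter, 'ips': Counter} of artefacts found in dump."""
    emails, ips = Counter(), Counter()
    for _, view in _views(dump):
        for m in EMAIL_RE.finditer(view):
            emails[m.group().decode()] += 1
        for m in IPV4_RE.finditer(view):
            ip = m.group().decode()
            if _valid_ipv4(ip):
                ips[ip] += 1
    return {"emails": emails, "ips": ips}


def build_sample_dump():
    """Constructed RAM-dump fragment; every value in it is invented."""
    junk = bytes(range(0x80, 0x100)) * 2
    ascii_part = b"MAIL FROM:<alice@example.test> ... X-Originating-IP: 198.51.100.7\x00"
    utf16_part = "Reply-To: refund-desk@mailer.example.test 203.0.113.45".encode("utf-16-le")
    bogus = b"version 10.2.300.4 and 999.1.1.1 are not addresses"
    return junk + ascii_part + junk + utf16_part + b"\x00\x00" + bogus + junk


if __name__ == "__main__":
    found = carve(build_sample_dump())
    print("emails:", dict(found["emails"]))
    print("ips:   ", dict(found["ips"]))
```

On a real dump, feed the file in as bytes (or in large overlapping chunks to bound memory use); the counts are worth keeping because an address that appears hundreds of times in Outlook's process memory is a far stronger lead than one that appears once in a cached web page.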
The ease, speed and relative anonymity of email make it a lucrative option for criminals. Email crimes can be broadly divided into two main categories:
Crimes that are committed by sending an email, such as:
If you suspect the email is of the spear phishing type, then you can use the following email fields to gain information: