Email forensics may be a branch of digital forensic science that focuses on investigation of emails to gather digital evidence for crimes and incidents. It comprises in-depth & systematic examination of emails, especially aspects like message transmission routes, attached files and documents, IP addresses of servers and computers, etc.
Email forensics professionals use a number of the subsequent common techniques to look at emails and collect digital evidence:
1. Email Header Analysis
Email headers contain important information including name of the sender and receiver, the trail (servers and other devices) through which the message has traversed, etc. a number of the important email header fields are highlighted below.
Sample email header
The vital details in email headers can help investigators and forensics experts in email investigation. as an example , the Delivered-To field contains email address of recipient and therefore the Received-By field contains last visited SMTP server’s IP address, its SMTP ID, and therefore the date and time at which the e-mail is received. Similarly, the Received: from field may provide key details like IP address of sender and host name. Such information are often instrumental in identifying the culprit and collecting evidence.
Also Read: Cyber Crime Investigation : Tools and Techniques
2. Email Server Investigation
Email servers are investigated to locate the source of an email. If an email is deleted from client application, sender’s or receiver’s, then related ISP or Proxy servers are scanned as they typically save copies of emails after delivery. Servers also maintain logs which will be analyzed to spot address of the pc from which the e-mail is originated.
It’s worth noting that HTTP and SMTP (common messaging initiation protocol) logs are archived frequently by large ISPs. If a log is archived then tracing relevant emails can take tons of your time and energy , because it requires decompressing and extraction techniques. So, it’s best to look at the logs as soon as possible lest they’re archived.
3. Investigation of Network Devices
In some cases, logs of servers aren’t available. this will happen thanks to many reasons like when servers aren’t configured to take care of logs or when an ISP refuses to share the log files. In such an occasion , investigators can ask the logs maintained by network devices like switches, firewalls, and routers to trace the source of email message.
4. Sender Mailer Fingerprints
X-headers are email headers that are added to messages along side standard headers like Subject and To. These are often added for spam filter information, authentication results, etc. and may be wont to identify the software that’s handling the e-mail at the client like Outlook or Opera Mail. X-originating-IP header are often wont to find the first sender, i.e. IP address of the sender’s computer.
5. Software Embedded Identifiers
Sometimes, the e-mail software employed by a sender can include additional information about the message and attached files within the email. It are often found in MIME content as a Transport Neutral Encapsulation Format (TNEF) or custom header. An in-depth analysis of those sections can reveal vital details associated with sender like MAC addresses, Windows logon username of the sender, PST file names, and more.
6. Bait Tactics
Bait tactic is an email investigation technique that’s used when the situation of a suspect or cybercriminal is unknown. In this, the investigators send an email that contains a http:
Topic related Questions
This Blog Article is posted by
Infosavvy, 2nd Floor, Sai Niketan, Chandavalkar Road Opp. Gora Gandhi Hotel, Above Jumbo King, beside Speakwell Institute, Borivali West, Mumbai, Maharashtra 400092
Contact us – www.info-savvy.com
