What information relevant to a forensic investigation can be extracted from an email header?
Email forensics is dedicated to investigating, extracting, and analyzing emails to collect digital evidence as findings in order to crack crimes and certain incidents, in a forensically sound manner. Show
The process of email forensics, it’s conducted across various aspects of emails, which mainly includes
To deeply and overall investigate the above crucial elements of email, potential clues are going to be obtained to help push the progress of a criminal investigation. Hence, knowing how to conduct scientific and effective email forensics has come into account. But before diving deep into practical email forensics, without a full understanding of the operation and theory of emails themselves, the forensic work is likely to be stuck. How Email works?Just like other digital forensics technology, it’s not easy to conduct forensics without understanding the basis of the underlying technologies. Commonly speaking, a man writes an email on his digital device, maybe a phone or computer, and then sends it to the one he wants to. Though it’s seemingly the man has finished his work, the upon email processing work just starts in order to successfully and correctly be delivered to the recipient. When an email is sent out, countless servers are actually undertaken the whole information of the email before it can really arrive in the recipient’s inbox, which is said that we have to understand what’s proceeding after we click the “send” button. Email Programs and ProtocolsDuring the process, there are 3 protocols and 3 email programs tightly related and are vital to be known.
The theory of email runningLet’s take an example below for instance to better explain the theory of email running.
At this moment, the mail has been sent from the remote user’s workstation to his ISP(Internet Server Provider)’s a mail server and forwarded to your domain. What will happen next? Considering different network configurations, it is very likely that the mail will be transferred to another MTA during the transmission process, but eventually, an MTA will take over the mail and be responsible for delivery. The main function of the MDA is to save the mail to the local disk. Specific MDAs can also be developed with other functions, such as mail filtering or direct mail delivery to other file locations. Thus, it should be noted that it is MDA that completes the function of storing mail on the server.
Running MUA, you can use the IMAP protocol or POP3 protocol to query the mail server for your mail. The mail server first confirms your identity, then retrieves the mailing list from the mail store and returns the list to the MUA. Now you can read the message. Message location of an emailEven if we know the running theory of emails, it’s recommended to be noted that different configuration on the recipient’s email client varies the copies of the message to be saved. Additionally, any server that sends a message from a party to a recipient can keep a copy of the email. With the above root principle, it’s going to equip your initial ideas before conducting your email forensics investigation. How to conduct Email Forensics investigation?With the increasing popularity of the use of email based on the boom of the internet, some typical crimes are tied to email. For instance, financial crime, cyber security, and extortion software, to name a few. To bring the criminals to justice, it’s crucial to look into investigative emails. Before we can dive into the major investigative extraction working directions of email forensics, be noted:
Viewing and Analyzing E-mail HeadersThe primary evidence in email investigations is the email header where massive and valuable information could be found. When carrying out the analysis, you’d be advised to get started from the bottom to the top, since the most crucial information from the sender would be on the bottom while information about the receiver would be on the topmost. Since we already talked about MTAs where you could find out the route of the email transferred, it should be good for you to give it a detailed scan of the email header. Here’s a sample for your information: If you’re still not familiar with the fields, check the below explanations:
The main piece of information you’re looking for is the originating e-mail’s domain address or IP address. Other than that, helpful information includes the date and time the message was sent, filenames of any attachments, and unique message number, if it’s supplied. Give all of them a complete analysis before you move to the next step. Email Server InvestigationTo locate the source of an email, it’s required to investigate the email’s servers. Since it’s not surprising criminals tend to delete their emails in case of being caught or accused of sensitive emails. However, there is still a chance to get them back. In extreme cases, even though both emails have been deleted from both sides between senders and recipients, a copy might be still on the server, since there is always retention on the server after the email is successfully delivered each time due to specific government regulations for email. Whereas, you don’t want to miss out on investigating the log before it is archived after a certain period. For your better work implementation, take below most popular email server software under consideration:
Network DevicesIf there is no log from the email server due to various reasons, for instance, incorrect configuration on the email server, another approach is worth trying, which is the network service. In certain cases, an internet service provider (ISP) or any other communications network stores an email. Therefore, investigators are recommended to examine the network devices such as routers and there might be chances for some clue of the source of an email. Software embedded identifiersWhen looking deep enough at the email software, a higher level analysis of the extra information on it comes into account. Actually, information about the sender and attached files could be found sometimes in an email when you technically examine it, since in most cases, the senders tend to customize their header under Multipurpose Internet Mail Extensions (MIME) with a Transport Neutral Encapsulation Format(TNEF). Attachment AnalysisAs is known to us all, sometimes, our computer gets infected when we surf the Internet and open specific files. To cause the issue, viruses and malware are most skeptical. When it comes to emails, it’s also very common for a problematical attachment to be found and thus it’s really worth investigating the attached files. However, if the files happened to be deleted, you’re suggested to consult with a digital forensic agency or use a data recovery tool like DRS to recover them so that you could better examine every piece of them. After the attachment’s retrieval, you’d better analyze those suspicious files under a sandbox environment in case the file is malware and do harm to your computer. Bulk Email ForensicsSignificant mailbox collections tend to be examined, analyzed, and used as proof in legal instances. Therefore, legal experts have to work with large mailboxes in many circumstances. Most email service applications, like Perspective and Gmail, give a dashboard embedded with several valuable functions. However, you might not get the desired results by only using keywords in the interface. Day and time are two attributes of emails considered necessary if they are produced as evidence related to an instance. Also, email messages can be forged like physical documents, and hackers may tamper with these attributes. Moreover, since an email doesn’t directly reach the receiver to the sender, recording its actual way with accurate timings is a challenging aspect. MD5 and SHA1 Hash ValuesMD5 and SHA1 would be the two most crucial hashing algorithms utilized by digital forensics professionals since it’s standard practice to make use of MD5 and SHA1 hashing algorithms in email forensics brought on. These algorithms enable forensic investigators to aid digital evidence as soon as they acquire this until it finally is created in a courtroom of law. One more reason why hash values are crucial is usually that electronic documents are shared with legal professionals and various other parties in the analysis. Therefore, making certain every person has identical replicates of the data files is vital. Consider how many places an email may well be saved. This could be preserved on the sender’s equipment, around the recipient’s machine, on either the sender’s or recipient’s email server, or both, and in backup media with regard to either server. In the event that you consider the many places the email could stay, that should indicate to you that that is rare for an email is usually ever truly deleted. It may always be quite difficult to get, yet it probably is out there somewhere. This is definitely one of the reasons for this why email forensics is so important. One will need to sign into the e-mail support in order to be able to analyze emails. Google mail and similar services do not provide any kind of mechanism to access a message if that has been wiped from the trash folder. In that circumstance, it’s likely not possible to be covered. In some cases, some sort of subpoena can be issued to the service agency, and it Tracing EmailJs code tracking To better locate or identify a suspect email address, it’s important to attract the suspect to open a trackable email. Across cases like kidnapping and murder, it’s commonly used to identify criminals. By inserting a specific J.S code along HTTP: “img sr” tag on an image within the body of your email, it’s going to be able to record at least the IP address after the suspect clicks the image, especially when the location of a suspect or cybercriminal is unknown. Traced information identify When acquiring tracking information, it’s no doubt to identify the information in hand to look for some clues that will benefit your forensic investigation in a way. Below is the manual method for IP address identification where you could figure out detailed information about the IP’s owner. Smart Email Forensic Investigation SuggestionsWhenever there are suspects coming to you, you’re bound to be monitoring their activities. As an example, administrators might obtain security checks by collaborating with an employee who definitely seems to be disgruntled or that has access to sensitive information. This employee’s email logs and network use may, for example, show the puppy sending innocent family images to a Hotmail account, but no traffic heading back from that Hotmail account. These kinds of seemingly innocent pics might carry steganographically hidden messages, and so provide proof of the employee’s part in corporate espionage. Forensic email doing a trace is similar to traditional gumshoe investigator work, which involves looking at each point through which an email passed. An individual works comprehensively back to the beginning computer and, eventually, the perpetrator. Correctly manage the email forensic evidenceDigital evidence in the form of email data can be crucial in civil and criminal cases. However, be sure it is extracted in the correct manner using email forensics. Final ThoughtEmail forensics refers to analyzing the source and content of emails as evidence, though the actual investigation of email-related crimes and incidents involves various approaches. They do so in a forensically sound manner to correctly examine header data of all messages of interest to the investigation, scientifically decode any available extracted information after your tracked suspects return what benefits your case, and correctly finalize your email forensic investigation. What information can be obtained from the header of an email?An email header tells who sent the email and where it arrived. Some markers indicate this information, like “From:” — sender's name and email address, “To:” — the recipient's name and email address, and “Date:” — the time and date of when the email was sent.
Why are email headers important in forensics?Since criminals often forge messages to avoid detection, email forensics experts need to perform email header analysis to extract and collect crucial evidence. Email headers contain vital information about the path that the message has traversed before reaching its final destination.
How can email be traced for forensic purposes?Email forensics is the study of source and content of email as evidence to identify the actual sender and recipient of a message along with some other information such as date/time of transmission and intention of sender. It involves investigating metadata, port scanning as well as keyword searching.
What are the 7 important information of the header in an email?Header Characteristics
From: sender's name and email address (IP address here also, but hidden) To: recipient's name and email address. Date: sent date/time of the email. Subject: whatever text the sender entered in the Subject heading before sending.
|