Techniques of email forensic investigations

E-mail forensics

E-mail forensics is the study of the source and content of e-mail messages as evidence: identifying the actual sender and recipient of a message, the date/time of transmission, the detailed record of the e-mail transaction, the intent of the sender, and so on. It involves examination of metadata, keyword searching, port scanning and similar techniques for authorship attribution and for identifying e-mail scams.
The main approaches used in e-mail forensics are briefly described below:

Header Analysis

Metadata in an e-mail message, in the form of control information (the envelope and the headers, including headers embedded in the message body), carries information about the sender and the path along which the message has travelled. Some of these fields can be spoofed to hide the identity of the sender, so header analysis is the detailed examination of these headers and the correlation of one against another: each relay's Received: entry should be consistent with the one added before it, and the address a relay actually saw carries more weight than the name the connecting host claimed.
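The correlation described above, as an added example that is not part of the original article: the script parses the Received: trail of a raw message (a constructed sample, not real traffic), walks it oldest hop first, and flags the checks an investigator makes by hand, namely a HELO name the relay could not confirm by reverse DNS, hops on internal addresses, and timestamps that run backwards. The hostnames and addresses are invented documentation values.

```python
"""Walk a message's Received: trail oldest hop first and flag hops whose
claimed identity does not match what the receiving relay observed."""
import email
import email.utils
import ipaddress
import re

# Constructed sample (not a real message). The sender's own relay, the
# outbound hop and the recipient's MX each prepended one Received: line.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.example.com with ESMTP id 7f3a1b2c
\tfor <bob@example.com>; Tue, 03 Mar 2020 10:15:03 +0000
Received: from mail.example.org (unknown [203.0.113.45])
\tby mx2.example.net (Postfix) with ESMTP id A1B2C3D4E5
\tfor <bob@example.com>; Tue, 03 Mar 2020 10:15:01 +0000
Received: from [10.0.0.8] (localhost [127.0.0.1])
\tby mail.example.org with SMTP id 9999
\tfor <bob@example.com>; Tue, 03 Mar 2020 10:14:59 +0000
From: Alice <alice@example.org>
To: bob@example.com
Subject: test
Message-ID: <abc123@mail.example.org>

hello
"""

# "from HELO (RDNS [IP]) by HOST ... ; DATE" as most MTAs write it.
HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)"
    r".*?\bby\s+(?P<by>\S+)"
    r".*?;\s*(?P<date>.+)$"
)

# ipaddress.is_private also covers the documentation ranges used in this
# sample, so the internal ranges are listed explicitly instead.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_received(raw):
    """Return hops in transit order: the last Received: header in the
    message is the one added first, so the list is reversed."""
    msg = email.message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        m = HOP_RE.search(flat)
        if not m:
            hops.append({"raw": flat, "parsed": False})
            continue
        hop = m.groupdict()
        hop.update(raw=flat, parsed=True,
                   time=email.utils.parsedate_to_datetime(hop["date"]))
        hops.append(hop)
    return hops


def analyse_trail(hops):
    """Correlate adjacent hops and return (hop_index, finding) pairs."""
    findings = []
    prev_time = None
    for i, hop in enumerate(hops):
        if not hop["parsed"]:
            findings.append((i, "unparsed Received header, inspect manually"))
            continue
        helo, rdns = hop["helo"], hop["rdns"]
        if is_internal(hop["ip"]):
            findings.append((i, f"internal address {hop['ip']}: hop inside the sending side's network"))
        # A host name offered in HELO that the relay could not confirm by
        # reverse DNS is the classic sign of a forged or misconfigured sender.
        if not helo.startswith("["):
            if rdns in (None, "unknown"):
                findings.append((i, f"HELO name {helo} not confirmed by reverse DNS"))
            elif rdns.lower() != helo.lower():
                findings.append((i, f"HELO name {helo} differs from reverse DNS {rdns}"))
        if prev_time is not None and hop["time"] < prev_time:
            findings.append((i, "timestamp earlier than the previous hop"))
        prev_time = hop["time"]
    return findings


def originating_hop(hops):
    """First hop whose connecting address is routable: the host the first
    external relay actually saw, whatever the sender claimed in HELO."""
    return next((h for h in hops if h["parsed"] and not is_internal(h["ip"])), None)


if __name__ == "__main__":
    hops = parse_received(RAW_MESSAGE)
    for i, hop in enumerate(hops):
        print(i, hop.get("ip"), "->", hop.get("by"), hop.get("time"))
    for i, finding in analyse_trail(hops):
        print(f"hop {i}: {finding}")
    print("origin:", originating_hop(hops)["ip"])
```

On the sample the script reports the loopback hop as internal, flags the second hop because its HELO name was not confirmed by reverse DNS, and names 203.0.113.45 as the originating address; only the Received: lines added by relays the investigator trusts are reliable, since a sender can prepend fake ones before handing the message over.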

Bait Tactics

In the bait tactic, the investigators send an e-mail containing an HTTP <img> tag whose source is an image hosted on a computer they monitor, addressed to the real (genuine) e-mail address of the sender under investigation. When the e-mail is opened and the image is fetched, a log entry containing the IP address of the recipient (the sender of the e-mail under investigation) is recorded on the HTTP server hosting the image, and the sender is thus tracked. If the recipient is using a proxy server, however, it is the IP address of the proxy server that is recorded.
The proxy server's logs can then be used to track the sender of the e-mail under investigation. If the proxy server's log is unavailable for some reason, the investigators may send a bait e-mail containing a) an embedded Java applet that runs on the receiver's computer, or b) an HTML page with an ActiveX object. Both are intended to extract the IP address of the receiver's computer and e-mail it to the investigators. Note that most current mail clients block remote images by default and no longer run Java applets or ActiveX content, so the bait may produce no hit at all, and a hit records only the address that actually connected to the investigators' server.
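The image-bait variant, as an added example that is not part of the original article: one function builds the bait message with a per-target token in the image URL, the other matches later requests for that image in the beacon server's log back to the target. The beacon host name, the log format and the log lines are all constructed for the example; the second log entry shows the proxy case, where the server sees the proxy's address and only a forwarded-for hint about the host behind it.

```python
"""Build a bait message with a per-target tracking image and match later
requests for that image in the beacon server's log back to the target."""
import re
import secrets
from email.message import EmailMessage

# Hypothetical beacon host under the investigators' control.
BEACON_BASE = "https://beacon.investigator.example/b/"


def new_token():
    """Per-recipient token, so a hit in the log identifies which bait was opened."""
    return secrets.token_hex(8)


def build_bait_message(to_addr, from_addr, token, subject="Re: your message"):
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = subject
    msg.set_content("Thanks, see my reply below.")
    # The 1x1 image is fetched from our server when the HTML part is rendered.
    msg.add_alternative(
        "<html><body><p>Thanks, see my reply below.</p>"
        f'<img src="{BEACON_BASE}{token}.gif" width="1" height="1" alt=""></body></html>',
        subtype="html",
    )
    return msg


# Constructed log format for the beacon server: timestamp, connecting IP,
# request line, X-Forwarded-For value and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) GET /b/(?P<token>[0-9a-f]+)\.gif '
    r'xff="(?P<xff>[^"]*)" ua="(?P<ua>[^"]*)"$'
)

TOKEN = "0f3c9a7b1d2e4c5a"
SAMPLE_LOG = [  # constructed log lines
    '2020-03-03T10:20:05Z 203.0.113.45 GET /b/0f3c9a7b1d2e4c5a.gif xff="-" '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Thunderbird/68.5.0"',
    # Same bait opened again through a proxy that added X-Forwarded-For.
    '2020-03-03T10:21:17Z 198.51.100.7 GET /b/0f3c9a7b1d2e4c5a.gif xff="192.168.1.23" '
    'ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64) Thunderbird/68.5.0"',
    # Unrelated scanner hitting a token that was never issued.
    '2020-03-03T10:22:00Z 198.51.100.9 GET /b/ffffffffffffffff.gif xff="-" ua="curl/7.68.0"',
]


def beacon_hits(log_lines, token):
    """Every request for this token's image, separating what the server
    observed itself from what a proxy merely claimed."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["token"] != token:
            continue
        xff = [a.strip() for a in m["xff"].split(",") if a.strip() not in ("", "-")]
        hits.append({
            "time": m["ts"],
            "observed_ip": m["ip"],   # peer that actually connected: the only trustworthy address
            "forwarded_for": xff,     # supplied by a proxy and easily forged: a lead, not evidence
            "user_agent": m["ua"],
        })
    return hits


if __name__ == "__main__":
    msg = build_bait_message("suspect@example.org", "investigator@example.net", TOKEN)
    print(msg.as_string())
    for hit in beacon_hits(SAMPLE_LOG, TOKEN):
        print(hit)
```

The observed address is the one to take to the proxy operator or ISP; the forwarded-for value is worth noting but was set by someone else's software and cannot be verified from the beacon log alone.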

Server Investigation

In this investigation, copies of delivered e-mails and server logs are examined to identify the source of an e-mail message. E-mails deleted from the clients (senders or receivers), which cannot be recovered there, may be requested from the servers (proxy or ISP), as most of them keep a copy of all e-mails after delivery. Further, the logs maintained by the servers can be studied to trace the address of the computer responsible for the e-mail transaction. However, servers keep copies of e-mails and their logs only for limited periods, and some may not co-operate with the investigators. SMTP servers that store data such as credit card numbers and other details about the owner of a mailbox can also be used to identify the author behind an e-mail address.
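Tracing a message through the server's own logs, as an added example that is not part of the original article: the log lines are constructed in the style of a Postfix mail log, where every line for one message carries the same queue ID, so the connecting client, the Message-ID, the envelope sender and each delivery attempt can be stitched back together and looked up by the Message-ID taken from the recipient's copy. All hosts, addresses and IDs are invented.

```python
"""Rebuild SMTP transactions from an MTA log and look one up by Message-ID.
Lines are constructed in the style of Postfix syslog output: the queue ID
ties together the connecting client (smtpd), the Message-ID (cleanup), the
envelope sender (qmgr) and each delivery (smtp)."""
import re

MAILLOG = """\
Mar  3 10:15:01 mx2 postfix/smtpd[1234]: A1B2C3D4E5: client=unknown[203.0.113.45]
Mar  3 10:15:01 mx2 postfix/cleanup[1235]: A1B2C3D4E5: message-id=<abc123@mail.example.org>
Mar  3 10:15:01 mx2 postfix/qmgr[1100]: A1B2C3D4E5: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Mar  3 10:15:03 mx2 postfix/smtp[1240]: A1B2C3D4E5: to=<bob@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=1.4, delays=0.8/0.1/0.2/0.3, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 7f3a1b2c)
Mar  3 10:15:03 mx2 postfix/qmgr[1100]: A1B2C3D4E5: removed
Mar  3 10:16:40 mx2 postfix/smtpd[1234]: F00DF00D01: client=mail.example.net[198.51.100.7]
Mar  3 10:16:40 mx2 postfix/cleanup[1235]: F00DF00D01: message-id=<zzz@example.net>
Mar  3 10:16:40 mx2 postfix/qmgr[1100]: F00DF00D01: from=<carol@example.net>, size=900, nrcpt=1 (queue active)
Mar  3 10:16:41 mx2 postfix/smtp[1240]: F00DF00D01: to=<nobody@example.com>, relay=mail.example.com[192.0.2.10]:25, delay=0.9, delays=0.5/0.1/0.1/0.2, dsn=5.1.1, status=bounced (host mail.example.com[192.0.2.10] said: 550 5.1.1 User unknown)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?P<qid>[0-9A-Za-z]+): (?P<rest>.*)$"
)
FIELD_RES = {
    "client": re.compile(r"client=(?P<client_host>[^\[]+)\[(?P<client_ip>[^\]]+)\]"),
    "message_id": re.compile(r"message-id=(?P<message_id><[^>]+>)"),
    "sender": re.compile(r"from=<(?P<sender>[^>]*)>"),
    "delivery": re.compile(r"to=<(?P<to>[^>]*)>.*status=(?P<status>\w+)"),
    "queued_as": re.compile(r"queued as (?P<queued_as>\w+)"),   # next hop's queue ID
}


def build_transactions(log_text):
    """Group log lines by queue ID into one record per message."""
    txns = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["qid"] == "NOQUEUE":   # rejected-before-queueing lines carry no ID
            continue
        t = txns.setdefault(m["qid"], {"first_seen": m["ts"], "recipients": []})
        t["last_seen"] = m["ts"]
        for key, rx in FIELD_RES.items():
            f = rx.search(m["rest"])
            if not f:
                continue
            if key == "delivery":
                t["recipients"].append((f["to"], f["status"]))
            else:
                t.update(f.groupdict())
    return txns


def find_by_message_id(txns, message_id):
    """Locate the transaction that carried a given Message-ID and report the
    client address the server actually accepted it from."""
    for qid, t in txns.items():
        if t.get("message_id") == message_id:
            return dict(t, queue_id=qid)
    return None


if __name__ == "__main__":
    txns = build_transactions(MAILLOG)
    hit = find_by_message_id(txns, "<abc123@mail.example.org>")
    print(hit["queue_id"], "accepted from", hit["client_ip"],
          "deliveries:", hit["recipients"], "next-hop id:", hit["queued_as"])
```

The "queued as" value is what lets the search continue on the next server in the chain, which is why the request to a server operator should quote both the Message-ID and the time window rather than only the sender address.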

Network Device Investigation.

In this type of e-mail forensic investigation, logs maintained by network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message. This kind of investigation is complex and is used only when the logs of the servers (proxy or ISP) are unavailable for some reason, for example when the ISP or proxy does not maintain a log, when the ISP does not co-operate, or when the chain of evidence has not been maintained.
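The typical use of firewall logs in this step, as an added example that is not part of the original article: a mail relay's log or Received: header shows only the organisation's public NAT address, and the firewall's connection log is what maps that address and time back to the internal host that opened the SMTP connection. The log lines are constructed, loosely modelled on Cisco ASA "Built outbound TCP connection" messages, and the regex must be adapted to the device actually in use.

```python
"""Map the public address a mail relay logged back to the internal host
behind the organisation's NAT, using the firewall's connection log."""
import re
from datetime import datetime, timedelta

# Constructed log lines, loosely in the style of Cisco ASA message 302013.
FW_LOG = """\
Mar 03 2020 10:14:58: %ASA-6-302013: Built outbound TCP connection 88121 for outside:198.51.100.7/25 (198.51.100.7/25) to inside:10.0.0.8/51234 (203.0.113.45/51234)
Mar 03 2020 10:14:58: %ASA-6-302013: Built outbound TCP connection 88122 for outside:192.0.2.80/443 (192.0.2.80/443) to inside:10.0.0.21/40022 (203.0.113.45/40022)
Mar 03 2020 10:15:05: %ASA-6-302014: Teardown TCP connection 88121 for outside:198.51.100.7/25 to inside:10.0.0.8/51234 duration 0:00:07 bytes 2311 TCP FINs
Mar 03 2020 10:31:10: %ASA-6-302013: Built outbound TCP connection 88140 for outside:198.51.100.7/25 (198.51.100.7/25) to inside:10.0.0.15/50001 (203.0.113.45/50001)
"""

BUILT_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d{4} \d\d:\d\d:\d\d): %ASA-6-302013: Built outbound TCP connection (?P<conn>\d+) "
    r"for outside:(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \(\S+\) "
    r"to inside:(?P<src_ip>[\d.]+)/(?P<src_port>\d+) \((?P<nat_ip>[\d.]+)/(?P<nat_port>\d+)\)$"
)


def find_internal_sender(log_text, nat_ip, relay_ip, seen_at, window=timedelta(minutes=2)):
    """Outbound SMTP connections from nat_ip to relay_ip within the window
    around the time the relay accepted the message. Both clocks must be
    compared in the same time zone; here both are taken as UTC."""
    matches = []
    for line in log_text.splitlines():
        m = BUILT_RE.match(line)
        if not m:
            continue   # teardown and other message types are ignored
        if m["nat_ip"] != nat_ip or m["dst_ip"] != relay_ip or m["dst_port"] != "25":
            continue
        ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
        if abs(ts - seen_at) <= window:
            matches.append({"time": ts, "internal_ip": m["src_ip"],
                            "source_port": m["src_port"], "connection": m["conn"]})
    return matches


if __name__ == "__main__":
    # Relay logged the message from 203.0.113.45 at 10:15:01 UTC.
    for hit in find_internal_sender(FW_LOG, "203.0.113.45", "198.51.100.7",
                                    datetime(2020, 3, 3, 10, 15, 1)):
        print(hit)
```

The NAT source port (51234 here) is the detail that makes the match unambiguous when several internal hosts talk to the same relay; it only helps if the relay side recorded it too, which is why the earlier server-side request should ask for the client port as well as the address.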

Software Embedded Identifiers.

Some information about the creator of the e-mail, or of the attached files or documents, may be included with the message by the e-mail software the sender used to compose it. This information may appear as custom headers or as MIME content in Transport Neutral Encapsulation Format (TNEF). Examining the e-mail for these details can reveal useful information about the sender's e-mail preferences and options, which helps client-side evidence gathering. The investigation may reveal PST file names, the Windows logon user name, the MAC address and similar details of the client computer used to send the e-mail message.

Sender Mailer Fingerprints.


The software handling e-mail at the server can be identified from the Received header fields, and the software handling e-mail at the client from headers such as X-Mailer or their equivalents. These headers describe the applications, and their versions, used at the clients to send e-mail. This information about the sender's client computer helps investigators devise an effective plan and can prove very useful.
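The client and server fingerprints from the two sections above (software embedded identifiers and sender mailer fingerprints), as an added example that is not part of the original article: one function collects what the sender's client advertised about itself (X-Mailer, X-Originating-IP, the Message-ID host and the non-standard headers a particular client family writes), the other extracts the MTA product and protocol each relay recorded in its own Received: line. The sample message is constructed, with an Outlook user on a corporate Exchange server relaying through Postfix; header parsing only is shown, decoding of TNEF (winmail.dat) attachments is not covered.

```python
"""Pull software fingerprints from a message: what the sender's client
advertised about itself and what each relay said about its own MTA."""
import email
import re

# Constructed sample: Outlook user on an Exchange server, relayed by Postfix.
RAW_MESSAGE = """\
Received: from EX01.corp.example.org (unknown [203.0.113.45])
\tby mx2.example.net (Postfix) with ESMTPS id B2C3D4E5F6
\tfor <bob@example.com>; Tue, 03 Mar 2020 10:15:01 +0000
Received: from WS-ALICE.corp.example.org (10.0.0.8) by EX01.corp.example.org (10.0.0.2)
\twith Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
\tid 15.1.2308.14; Tue, 3 Mar 2020 10:14:59 +0000
From: alice@example.org
To: bob@example.com
Subject: report
Message-ID: <5e5e4f7a.1c69fb81.a1b2c@WS-ALICE.corp.example.org>
X-Mailer: Microsoft Outlook 16.0
Thread-Index: AQHV+4lP9w==
X-MS-Has-Attach: yes
X-Originating-IP: [10.0.0.8]
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"

body
"""

CLIENT_HEADERS = ("X-Mailer", "User-Agent", "X-MimeOLE", "X-Originating-IP", "X-Originating-Email")
# Non-standard headers that only particular client families write.
TELLTALE = {"thread-index": "Outlook/Exchange"}

# "by HOST (SOFTWARE) with PROTOCOL id ..." as written by the receiving relay.
BY_RE = re.compile(
    r"\bby\s+(?P<host>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+with\s+(?P<proto>.+?)(?=\s+(?:id|for)\s|;|$)"
)


def client_fingerprint(raw):
    msg = email.message_from_string(raw)
    fp = {h.lower(): msg.get(h) for h in CLIENT_HEADERS if msg.get(h)}
    m = re.search(r"@([^>\s]+)>?\s*$", msg.get("Message-ID", ""))
    fp["message_id_host"] = m.group(1) if m else None   # often the composing host or its server
    names = {k.lower() for k in msg.keys()}
    fp["custom_headers"] = sorted(n for n in names if n.startswith("x-") or n in TELLTALE)
    fp["client_family_hints"] = sorted({TELLTALE[n] for n in names if n in TELLTALE})
    return fp


def server_software(raw):
    """One entry per Received: line, oldest relay first."""
    msg = email.message_from_string(raw)
    out = []
    for value in reversed(msg.get_all("Received", [])):
        flat = re.sub(r"\s+", " ", value).strip()   # unfold continuation lines
        m = BY_RE.search(flat)
        if not m:
            continue
        sw = m["paren"]
        # Exchange writes its own IP in that position rather than a product name;
        # its product string is in the "with" clause instead.
        if sw and re.fullmatch(r"[\d.:\[\]a-fA-F]+", sw):
            sw = None
        out.append({"host": m["host"], "software": sw, "protocol": m["proto"]})
    return out


if __name__ == "__main__":
    for k, v in client_fingerprint(RAW_MESSAGE).items():
        print(f"{k}: {v}")
    for hop in server_software(RAW_MESSAGE):
        print(hop)
```

X-Mailer and similar headers are set by the client and can be edited freely, so they describe the tool a sender wanted the message to appear to come from; the Received: fingerprints written by relays the investigator trusts are the firmer evidence, and a mismatch between the two (an X-Mailer claiming a desktop client but a first hop that is a webmail farm) is itself a lead.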

Reference: INFOSAVVI


  Posted by: @ESPYER
