Techniques of email forensic investigations

E-mail forensics

E-mail forensics refers to the study of the source and content of e-mail as evidence, in order to identify the actual sender and recipient of a message, the date/time of transmission, a detailed record of the e-mail transaction, the intent of the sender, and so on. This study involves investigation of metadata, keyword searching, port scanning, etc. for authorship attribution and identification of e-mail scams.
The various approaches used in e-mail forensics are briefly defined below:

Header Analysis

Metadata within the e-mail message, in the form of control information, i.e. the envelope and headers, including headers within the message body, contains information about the sender and/or the trail along which the message has traversed. Some of these fields may be spoofed to hide the identity of the sender. A detailed analysis of these headers and their correlation is performed in header analysis.
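To make the header-correlation step concrete, here is an added example (not code from the original article or from INFOSAVVY) that walks the Received chain of a constructed message in transmission order, recovers the originating IP from the earliest hop, and flags the kind of inconsistencies an investigator looks for: a From domain that disagrees with the Return-Path or Message-ID domain, and a break in the hand-off between consecutive relays. All hostnames, IPs and IDs in the sample are constructed.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample message (not from the page). The From: header claims
# example.com, but the Return-Path, Message-ID and the earliest Received
# hop all point elsewhere.
RAW_EMAIL = """\
Return-Path: <bounce@mail-relay.example.net>
Received: from mx2.example.org (mx2.example.org [192.0.2.20])
 by inbound.example.org with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx2.example.org with ESMTPS id def456; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
 by relay.example.net with ESMTPA id ghi789; Mon, 1 Jan 2024 10:00:01 +0000
From: "Accounts Payable" <ap@example.com>
To: victim@example.org
Subject: Invoice
Message-ID: <20240101100001.1234@mail-relay.example.net>
Date: Mon, 1 Jan 2024 10:00:01 +0000

Please see attached.
"""

# "from <host> (<comment>) by <host>" is the common shape of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw):
    """Return the Received chain in transmission order (earliest hop first)."""
    msg = email.message_from_string(raw)
    hops = []
    # Each MTA prepends its own Received header, so the last one is the oldest.
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m = RECEIVED_RE.search(flat)
        if not m:
            continue
        ip_match = IP_RE.search(m.group("info") or "")
        hops.append({
            "from": m.group("from"),
            "by": m.group("by"),
            "ip": ip_match.group(1) if ip_match else None,
        })
    return hops


def originating_ip(raw):
    """IP recorded by the first relay, i.e. the best evidence of the submitting host."""
    hops = parse_hops(raw)
    return hops[0]["ip"] if hops else None


def _domain(addr):
    return addr.rpartition("@")[2].rstrip(">").lower()


def header_findings(raw):
    """Correlate From, Return-Path, Message-ID and the Received chain."""
    msg = email.message_from_string(raw)
    findings = []
    from_domain = _domain(parseaddr(msg.get("From", ""))[1])
    rp_domain = _domain(parseaddr(msg.get("Return-Path", ""))[1])
    mid_domain = _domain(msg.get("Message-ID", ""))
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} != Return-Path domain {rp_domain}")
    if from_domain and mid_domain and mid_domain != from_domain \
            and not mid_domain.endswith("." + from_domain):
        findings.append(f"Message-ID domain {mid_domain} does not match From domain {from_domain}")
    hops = parse_hops(raw)
    # The "by" host of one hop should reappear as the "from" host of the next;
    # a mismatch suggests a forged or stripped Received header.
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"].lower() != later["from"].lower():
            findings.append(f"Chain gap: {earlier['by']} handed off, next hop claims from {later['from']}")
    return findings


if __name__ == "__main__":
    for hop in parse_hops(RAW_EMAIL):
        print(hop)
    print("originating IP:", originating_ip(RAW_EMAIL))
    for f in header_findings(RAW_EMAIL):
        print("finding:", f)
```

The chain-continuity check is deliberately strict on hostnames; in practice the comment part of each hop (the reverse-DNS name and bracketed IP recorded by the receiving MTA) is the more trustworthy field, since the "from" name is whatever the connecting host announced in HELO/EHLO.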

Bait Tactics

In a bait-tactic investigation, an e-mail containing an HTTP tag whose image source is hosted on a computer monitored by the investigators is sent to the sender of the e-mail under investigation, using their real (genuine) e-mail address. When the e-mail is opened, a log entry containing the IP address of the recipient (the sender of the e-mail under investigation) is recorded on the HTTP server hosting the image, and thus the sender is tracked. However, if the recipient (the sender of the e-mail under investigation) is using a proxy server, then the IP address of the proxy server is recorded instead.
The logs on the proxy server can then be used to track the sender of the e-mail under investigation. If the proxy server's log is unavailable for some reason, investigators may send a tactic e-mail containing a) an embedded Java applet that runs on the receiver's computer, or b) an HTML page with an ActiveX object. Both are intended to extract the IP address of the receiver's computer and e-mail it to the investigators.

Server Investigation

In this investigation, copies of delivered e-mails and server logs are examined to identify the source of an e-mail message. E-mails purged from the clients (senders or receivers), whose recovery is otherwise impossible, may be requested from servers (proxy or ISP), as most of them store a copy of all e-mails after delivery. Further, logs maintained by servers can be studied to trace the address of the computer responsible for making the e-mail transaction. However, servers store copies of e-mails and server logs only for limited periods, and some may not cooperate with investigators. Further, SMTP servers which store data such as a credit card number and other data concerning the owner of a mailbox can be used to identify the person behind an e-mail address.

Network Device Investigation

In this type of e-mail forensic investigation, logs maintained by network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message. This type of investigation is complex and is employed only when the logs of servers (proxy or ISP) are unavailable for some reason, e.g. when the ISP or proxy does not maintain a log, when the ISP does not cooperate, or when the chain of evidence has not been maintained.

Software Embedded Identifiers

Some information about the creator of the e-mail, attached files or documents may be included with the message by the e-mail software used by the sender to compose the e-mail. This information may be included in the form of custom headers or in the form of MIME content as Transport Neutral Encapsulation Format (TNEF). Investigating the e-mail for these details may reveal vital information about the sender's e-mail preferences and options, which helps client-side evidence gathering. The investigation can reveal PST file names, the Windows logon username, the MAC address, etc. of the client computer used to send the e-mail message.

Sender Mailer Fingerprints

The software handling e-mail at the server can often be identified from the Received header field, and the software handling e-mail at the client can be ascertained from a different set of headers such as "X-Mailer" or equivalent. These headers describe the applications, and their versions, used at the client to send e-mail. This information about the sender's client computer can be used to help investigators devise an efficient plan and thus proves to be very useful.
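The two sections above (Software Embedded Identifiers and Sender Mailer Fingerprints) both come down to pulling software-specific artefacts out of a message, so here is one added example covering both; it is not code from the original article or from INFOSAVVY. It extracts client-side identifiers (X-Mailer and similar headers), maps each receiving host in the Received chain to the MTA software it names, lists every non-standard X-* header, and detects a TNEF attachment both by its MIME type/filename and by the TNEF magic number at the start of the decoded payload. The message, its hostnames, IPs and the product names in the headers are constructed.

```python
import email
import re

# Constructed sample (not from the page) carrying client- and server-side
# identifiers plus a tiny TNEF (winmail.dat) attachment. The base64 body
# decodes to the TNEF signature 0x223E9F78 (little-endian) followed by zeros.
RAW_EMAIL = """\
Received: from mail.example.net (mail.example.net [198.51.100.7])
 by mx.example.org (Postfix) with ESMTPS id 4F3A1; Mon, 1 Jan 2024 10:00:03 +0000
Received: from CLIENT-PC (unknown [203.0.113.45])
 by mail.example.net (Constructed SMTP Server 2.1) with ESMTPA id 9B2C; Mon, 1 Jan 2024 10:00:01 +0000
From: sender@example.net
To: victim@example.org
Subject: report
Message-ID: <abc@example.net>
X-Mailer: Constructed Mail Client 7.2.1
X-Originating-IP: [203.0.113.45]
X-MimeOLE: Produced By Constructed MimeOLE V6.1
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attachment
--b1
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Disposition: attachment; filename="winmail.dat"
Content-Transfer-Encoding: base64

eJ8+IgAAAAAAAAA=
--b1--
"""

# Headers that mail clients commonly stamp on outgoing messages.
CLIENT_HEADERS = ("X-Mailer", "User-Agent", "X-Originating-IP", "X-MimeOLE")
# "by <host> (<software>)": the receiving MTA often names itself in parentheses.
SERVER_SW_RE = re.compile(r"\bby\s+(?P<host>\S+)\s+\((?P<software>[^)]*)\)", re.IGNORECASE)
TNEF_MAGIC = b"\x78\x9f\x3e\x22"  # 0x223E9F78 little-endian


def client_fingerprint(raw):
    """Collect the client-side identifiers the sending software left behind."""
    msg = email.message_from_string(raw)
    return {h: " ".join(msg[h].split()) for h in CLIENT_HEADERS if msg[h]}


def server_fingerprint(raw):
    """Map each receiving host in the Received chain to the MTA software it names."""
    msg = email.message_from_string(raw)
    result = {}
    for value in msg.get_all("Received", []):
        m = SERVER_SW_RE.search(" ".join(value.split()))
        if m:
            result[m.group("host")] = m.group("software")
    return result


def custom_headers(raw):
    """All non-standard X-* headers; these frequently carry product-specific data."""
    msg = email.message_from_string(raw)
    return sorted({k for k in msg.keys() if k.lower().startswith("x-")})


def tnef_parts(raw):
    """Return {filename: has_tnef_magic} for every part that looks like TNEF."""
    msg = email.message_from_string(raw)
    found = {}
    for part in msg.walk():
        if part.is_multipart():
            continue
        fname = part.get_filename() or ""
        by_type = (part.get_content_type() == "application/ms-tnef"
                   or fname.lower() == "winmail.dat")
        payload = part.get_payload(decode=True) or b""
        has_magic = payload.startswith(TNEF_MAGIC)
        if by_type or has_magic:
            found[fname or "<unnamed>"] = has_magic
    return found


if __name__ == "__main__":
    print("client:", client_fingerprint(RAW_EMAIL))
    print("servers:", server_fingerprint(RAW_EMAIL))
    print("custom headers:", custom_headers(RAW_EMAIL))
    print("TNEF parts:", tnef_parts(RAW_EMAIL))
```

Checking the magic number as well as the declared type matters because a client can label an attachment however it likes; the signature in the decoded bytes is the evidence that a TNEF-producing client was actually involved, and it is the decoded TNEF stream that a dedicated TNEF parser would then mine for the PST names, logon names and similar properties mentioned above.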

Reference: INFOSAVVI


  Posted by: @ESPYER
