Forensic investigation of email is the systematic study of the source and content of email messages. It aims to identify the actual sender and recipient of the messages concerned, establish when they were transmitted, infer their intent, and reconstruct the complete record of the email transaction. Email investigation is useful in incidents such as email abuse, phishing, scams and other cases in which email is misused. The work typically combines keyword searching, metadata (header) investigation and, where network evidence is involved, examination of port and connection activity.
Techniques For Email Investigation
The techniques used to perform an effective email investigation are given below:
1) Email Header Analysis
Header analysis extracts information about the sender of the mail and the path along which the message was transmitted. Most of a message's metadata lives in its headers: the envelope sender (Return-Path), the Message-ID, timestamps, and one Received: line prepended by every mail server that handled it. Headers can be tampered with to hide the true identity of the sender, so only the Received: line added by a server the investigator controls can be trusted; everything below it was supplied by the remote side and may be forged.
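The following script, added here as an example and not part of the original article, walks the Received: chain of a raw message in the way described above. The message, the hostname mx.example.org (assumed to be the investigator's own MX) and all addresses are constructed; the output lists the hops in chronological order, records the IP each receiving server actually observed rather than the client's self-declared HELO name, and flags a mismatch between the visible From: domain and the envelope sender as well as SPF/DMARC failures recorded by the trusted MX.

```python
"""Email header analysis: walk the Received: chain of a raw RFC 5322 message,
recover the hop-by-hop path, and flag simple sender inconsistencies.
Added example (not the article's code); the sample message is constructed."""
import email
import re
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not a real capture): it claims to come from
# bank.example but was handed to our MX (mx.example.org) by an unrelated host.
RAW_MESSAGE = """\
Return-Path: <bounce@cheap-hosting.example>
Received: from mail.cheap-hosting.example (mail.cheap-hosting.example [203.0.113.7])
\tby mx.example.org with ESMTP id 4XkQ1p; Mon, 3 Mar 2025 10:15:02 +0000
Received: from [10.0.0.5] (unknown [198.51.100.23])
\tby mail.cheap-hosting.example with ESMTPA id 99ab; Mon, 3 Mar 2025 10:14:55 +0000
Authentication-Results: mx.example.org; spf=fail smtp.mailfrom=cheap-hosting.example;
\tdkim=none; dmarc=fail header.from=bank.example
From: "Bank Security" <alerts@bank.example>
To: victim@example.org
Subject: Urgent: verify your account
Message-ID: <20250303101455.99ab@mail.cheap-hosting.example>
Date: Mon, 3 Mar 2025 10:14:55 +0000

Please click the link below.
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?\s+by\s+(\S+)", re.I)
AUTH = re.compile(r"\b(spf|dkim|dmarc)=(\w+)", re.I)


def parse_received(msg):
    """Return the hops in chronological order (earliest first).

    Each MTA prepends its own Received: line, so header order is newest first
    and we reverse it.  The host after 'from' is the client's self-declared
    HELO name; the bracketed address inside the parentheses is what the
    receiving MTA actually observed, so that is the IP we record."""
    hops = []
    for raw in msg.get_all("Received", []):
        value = re.sub(r"\s+", " ", str(raw)).strip()  # unfold the header
        m = HOP.search(value)
        if not m:
            continue
        helo, comment, by = m.group(1), m.group(2) or "", m.group(3)
        ip_m = IPV4.search(comment) or IPV4.search(helo)
        when = value.rsplit(";", 1)[-1].strip() if ";" in value else ""
        hops.append({
            "helo": helo,
            "ip": ip_m.group(1) if ip_m else None,
            "by": by,
            "time": parsedate_to_datetime(when).isoformat() if when else None,
        })
    return list(reversed(hops))


def analyze(raw, own_mta):
    """Parse the message and return hops, authentication results and findings.

    own_mta is the hostname of the MTA we control (an assumption of this
    example): only the Received: line it added can be trusted, because every
    line below it was supplied by the remote side and may be forged."""
    msg = email.message_from_string(raw)
    hops = parse_received(msg)
    findings = []

    # Visible From: (what the user sees) versus envelope sender (Return-Path).
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    if from_domain and rp_domain and from_domain != rp_domain:
        findings.append(f"From domain {from_domain} does not match envelope sender {rp_domain}")

    # Authentication-Results as written by our own MX.
    auth = {k.lower(): v.lower() for k, v in AUTH.findall(msg.get("Authentication-Results", ""))}
    for mech in ("spf", "dkim", "dmarc"):
        if auth.get(mech) == "fail":
            findings.append(f"{mech} failed according to {own_mta}")

    # The IP that handed the message to our MTA is the only externally
    # observed address we can rely on.
    trusted_entry_ip = next((h["ip"] for h in hops if h["by"].lower() == own_mta.lower()), None)
    if trusted_entry_ip is None:
        findings.append(f"no Received: line written by {own_mta}; header chain is untrusted")

    return {
        "hops": hops,
        "from_domain": from_domain,
        "return_path_domain": rp_domain,
        "auth": auth,
        "trusted_entry_ip": trusted_entry_ip,
        "findings": findings,
    }


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE, own_mta="mx.example.org")
    for hop in report["hops"]:
        print(f"{hop['time']}  {str(hop['ip']).rjust(15)}  {hop['helo']} -> {hop['by']}")
    for finding in report["findings"]:
        print("finding:", finding)
```

Run against a real message, replace own_mta with the hostname your MX writes into its Received: line and feed the raw source (including the Return-Path added at delivery). The earliest hop's IP (198.51.100.23 above) is informative but unverifiable; the address that matters for a subpoena or abuse report is trusted_entry_ip, the client your own server saw.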
2) Bait Tactics
Bait tactics aim to obtain the IP address of the sender of the mail under investigation. The investigator sends a message containing an HTML &lt;img src&gt; tag, pointing at an image hosted on a web server they control, to the address from which the suspicious mail was received; the recipient of this bait is the suspect. When the message is opened in a client that loads remote images, the web server hosting the image logs the request together with the requesting IP address, and the suspect is traced. If the suspect reads mail through a proxy server, or through a webmail provider that fetches remote images on the user's behalf, the address recorded is that of the proxy rather than the suspect's. Clients that block remote images by default defeat the technique altogether.
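The script below, an added example and not part of the original article, implements the bait message and the matching log attribution. Two details matter in practice and are shown here: the image URL carries a per-recipient token derived with an HMAC (the key and the hostname evidence.example.org are assumptions of the example) so that a hit can be tied to one specific bait message and cannot be guessed, and the log parser marks fetches that came through a known image proxy, where the logged IP belongs to the proxy and not the suspect. The access-log lines are constructed in the common "combined" format.

```python
"""Bait tactics: build a message whose remote image carries a per-recipient
token, then attribute image fetches in the web server's access log back to
the recipient.  Added example, not the article's own code; the hostname, the
signing key and the log lines are constructed."""
import hashlib
import hmac
import re
from urllib.parse import parse_qs, urlsplit

# Assumed values for this example: the investigator's own web host and a
# secret used to derive tokens, so a token cannot be guessed or tampered with.
BAIT_HOST = "https://evidence.example.org"
TOKEN_KEY = b"replace-with-a-random-32-byte-secret"


def make_token(case_id, recipient):
    """Deterministic, unforgeable token bound to the case and the address."""
    msg = f"{case_id}|{recipient.lower()}".encode()
    return hmac.new(TOKEN_KEY, msg, hashlib.sha256).hexdigest()[:24]


def make_bait(case_id, recipient):
    """HTML body with a 1x1 remote image.  Only a client that loads remote
    images will contact BAIT_HOST, so a hit proves the message was opened."""
    token = make_token(case_id, recipient)
    html = (
        "<html><body><p>Please find the document attached.</p>"
        f'<img src="{BAIT_HOST}/pixel.gif?t={token}" width="1" height="1" alt="">'
        "</body></html>"
    )
    return token, html


# "combined" log format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Fetchers that hide the real client: Gmail rewrites remote images to pass
# through its own proxy, so the logged IP belongs to Google, not the reader.
PROXY_UA_MARKERS = ("GoogleImageProxy",)


def attribute_hits(log_lines, candidates):
    """Match pixel fetches in access-log lines to (case_id, recipient) pairs.

    candidates is the list of (case_id, recipient) we sent bait to; tokens are
    recomputed rather than stored, and compared in constant time."""
    expected = {make_token(c, r): (c, r) for c, r in candidates}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith("/pixel.gif"):
            continue
        token = parse_qs(urlsplit(m.group("path")).query).get("t", [""])[0]
        match = next((v for k, v in expected.items() if hmac.compare_digest(k, token)), None)
        if match is None:
            continue  # unknown token: scanner, guess, or a link we never issued
        case_id, recipient = match
        ua = m.group("ua")
        hits.append({
            "case_id": case_id,
            "recipient": recipient,
            "ip": m.group("ip"),
            "time": m.group("time"),
            "user_agent": ua,
            # A known image proxy fetched the pixel: the IP is the proxy's,
            # which is exactly the limitation the article notes for proxies.
            "ip_is_proxy": any(marker in ua for marker in PROXY_UA_MARKERS),
        })
    return hits


# Constructed access-log lines for one bait message: a direct fetch, a fetch
# through Gmail's image proxy, and a request with a token we never issued.
_TOKEN = make_token("CASE-42", "suspect@cheap-hosting.example")
SAMPLE_LOG = [
    f'198.51.100.23 - - [03/Mar/2025:10:20:31 +0000] "GET /pixel.gif?t={_TOKEN} HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"',
    f'203.0.113.100 - - [03/Mar/2025:10:21:05 +0000] "GET /pixel.gif?t={_TOKEN} HTTP/1.1" 200 43 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko Firefox/11.0 (via ggpht.com GoogleImageProxy)"',
    '203.0.113.9 - - [03/Mar/2025:10:22:00 +0000] "GET /pixel.gif?t=deadbeef HTTP/1.1" 200 43 "-" "curl/8.0"',
]

if __name__ == "__main__":
    token, body = make_bait("CASE-42", "suspect@cheap-hosting.example")
    print(body)
    for hit in attribute_hits(SAMPLE_LOG, [("CASE-42", "suspect@cheap-hosting.example")]):
        print(hit)
```

Serve pixel.gif from a host whose logs you preserve, send the body from make_bait to the suspect address, and run attribute_hits over the access log periodically. A hit with ip_is_proxy set tells you the message was opened but gives you the provider's address, not the suspect's. Sending bait to a suspect is an active measure; obtain the necessary legal authority before using it.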
3) Extraction From Server
Server investigation is used when the copies of the emails held at the sender's and recipient's ends have been permanently purged. Mail servers log every message they handle, so the logs can establish that the deleted messages existed, when they were sent and received, their envelope sender and recipients, and the IP address of the client that submitted them. The logs record this metadata rather than the message content; content survives on the server only if it was archived, journaled or backed up. Server investigation also does not guarantee that every purged email can be recovered, because once the retention period has elapsed, messages and logs alike are deleted from the server.
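As an added example of what server logs yield (this code is not from the article), the script below rebuilds mail transactions from a constructed Postfix log excerpt: lines are grouped by queue ID into one record per message carrying the client IP, authenticated submitter, Message-ID, envelope sender, recipients and delivery status, and rejected delivery attempts (which never receive a queue ID) are collected separately. The hostnames, addresses and queue IDs are invented; the line layout follows Postfix's syslog format.

```python
"""Extraction from server logs: rebuild mail transactions from Postfix
syslog lines, keyed by queue ID.  Added example, not the article's code;
every log line below is constructed, not a real capture."""
import re

# Constructed Postfix log excerpt: one inbound message (4A1B2C3D4E), one
# outbound reply (7BBA9C0D1E), and a rejected delivery attempt (NOQUEUE).
SAMPLE_LOG = """\
Mar  3 10:15:00 mx1 postfix/smtpd[2211]: connect from mail.cheap-hosting.example[203.0.113.7]
Mar  3 10:15:01 mx1 postfix/smtpd[2211]: 4A1B2C3D4E: client=mail.cheap-hosting.example[203.0.113.7]
Mar  3 10:15:01 mx1 postfix/cleanup[2215]: 4A1B2C3D4E: message-id=<20250303101455.99ab@mail.cheap-hosting.example>
Mar  3 10:15:01 mx1 postfix/qmgr[1980]: 4A1B2C3D4E: from=<bounce@cheap-hosting.example>, size=2310, nrcpt=1 (queue active)
Mar  3 10:15:02 mx1 postfix/lmtp[2220]: 4A1B2C3D4E: to=<victim@example.org>, relay=mailstore.example.org[10.0.0.20]:24, delay=0.8, delays=0.6/0.01/0.02/0.17, dsn=2.0.0, status=sent (250 2.0.0 <victim@example.org> saved)
Mar  3 10:15:02 mx1 postfix/qmgr[1980]: 4A1B2C3D4E: removed
Mar  3 10:15:02 mx1 postfix/smtpd[2211]: disconnect from mail.cheap-hosting.example[203.0.113.7]
Mar  3 10:16:40 mx1 postfix/smtpd[2211]: NOQUEUE: reject: RCPT from unknown[198.51.100.77]: 554 5.7.1 Service unavailable; from=<promo@spam.example> to=<victim@example.org> proto=ESMTP helo=<mail>
Mar  3 10:31:12 mx1 postfix/submission/smtpd[2301]: 7BBA9C0D1E: client=laptop.example.org[10.0.0.55], sasl_method=PLAIN, sasl_username=victim@example.org
Mar  3 10:31:12 mx1 postfix/cleanup[2215]: 7BBA9C0D1E: message-id=<a1b2c3@example.org>
Mar  3 10:31:12 mx1 postfix/qmgr[1980]: 7BBA9C0D1E: from=<victim@example.org>, size=980, nrcpt=1 (queue active)
Mar  3 10:31:13 mx1 postfix/smtp[2310]: 7BBA9C0D1E: to=<alerts@bank.example>, relay=mx.bank.example[192.0.2.25]:25, delay=1.1, delays=0.1/0.01/0.5/0.5, dsn=5.1.1, status=bounced (host mx.bank.example[192.0.2.25] said: 550 5.1.1 User unknown)
Mar  3 10:31:13 mx1 postfix/qmgr[1980]: 7BBA9C0D1E: removed
""".splitlines()

# Syslog timestamps carry no year; keep them as strings and take the year
# from the file's rotation date or system clock when you need absolute times.
LINE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>[\w/-]+)\[\d+\]: (?P<qid>[0-9A-F]{6,}|NOQUEUE): (?P<rest>.*)$"
)
CLIENT = re.compile(r"client=(?P<host>[^\[,]+)\[(?P<ip>[^\]]+)\]")
SASL = re.compile(r"sasl_username=(?P<user>\S+)")
MSGID = re.compile(r"message-id=(?P<id><[^>]*>)")
FROM = re.compile(r"from=<(?P<from>[^>]*)>")
SIZE = re.compile(r"size=(?P<size>\d+)")
TO = re.compile(r"to=<(?P<to>[^>]*)>")
RELAY = re.compile(r"relay=(?P<relay>[^,]+)")
STATUS = re.compile(r"status=(?P<status>\w+)(?: \((?P<detail>.*)\))?")
REJECT_IP = re.compile(r"RCPT from (?P<host>\S+?)\[(?P<ip>[^\]]+)\]")


def _first(regex, text, group):
    m = regex.search(text)
    return m.group(group) if m else None


def reconstruct(lines):
    """Group log lines by queue ID into one record per transaction, and
    collect rejected attempts, which never get a queue ID."""
    tx, rejects = {}, []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # connect/disconnect and other lines without a queue ID
        ts, proc, qid, rest = m.group("ts"), m.group("proc"), m.group("qid"), m.group("rest")
        if qid == "NOQUEUE":
            rejects.append({
                "time": ts,
                "client_ip": _first(REJECT_IP, rest, "ip"),
                "envelope_from": _first(FROM, rest, "from"),
                "to": _first(TO, rest, "to"),
                "reason": rest.split(": ", 2)[-1].split(";")[0],
            })
            continue
        rec = tx.setdefault(qid, {
            "queue_id": qid, "first_seen": ts, "last_seen": ts,
            "client_host": None, "client_ip": None, "sasl_username": None,
            "message_id": None, "envelope_from": None, "size": None,
            "recipients": [], "complete": False,
        })
        rec["last_seen"] = ts
        c = CLIENT.search(rest)
        if c:  # smtpd: who handed us the message, and who authenticated
            rec["client_host"], rec["client_ip"] = c.group("host"), c.group("ip")
            rec["sasl_username"] = _first(SASL, rest, "user")
        if MSGID.search(rest):  # cleanup: the Message-ID header
            rec["message_id"] = _first(MSGID, rest, "id")
        if proc == "qmgr" and FROM.search(rest):  # qmgr: envelope sender
            rec["envelope_from"] = _first(FROM, rest, "from")
            rec["size"] = int(_first(SIZE, rest, "size") or 0)
        if TO.search(rest):  # delivery agent: one line per recipient
            rec["recipients"].append({
                "to": _first(TO, rest, "to"),
                "relay": _first(RELAY, rest, "relay"),
                "status": _first(STATUS, rest, "status"),
                "detail": _first(STATUS, rest, "detail"),
                "time": ts,
            })
        if rest.strip() == "removed":  # qmgr: transaction finished
            rec["complete"] = True
    return {"transactions": tx, "rejects": rejects}


def involving(report, address):
    """Queue IDs of every transaction in which address was envelope sender
    or recipient: how deleted mail is traced when only the logs remain."""
    address = address.lower()
    return sorted(
        qid for qid, rec in report["transactions"].items()
        if (rec["envelope_from"] or "").lower() == address
        or any(r["to"].lower() == address for r in rec["recipients"])
    )


if __name__ == "__main__":
    report = reconstruct(SAMPLE_LOG)
    for qid in involving(report, "victim@example.org"):
        print(report["transactions"][qid])
    for rej in report["rejects"]:
        print("rejected:", rej)
```

Note what the reconstruction does and does not give you: the inbound record proves that a message with a specific Message-ID arrived from 203.0.113.7 and was stored for victim@example.org, and the outbound record proves that the user replied from an authenticated session, but neither contains a line of the message body. Correlating the Message-ID with the header analysis of any surviving copy ties the two sources together.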
4) Investigation of Network Sources
This investigation is chosen when the server logs fail to yield the required information, or when the Internet Service Provider does not grant access to the server. The logs generated by network hubs, routers, firewalls and similar devices record the connections that carried the message (typically to TCP port 25, 465 or 587) and can therefore point to where the email originated.
Popular Tools Deployed For Email Investigation
A number of email investigation tools support the investigation process end to end: they generate automated reports, identify the origin and destination of emails, and more. Some of the tools in this domain are:
EnCase enables investigators to image a drive and preserve it in the E01 evidence-file format, which can be examined forensically and presented in court as evidence.
Forensic Toolkit (FTK) is a comprehensive investigation suite whose email forensics capabilities include the decryption of encrypted email content.
MailXaminer is an advanced email investigation tool that supports more than 20 email formats and around 750 MIME types. Its features include:
- Advanced keyword search
- Link analysis of emails
- Skin tone analysis of attached images
- Live Exchange mailbox analysis, and many more.
The tool carves out evidence efficiently and generates a complete evidence report.
With the right techniques and tools, a forensic investigation of email can carve out potential evidence in a very short time. Deploying the right tool is therefore a prerequisite for an advanced email investigation.
What people are saying
Informative post, I guess I’m a bit unaware of this subject and I must say I’ve learned some great info from this post.
Thanks for sharing.
Excellent article. Always good to learn more about dealing with email related offenses.
This is very informative. Thanks for the share.