In this era of digitalization, email has emerged as the most widely used method to communicate and transfer data. The rapid growth in email communication has also led to rapid growth in crimes committed through email. As a result, security is a major concern that needs to be addressed.
With the help of this write-up, we will discuss top digital forensic investigation techniques. This will help an investigating officer to examine and identify the crimes that occurred through the email. Nowadays, email crimes take place in various forms; this makes the detection of these crimes a very difficult task during the investigation process. The digital investigation tools enable the investigating officers to perform email header forensics. Moreover, the primary aim is to discover the history of a message and the identity of all entities associated with the message. Additionally, this study also focuses on the investigation of metadata, port scanning, etc. for authorship attribution and identification of email scams.
Do You Know Why Digital Forensic Investigation is Important?
Currently, cybercrime is an increasing danger. Cybercriminals spoof email messages to carry out illegal activities through the email system and to stay hidden during an email forensics investigation. The illegitimate activities include:
Abuses like spamming, phishing, cyberbullying, child pornography, racial vilification, etc.
Misuse by transmission of viruses, worms, Trojan horses, and other malicious programs with the intent to spread them over the internet.
Let Us Check Out Some Important Digital Forensic Investigation Techniques
Following are the different digital forensic investigation techniques that will help to detect the email crime.
The aim of the bait tactic is to extract and copy the IP address of the culprit. In the bait tactic scenario, an email containing an HTTP “<img src=””>” tag is sent to the email address under examination. The image source in the tag points to a computer that is supervised by the investigators. When the email is opened, a log entry containing the IP address of the recipient is recorded on the HTTP server hosting the image. This results in the tracking of the sender.
However, if the recipient is using a proxy server, then the IP address of the proxy server is recorded. The log on the proxy server can then be used for forensic email tracking of the sender. If the proxy server’s log is unavailable for some reason, investigators may send a tactic email containing an embedded Java applet that runs on the receiver’s computer, or an HTML page with an ActiveX object. This will extract the IP address of the receiver’s computer and email it to the investigators.
Server examination is another procedure, in which copies of delivered emails and server logs are examined to identify the source of an email message. Emails that were deleted or accidentally removed from the client’s mailbox can be recovered from the servers, as most servers (proxy or ISP) store a copy of all emails after delivery. Further, logs maintained by the servers can be analyzed to trace the address of the system responsible for making email transactions. The server examination is very useful to identify the source of the email message.
However, copies of emails and server logs are stored by the servers only for a limited time period. Moreover, SMTP servers which store data like credit card numbers and other data pertaining to the owner of the mailbox can be used to identify the person behind an email address.
Network Device Investigation
This investigation involves all the logs maintained by network devices such as routers, firewalls, and switches, which are used to investigate the source of an email message. This type of digital forensic investigation technique is complex and is used only when the server logs are not available for some reason.
Software Embedded Identifiers
The email message may include information associated with the email’s creator, attached files, or documents, embedded by the software the sender used to compose the email. This information can be present in the form of a custom header or as MIME content in Transport Neutral Encapsulation Format (TNEF). Analyzing an email for these details may reveal important information related to the sender’s email preferences and options that could help client-side evidence gathering. This digital forensic investigation method can reveal PST file names, the MAC address, the Windows login username, etc. of the client’s computer that was used to send the email message.
Sender Mailer Fingerprints
Information about the software that handles the email files at the server can be revealed from the Received header field. Additionally, the software handling email at the client can be identified by using a different set of headers, such as ‘X-Mailer’. These headers describe the applications, and their versions, used at the client to send the email. This information about the sender’s client computer can be used to help investigators create an effective plan.
Email Header Forensics
This is one of the most common digital forensic investigation techniques used by investigators to identify the culprit. A normal email structure can be defined as an envelope and header with data. Envelope means the body content of the email with attachments. Moreover, the headers of the message body contain information related to the sender, the path along which the message has traveled, etc. Sometimes, criminals spoof the metadata information to conceal the identity of the sender. Thus, a detailed analysis of header data during email header forensics helps the investigator to find evidence.
How to Examine Email Message Header Data?
Here, we are going to perform an in-depth analysis of the email message header with the help of the table given below. This digital forensic investigation process will help you to understand more about the email header data.
via a4.b4.c4.d4; Tue, 30 Nov 2010 07:36:34 -0800
(mta1294.mail.mud.bob.com: domain of email@example.com does not designate permitted sender hosts)
from=alice.com; domainkeys=neutral (no sig); from=alice.com; dkim=neutral (no sig)
127.0.0.1 (EHLO mailbox-us-s-7b.tariq.com) (a2.b2.c2.d2) by mta1294.mail.mud.bob.com with SMTP; Tue, 30 Nov 2010 07:36:34
MTBLAPTOP (unknown [a1.b1.c1.d1]) (Authenticated sender: firstname.lastname@example.org) by mailbox-us-s-7b.tariq.com (Postfix) with ESMTPA id 8F0AE139002E for ; Tue, 30 Nov 2010 15:36:23 +0000 (GMT)
The table above shows a sample header set of an email message that was sent by email@example.com, pretending to be firstname.lastname@example.org, to email@example.com. In this email, the sender’s address, date, reply address, and various other fields have been spoofed. Examination of identities such as domain names, IP addresses, etc. revealed that the servers used in the email sending process have been edited. The following header set shows the information present in the various headers of the message.
X-Apparently-To Header: It is relevant when the email has been sent as a “BCC” or to recipients of some mailing list. In most cases, this field contains the same address as the “To” field. However, when the email has been sent to a “BCC” recipient or a mailing list, X-Apparently-To is different from the “To” field.
Thus, X-Apparently-To always shows the email address of the recipient, irrespective of whether the mail has been sent using the To, Bcc, or Cc addresses or by using some mailing list.
Received-SPF: It is the value which specifies that the email has arrived from a domain which either does have an SPF record or is not yet a designated permitted sender.
Return-Path Header: It is the email address of the mailbox specified by the sender in the MailFrom command. If no authentication mechanism is in place at the sending server, then this address can also be spoofed.
X-Spam-Ratio: The X-Spam-Ratio field contains the spam score calculated by the spam filtering software of the receiving server or the MUA. Email is classified as spam when the ratio exceeds a certain pre-defined threshold.
X-Originating-IP: This reflects the IP address of the last MTA of the sending SMTP server, which has delivered email to the server of firstname.lastname@example.org.
X-Sieve Header: It defines the name and version of the message filtering system. Basically, it refers to the scripting language used to specify conditions for message filtering and handling.
X-Spam-Charsets: This field specifies the character set used for filtering the messages.
X-Resolved-To: It is the email address of the mailbox to which the email has been delivered by the MDA of Bob’s server.
X-Mail-From Header: The field specifies the email address of the mailbox specified by the sender in the MailFrom command.
Authentication-Results Header: It shows that mta1294.mail.mud.bob.com received mail from the alice.com domain, which does not have a DomainKeys signature or a DKIM signature.
Received Header Field (12): This field contains the trace information which indicates 127.0.0.1 as the IP address of the machine that sends the message.
Received Header Field (13): It represents the trace information indicating MTBLAPTOP as the name of the machine that sends the message.
From, Subject and To: These fields reflect the email address of the author, message subject and the email address of the recipient.
Content-Type, MIME-Version, Content-Transfer-Encoding, and Content-Length: The MIME header describes the type of MIME content, transfer encoding, its version, and length.
Reply-To: It is an arbitrary address that is associated with some random user who may not be related to the sender in any way.
Organization Header: This field is an information field that shows the sender’s organization.
Date Header: It shows the date on which email was composed and submitted for delivery.
Return-Receipt-To: This indicates the email address, MSA, MTA and MDA which are used for sending delivery notifications.
Disposition-Notification-To: This field reflects the email address and MUA used when submitting a message indicating that the message has been displayed.
Message ID: It is formed when a domain name is appended with a unique number by the sending server.
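The header walk-through above can be automated for triage. The following Python sketch is an added example, not part of the original article or of any tool it mentions: it orders the Received hops oldest-first and flags the inconsistencies discussed above. The sample message is constructed from the hostnames in the table; the mailbox names, the Reply-To value and the 192.0.2.x / 198.51.100.x addresses are placeholders standing in for values the table does not show.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the header set above. Mailbox names, the
# Reply-To value and the 192.0.2.x / 198.51.100.x addresses are placeholders.
SAMPLE = """\
Return-Path: <alice@alice.com>
Received-SPF: none (mta1294.mail.mud.bob.com: domain of alice@alice.com does not designate permitted sender hosts)
Authentication-Results: mta1294.mail.mud.bob.com from=alice.com; domainkeys=neutral (no sig); from=alice.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO mailbox-us-s-7b.tariq.com) (198.51.100.7)
 by mta1294.mail.mud.bob.com with SMTP; Tue, 30 Nov 2010 07:36:34 -0800
Received: from MTBLAPTOP (unknown [192.0.2.44]) (Authenticated sender: tariq@tariq.com)
 by mailbox-us-s-7b.tariq.com (Postfix) with ESMTPA id 8F0AE139002E
 for <bob@bob.com>; Tue, 30 Nov 2010 15:36:23 +0000 (GMT)
From: Alice <alice@alice.com>
Reply-To: dave@example.net

"""

def domain(addr):
    """Lower-cased domain part of an address header value ('' if absent)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def received_hops(msg):
    """Parse Received lines oldest-first (each MTA prepends its own line)."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        flat = " ".join(raw.split())  # unfold continuation lines
        pick = lambda rx: (re.search(rx, flat) or [None, None])[1]
        hops.append({"from": pick(r"\bfrom (\S+)"), "by": pick(r"\bby (\S+)"),
                     "ip": pick(r"[\[(](\d{1,3}(?:\.\d{1,3}){3})[\])]"),
                     "auth": pick(r"Authenticated sender: ([^)\s]+)")})
    return hops

def findings(msg):
    """Return (code, value) pairs for header inconsistencies worth a closer look."""
    out, from_dom = [], domain(msg["From"])
    for hop in received_hops(msg):
        if hop["auth"] and domain(hop["auth"]) != from_dom:
            out.append(("auth-sender-mismatch", hop["auth"]))
    spf = (msg["Received-SPF"] or "missing").split()[0].lower()
    if spf != "pass":
        out.append(("spf", spf))
    if "dkim=pass" not in (msg["Authentication-Results"] or "").lower():
        out.append(("dkim", "no pass"))
    if msg["Reply-To"] and domain(msg["Reply-To"]) != from_dom:
        out.append(("reply-to-mismatch", domain(msg["Reply-To"])))
    return out
```

Calling findings(message_from_string(SAMPLE)) returns four findings for the constructed message, and received_hops() puts MTBLAPTOP first as the submitting machine. Header values other than those added by the investigator's own receiving server can be forged, so treat the output as leads to confirm against server logs.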
Follow the digital forensics investigation procedure given in the above section to implement the investigation process in an effective yet smart way.
Now, You Must Be Thinking About:
Best Digital Forensic Investigation Software: Dig In Here!
Many investigators depend on digital investigation tools to investigate a case and extract the evidence. One of the most versatile and reliable email examiner tools for carrying out the forensic examination of emails is MailXaminer. The software enables an investigating officer to perform email analysis with speed, ease, and accuracy. It is integrated with features that help to examine the email file in different preview modes.
Investigators can perform digital forensic investigation techniques such as email header forensics using this feature-rich tool. MailXaminer is a smart utility for forensic examiners who need to handle and work with their cases in a seamless manner.
Email Forensics is Not Less Than a Deep Blue Sea!
Performing a digital forensic investigation is not everyone’s cup of tea. The people who deal with cybercrime or digital forensics cases are specialized forensic examiners or investigators.
Still, to deal with complex cases and get accurate evidence, the forensic investigators have to depend on various digital investigation tools to thoroughly implement the investigation process in a seamless manner. The prime aim of the forensics search is to carve out evidence and identify the culprit.
Thus, in the above section, we have explained all the major digital forensic investigation techniques that may help the investigators to perform the examination in a trouble-free way and the procedure to analyze header data in email header forensics.