Email remains one of the most widely used ways to communicate and transfer data, and the rapid growth of email communication has brought an equally rapid growth in crimes committed through it. Security is therefore a major concern in this area. In this blog we discuss the top digital forensic investigation techniques that help an investigator examine and identify crimes committed through email. Digital investigation tools support the investigator in email header forensics, whose main aim is to discover the history of a message and the identity of every entity that handled it along the way. This study also covers the investigation of metadata, port scanning and related techniques for authorship attribution and the identification of email scams.
Cybercrime now occurs very frequently. Cybercriminals spoof email messages to carry out illegal activities through the email system and stay hidden to save themselves from any possible legal during an
All such use of email can also lead to technical problems such as misuse of storage space, waste of computational resources and network congestion. Follow the digital forensic investigation process in the sections below to deal with such digital crimes.
By now you should be aware of the concept of digital forensics and its importance. In this section we discuss some of the digital forensic investigation techniques used to detect email crimes.
The aim of this technique is to obtain the IP address of the suspect, that is, the sender of the message under investigation. In the bait tactic, an email containing an HTML <img src> tag is sent to the email address under examination. The image source points at a web server controlled by the investigators. When the email is opened and the mail client fetches the image, the HTTP server hosting it records a log entry containing the IP address of the recipient, which allows the suspect to be tracked.
If the recipient is behind a proxy server, however, the address recorded is that of the proxy. The proxy server's own log can then be used to trace the recipient. If that log is unavailable for some reason, the investigators may send a bait email containing an embedded Java applet that runs on the receiver's computer, or an HTML page with an ActiveX object, to read the IP address of the receiver's computer and email it to the investigators. Two caveats apply in practice: most modern mail clients block remote images, scripts and plug-ins by default, so the absence of a hit does not show that the message was never opened; and the address logged belongs to whatever endpoint fetched the resource, which may be a security scanner or a webmail provider's image cache rather than the recipient's own machine.
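The bait tactic end to end, as an added example that is not code from the original article: a per-recipient tracking image, the small HTTP handler that serves it and logs the fetch, and the attribution step that reads the log back. The pixel host name, the URL path, the log format and the sample log lines are assumptions made for the demonstration; the addresses are RFC 5737 documentation addresses.

```python
"""Bait tactic: a per-recipient tracking image plus the log attribution step.

Added example, not code from the original article. The pixel host name,
URL path, log format and sample log lines are assumptions made for the
demonstration.
"""
import re
import secrets
from email.message import EmailMessage
from http.server import BaseHTTPRequestHandler, HTTPServer

# A valid 1x1 transparent GIF89a; this is what the <img> tag fetches.
PIXEL_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
             b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
             b"\x00\x02\x02D\x01\x00;")
HIT_LOG = "pixel_hits.log"   # assumed log location: one tab-separated line per hit


def build_bait_message(to_addr, from_addr, pixel_base_url, token=None):
    """Build the bait email. A unique token per recipient ties each later hit
    to one mailbox, so a single pixel host can serve several investigations."""
    token = token or secrets.token_hex(8)
    msg = EmailMessage()
    msg["From"] = from_addr
    msg["To"] = to_addr
    msg["Subject"] = "Re: your request"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(
        "<html><body><p>Please see the details below.</p>"
        f'<img src="{pixel_base_url}/p/{token}.gif" width="1" height="1" alt="">'
        "</body></html>", subtype="html")
    return msg, token


class PixelHandler(BaseHTTPRequestHandler):
    """Serve the image and record who fetched it. Behind a proxy the TCP peer
    is the proxy; X-Forwarded-For, if the proxy adds it, names the hop before
    the proxy (and is forgeable, so treat it as a lead, not proof)."""

    def do_GET(self):
        m = re.fullmatch(r"/p/([0-9a-f]+)\.gif", self.path)
        if not m:
            self.send_error(404)
            return
        with open(HIT_LOG, "a") as f:
            f.write("\t".join([m.group(1), self.client_address[0],
                               self.headers.get("X-Forwarded-For", "-"),
                               self.headers.get("User-Agent", "-")]) + "\n")
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Cache-Control", "no-store")   # force a fresh fetch on every open
        self.end_headers()
        self.wfile.write(PIXEL_GIF)


def attribute_hits(log_lines):
    """Group hit-log lines by token and pick the best origin address per hit."""
    hits = {}
    for line in log_lines:
        token, peer_ip, xff, user_agent = line.rstrip("\n").split("\t", 3)
        via_proxy = xff != "-"
        origin = xff.split(",")[0].strip() if via_proxy else peer_ip
        hits.setdefault(token, []).append({
            "peer_ip": peer_ip, "origin_ip": origin,
            "via_proxy": via_proxy, "user_agent": user_agent})
    return hits


# Constructed sample of the log PixelHandler writes: one direct fetch and one
# fetch relayed through a proxy that added X-Forwarded-For.
SAMPLE_HITS = [
    "c0ffee0badc0ffee\t198.51.100.7\t-\tMozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "c0ffee0badc0ffee\t203.0.113.9\t192.0.2.55, 203.0.113.9\tMozilla/5.0 (X11; Linux x86_64)",
]

if __name__ == "__main__":
    msg, token = build_bait_message("suspect@example.net", "support@example.com",
                                    "https://pixel.example.com", token="c0ffee0badc0ffee")
    print(msg.get_body(preferencelist=("html",)).get_content())
    for hit in attribute_hits(SAMPLE_HITS)[token]:
        print(hit)
    # To collect real hits: HTTPServer(("0.0.0.0", 8080), PixelHandler).serve_forever()
```

The token in the image URL is what makes the log usable as evidence: without it, a hit on a shared pixel cannot be tied to one recipient. The Cache-Control header matters for the same reason, since a cached image produces no second log line when the message is reopened.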
Server investigation examines copies of delivered emails and server logs to identify the source of a message. Email deleted from the client, which cannot be recovered there, may be requested from the servers, since most servers (proxy or ISP) keep a copy of emails after delivery. The logs maintained by the servers can then be analysed to trace the address of the system responsible for the email transaction. Server examination is therefore very useful for identifying the source of an email message.
Servers keep copies of email and their logs only for a limited period, however, so requests must be made promptly. In addition, mail providers that hold data such as credit card numbers and other details pertaining to the owner of a mailbox can help identify the person behind an email address.
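The server-side tracing described above, as an added example that is not code from the original article: the queue ID stamped into a Received header (here 8F0AE139002E, from the article's header table) is the key that links the message to the MTA's own log, where the submitting IP, the authenticated mailbox and the envelope sender are recorded independently of anything the client wrote. The log lines are constructed in the format Postfix writes to the mail log; the host name, process IDs, sizes and the RFC 5737 documentation addresses are assumptions.

```python
"""Server-side tracing: correlate a Received header's queue ID with the MTA log.

Added example, not code from the original article. MAILLOG is constructed in
Postfix's mail log format around the queue ID 8F0AE139002E from the article's
header table; host name, PIDs, sizes and IP addresses are assumptions.
"""
import re

# The origin Received header from the article's table, with a documentation
# address in place of its a1.b1.c1.d1 placeholder and the recipient filled in.
RECEIVED = ("from MTBLAPTOP (unknown [192.0.2.1]) (Authenticated sender: "
            "firstname.lastname@example.org) by mailbox-us-s-7b.tariq.com (Postfix) "
            "with ESMTPA id 8F0AE139002E for <email@example.com>; "
            "Tue, 30 Nov 2010 15:36:23 +0000 (GMT)")

MAILLOG = """\
Nov 30 15:36:22 mailbox-us-s-7b postfix/smtpd[2213]: connect from unknown[192.0.2.1]
Nov 30 15:36:23 mailbox-us-s-7b postfix/smtpd[2213]: 8F0AE139002E: client=unknown[192.0.2.1], sasl_method=PLAIN, sasl_username=firstname.lastname@example.org
Nov 30 15:36:23 mailbox-us-s-7b postfix/cleanup[2219]: 8F0AE139002E: message-id=<20101130153623.8F0AE139002E@mailbox-us-s-7b.tariq.com>
Nov 30 15:36:23 mailbox-us-s-7b postfix/qmgr[1102]: 8F0AE139002E: from=<firstname.lastname@example.org>, size=2311, nrcpt=1 (queue active)
Nov 30 15:36:23 mailbox-us-s-7b postfix/smtpd[2213]: disconnect from unknown[192.0.2.1]
Nov 30 15:36:34 mailbox-us-s-7b postfix/smtp[2230]: 8F0AE139002E: to=<email@example.com>, relay=mta1294.mail.mud.bob.com[203.0.113.4]:25, delay=11, delays=0.2/0.01/0.6/10, dsn=2.0.0, status=sent (250 ok)
Nov 30 15:36:34 mailbox-us-s-7b postfix/qmgr[1102]: 8F0AE139002E: removed
"""


def queue_id_from_received(received):
    """Pull the MTA queue ID ('... with ESMTPA id 8F0AE139002E ...') from a Received header."""
    m = re.search(r"\bid\s+([0-9A-Za-z]+)", received)
    return m.group(1) if m else None


def trace_queue_id(log_text, qid):
    """Collect everything the MTA logged for one queue ID, keyed by daemon."""
    trace = {"queue_id": qid, "recipients": [], "events": []}
    line_re = re.compile(r"(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) postfix/(\w+)\[\d+\]: "
                         + re.escape(qid) + r": (.*)")
    for line in log_text.splitlines():
        m = line_re.match(line)
        if not m:
            continue
        ts, host, daemon, rest = m.groups()
        trace["events"].append((ts, daemon, rest))
        if daemon == "smtpd":            # who connected and how they authenticated
            c = re.search(r"client=(\S+?)\[([^\]]+)\]", rest)
            if c:
                trace["client_host"], trace["client_ip"] = c.groups()
            u = re.search(r"sasl_username=(\S+)", rest)
            if u:
                trace["sasl_username"] = u.group(1)
        elif daemon == "cleanup":        # Message-ID as the MTA saw or assigned it
            mid = re.search(r"message-id=(<[^>]+>)", rest)
            if mid:
                trace["message_id"] = mid.group(1)
        elif daemon == "qmgr":           # envelope sender (MAIL FROM), not the From: header
            fr = re.search(r"from=<([^>]*)>", rest)
            if fr:
                trace["envelope_from"] = fr.group(1)
        elif daemon == "smtp":           # onward delivery: recipient, next relay, result
            to = re.search(r"to=<([^>]+)>.*?relay=(\S+),.*?status=(\w+)", rest)
            if to:
                trace["recipients"].append({"to": to.group(1), "relay": to.group(2),
                                            "status": to.group(3)})
    return trace


def evidence_summary(log_text, received):
    """Trace the header's queue ID and say whether header and log agree on the origin."""
    qid = queue_id_from_received(received)
    t = trace_queue_id(log_text, qid)
    consistent = (f"[{t.get('client_ip')}]" in received
                  and t.get("sasl_username", "") in received)
    return t, consistent


if __name__ == "__main__":
    trace, ok = evidence_summary(MAILLOG, RECEIVED)
    for key in ("client_ip", "client_host", "sasl_username", "envelope_from", "message_id"):
        print(f"{key:14} {trace.get(key)}")
    print("recipients:", trace["recipients"])
    print("header and log agree on origin:", ok)
```

The authenticated username and submitting IP in the smtpd line are the server's own record of who injected the message; they are the evidence to request from the provider, since the From: and Date: headers can be set freely by the client. Retention is the constraint the text mentions: the log lines exist only as long as the provider keeps them.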
In network device investigation, the logs maintained by network devices such as routers, firewalls and switches are used to trace the source of an email message. This technique is complex and is normally used only when the server logs are unavailable for some reason.
The software used by the sender to compose an email may include information about the creator and any attached files or documents in the message. This information may take the form of custom headers or of MIME content in Transport Neutral Encapsulation Format (TNEF). Analysing an email for these details may reveal the sender's email preferences and options that help client-side evidence gathering; it can expose PST file names, the MAC address, the Windows login username and similar details of the client computer used to send the message.
The Received header fields reveal the software that handled the email at each server. The software handling email at the client can be identified from headers such as X-Mailer, which describe the application and version used at the client to send the email. This information about the sender's client computer helps investigators plan an effective examination.
This is the most common technique that investigators and examiners use to identify the culprit during an investigation. Metadata in an email message is like control information. A normal email structure can
In this section we analyse an email message header with the help of the table below. This will help you understand the email header data in more depth.
| No. | Header | Value |
|-----|--------|-------|
| 1 | X-Apparently-To: | email@example.com via a4.b4.c4.d4; Tue, 30 Nov 2010 07:36:34 -0800 |
| 2 | Return-Path: | <firstname.lastname@example.org> |
| 3 | Received-SPF: | none (mta1294.mail.mud.bob.com: domain of email@example.com does not designate permitted sender hosts) |
| 6 | X-Sieve: | CMU Sieve 2.3 |
| 11 | Authentication-Results: | mta1294.mail.mud.bob.com from=alice.com; domainkeys=neutral (no sig); from=alice.com; dkim=neutral (no sig) |
| 12 | Received: | from 127.0.0.1 (EHLO mailbox-us-s-7b.tariq.com) (a2.b2.c2.d2) by mta1294.mail.mud.bob.com with SMTP; Tue, 30 Nov 2010 07:36:34 -0800 |
| 13 | Received: | from MTBLAPTOP (unknown [a1.b1.c1.d1]) (Authenticated sender: firstname.lastname@example.org) by mailbox-us-s-7b.tariq.com (Postfix) with ESMTPA id 8F0AE139002E for ; Tue, 30 Nov 2010 15:36:23 +0000 (GMT) |
| 15 | Subject: | A Sample Mail Message |
| 17 | Content-Type: | multipart/alternative; charset="utf-8"; boundary="KnRl8MgwQQWMSCW6Q5=_HgI2hw Adah5NLY" |
| 23 | Date: | Tue, 28 Nov 2010 21:06:22 +0530 |
The table above shows a sample header set of a message sent by email@example.com pretending to be firstname.lastname@example.org and delivered to email@example.com. The sender's address, date, reply address and various other fields have been spoofed. The inconsistencies are visible in the headers themselves: the Date field (28 Nov 2010 21:06:22 +0530) is almost two days earlier than the first Received stamp (30 Nov 2010 15:36:23 +0000), which the servers wrote and the sender could not control, and the identity named in the Received-SPF check (email@example.com) is not the Return-Path (firstname.lastname@example.org). Examination of identities such as domain names and IP addresses revealed that the server entries in the delivery path had been tampered with. The header set shows the information carried by the various fields of the message; read the section below to see how these techniques help in the investigation.
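The header analysis of the table above, together with the X-Mailer and Received-chain fingerprinting described earlier, as an added example that is not code from the original article. SAMPLE_HEADERS is constructed from the table: the a1.b1.c1.d1-style placeholders are replaced with RFC 5737 documentation addresses, the stripped recipient in the `for` clause is filled in, and the From and X-Mailer lines (absent from the table) are assumptions added for the demonstration. The analyser walks the Received chain from origin to delivery, pulls out the client-side fingerprints, and flags the checks a practitioner would run first: client-written Date against server-written Received stamps, hop ordering, SPF and DKIM results, and envelope versus header identities.

```python
"""Email header forensics: walk the Received chain, pull client-side
fingerprints (X-Mailer, authenticated sender, MTA queue ID) and flag
inconsistencies between what the sender wrote and what the servers stamped.

Added example, not code from the original article. SAMPLE_HEADERS is
constructed from the article's header table with RFC 5737 documentation
addresses in place of its placeholders; the From and X-Mailer lines are
assumptions added for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

SAMPLE_HEADERS = """\
X-Apparently-To: email@example.com via 203.0.113.4; Tue, 30 Nov 2010 07:36:34 -0800
Return-Path: <firstname.lastname@example.org>
Received-SPF: none (mta1294.mail.mud.bob.com: domain of email@example.com does not designate permitted sender hosts)
X-Sieve: CMU Sieve 2.3
Authentication-Results: mta1294.mail.mud.bob.com from=alice.com; domainkeys=neutral (no sig); from=alice.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO mailbox-us-s-7b.tariq.com) (198.51.100.2)
  by mta1294.mail.mud.bob.com with SMTP; Tue, 30 Nov 2010 07:36:34 -0800
Received: from MTBLAPTOP (unknown [192.0.2.1]) (Authenticated sender: firstname.lastname@example.org)
  by mailbox-us-s-7b.tariq.com (Postfix) with ESMTPA id 8F0AE139002E
  for <email@example.com>; Tue, 30 Nov 2010 15:36:23 +0000 (GMT)
From: firstname.lastname@example.org
X-Mailer: SampleMailClient/2.3
Subject: A Sample Mail Message
Content-Type: multipart/alternative; charset="utf-8"; boundary="KnRl8MgwQQWMSCW6Q5=_HgI2hwAdah5NLY"
Date: Tue, 28 Nov 2010 21:06:22 +0530

"""

IP_RE = r"\d{1,3}(?:\.\d{1,3}){3}"


def _first(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None


def parse_received(value):
    """Split one Received header into the fields an investigator needs."""
    v = " ".join(value.split())                        # unfold continuation lines
    head, _, stamp = v.rpartition(";")                 # the timestamp follows the last ';'
    stamp = re.sub(r"\([^)]*\)", "", stamp).strip()    # drop comments such as (GMT)
    return {
        "from_host": _first(r"\bfrom\s+(\S+)", head),  # self-declared by the client, forgeable
        # the address the receiving MTA actually observed is the bracketed/parenthesised one
        "from_ip": _first(r"[\[(]\s*(" + IP_RE + r")\s*[\])]", head),
        "by": _first(r"\bby\s+(\S+)", head),
        "proto": _first(r"\bwith\s+(\S+)", head),
        "id": _first(r"\bid\s+(\S+)", head),
        "auth_sender": _first(r"Authenticated sender:\s*([^)\s]+)", head),
        "time": parsedate_to_datetime(stamp),
    }


def analyze(raw_headers):
    """Return the hop chain (origin first), client fingerprints and findings."""
    msg = message_from_string(raw_headers)
    hops = [parse_received(r) for r in reversed(msg.get_all("Received", []))]
    spf = msg.get("Received-SPF", "")
    report = {
        "hops": hops,
        "origin_ip": hops[0]["from_ip"] if hops else None,
        "auth_sender": next((h["auth_sender"] for h in hops if h["auth_sender"]), None),
        "queue_ids": [h["id"] for h in hops if h["id"]],
        "x_mailer": msg.get("X-Mailer"),
        "spf": spf.split()[0] if spf else None,
        "dkim": _first(r"dkim=(\w+)", msg.get("Authentication-Results", "")),
        "findings": [],
    }
    f = report["findings"]
    # 1. Date: is written by the client; Received: stamps are written by servers.
    if hops and msg.get("Date"):
        skew_h = (hops[0]["time"] - parsedate_to_datetime(msg["Date"])).total_seconds() / 3600
        if abs(skew_h) > 1:
            f.append(f"Date header is {skew_h:+.1f} h off from the first Received stamp (positive: Date is earlier)")
    # 2. Each hop should be stamped no earlier than the one before it.
    for prev, cur in zip(hops, hops[1:]):
        if cur["time"] < prev["time"]:
            f.append(f"Received chain runs backwards at {cur['by']}")
    # 3. The identity SPF was evaluated against should be the Return-Path (MAIL FROM).
    spf_identity = _first(r"domain of (\S+)", spf)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    if spf_identity and return_path and spf_identity != return_path:
        f.append(f"Received-SPF identity {spf_identity} differs from Return-Path {return_path}")
    if report["spf"] and report["spf"] != "pass":
        f.append(f"SPF result '{report['spf']}': sending host not authorised for the domain")
    if report["dkim"] and report["dkim"] != "pass":
        f.append(f"DKIM result '{report['dkim']}': no valid signature, From: is unverified")
    # 4. A From: that differs from the authenticated sender is a spoofing hint.
    from_addr = parseaddr(msg.get("From", ""))[1]
    if from_addr and report["auth_sender"] and from_addr != report["auth_sender"]:
        f.append(f"From {from_addr} differs from authenticated sender {report['auth_sender']}")
    return report


if __name__ == "__main__":
    r = analyze(SAMPLE_HEADERS)
    for i, h in enumerate(r["hops"], 1):
        print(f"hop {i}: {h['from_host']} [{h['from_ip']}] -> {h['by']} via {h['proto']} at {h['time']}")
    print("origin:", r["origin_ip"], "auth:", r["auth_sender"], "client:", r["x_mailer"])
    for finding in r["findings"]:
        print("-", finding)
```

Reading the chain bottom-up matters because each MTA prepends its own Received line, so the last one in the raw text is the first hop; anything below the hop your own server wrote is under the sender's control and may be fabricated, which is why the queue ID and the bracketed IP in that trusted hop are the values to carry into the server-log trace.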
Follow the digital forensics investigation procedure given in the sections above to perform the investigation in a simple and fast way.
Now, You Must Be Thinking About:
Many investigators depend on digital investigation tools to work a case and extract the evidence. One versatile and reliable application for carrying out a forensic investigation is MailXaminer. It lets the forensic examiner perform in-depth analysis of email with speed, ease and accuracy, and its features allow an email file to be examined and analysed in different views. Investigators can perform techniques such as email header forensics with the help of the tool, which makes it a useful utility for forensic examiners who need to handle their cases in a seamless manner.
Performing a digital forensic investigation is not everyone's cup of tea. The people who deal with cybercrime or digital forensics cases are specialised forensic examiners or investigators. Even so, to deal with complex cases and obtain accurate evidence, forensic investigators rely on various digital investigation tools to carry out the investigation in a seamless manner. The prime aim of the forensic search is to carve out evidence and identify the culprit. In the sections above we have therefore explained the major digital forensic investigation techniques that help investigators perform an investigation in a trouble-free way, and how to analyse header data in email header forensics.