Top 6 Digital Forensic Investigation Techniques For Effortless Investigation

MailXaminer | February 19th, 2019 | Forensics

In this modern era, email has emerged as the most widely used method to communicate and transfer data. The rapid growth in email communication has also led to a rapid growth in crimes committed through email, which makes security the major issue facing this area. In this blog, we are going to discuss the top digital forensic investigation techniques that help an investigator examine and identify crimes committed through email. Digital investigation tools assist investigators in email header forensics, which mainly aims to discover the history of a message and the identity of every entity associated with it during the investigation. Moreover, this study includes the investigation of metadata, port scanning etc. for authorship attribution and the identification of email scams. Nowadays email crimes occur in many forms, which makes detecting them a very difficult task during the investigation process.

Do You Know Why Digital Forensic Investigation is Important?

Nowadays, cybercrime occurs very frequently. Cybercriminals spoof email messages to carry out illegal activities through the email system and stay hidden to protect themselves from any possible legal action during an email forensics investigation. The illegitimate activities include:

  • Abuses like spamming, phishing, cyberbullying, child pornography, racial vilification etc.
  • Misuse by transmission of viruses, worms, Trojan horses, and other malicious programs with the intent of spreading them over the Internet.

All such uses of email can lead to various technical problems such as misuse of storage space, wastage of computational resources, and network congestion. Follow the digital forensic investigation process described in the section below to deal with digital crimes.

Let Us Check Out Some Important Digital Forensic Investigation Techniques

By now you should be aware of the digital forensics concept and its importance. Moving further, in this section we are going to discuss some digital forensic investigation techniques used for detecting email crimes.

  • Bait Tactics

The aim of this digital forensic investigation process is to extract and record the IP address of the culprit. In the bait tactic scenario, an email containing an HTTP “<img src>” tag is sent to the email address under examination. The image tag points to an image source hosted on a computer that is supervised by the investigators. When the email is opened, a log entry containing the IP address of the recipient is recorded on the HTTP server hosting the image. This results in the tracking of the sender.

However, if the recipient is using a proxy server, then the IP address of the proxy server is recorded instead. The log on the proxy server can then be used for forensic email tracking of the sender. If, for some reason, the proxy server’s log is unavailable, investigators may send a tactic email containing an embedded Java applet that runs on the receiver’s computer, or an HTML page with an ActiveX object, which extracts the IP address of the receiver’s computer and emails it to the investigators. Note that current mail clients block remote images by default and no longer run Java applets or ActiveX controls, so whether this technique yields anything depends on the recipient’s software and settings.

  • Server Investigation

Server investigation is the digital forensics procedure of examining copies of delivered emails and server logs to identify the source of an email message. Email removed from the client, whose recovery is not otherwise possible, may be requested from the servers, since most servers (proxy or ISP) store a copy of all emails after delivery. Further, the logs maintained by the servers can be analyzed to trace the address of the system responsible for the email transaction. Server examination is very useful for identifying the source of an email message.

However, servers keep copies of email and server logs only for a limited time period. Moreover, SMTP servers that store data such as credit card numbers and other details pertaining to the owner of a mailbox can be used to identify the person behind an email address.

  • Network Device Investigation

In network device investigation, the logs maintained by network devices such as routers, firewalls, and switches are used to investigate the source of an email message. This type of digital forensic investigation technique is complex and is used only when the server logs are unavailable for some reason.

  • Software Embedded Identifiers

Information associated with the email creator, attached files or documents may be included with the message by the email software the sender used to compose it. This information may be present in the form of custom headers or as MIME content in Transport Neutral Encapsulation Format (TNEF). Analyzing an email for these details in email digital forensics may reveal important information about the sender’s email preferences and options that can help client-side evidence gathering. This digital forensic investigation method can reveal PST file names, the MAC address, the Windows login username etc. of the client computer used to send the email message.

  • Sender Mailer Fingerprints

Information about the software that handles email files at the server can be revealed from the Received header field. Additionally, the software handling email at the client can be identified from header fields such as ‘X-Mailer’, which describe the applications, and their versions, used at the client to send the email. This information about the sender’s client computer helps investigators create an effective plan.

  • Email Header Forensics

This is the most common digital forensic investigation technique used by investigators and examiners to identify the culprit. Metadata in an email message acts as its control information. A normal email structure can be defined as an envelope and headers with data: the envelope is the body content of the email with its attachments, and the headers contain information about the sender, the path along which the message has travelled, etc. Sometimes this metadata is spoofed by criminals to conceal the identity of the sender. Thus, a detailed analysis of the header data during email header forensics helps the investigator carve out evidence.

How to Examine Email Message Header Data

In this section, we perform an analysis of an email message header with the help of the table given below. This digital forensic investigation process will help you understand the email header data in more depth.

S No.  Header: Value
1      X-Apparently-To: bob@bob.com via a4.b4.c4.d4; Tue, 30 Nov 2010 07:36:34 -0800
2      Return-Path: <alice@alice.com>
3      Received-SPF: none (mta1294.mail.mud.bob.com: domain of alice@alice.com does not designate permitted sender hosts)
4      X-Spam-Ratio: 3.2
5      X-Originating-IP: [a2.b2.c2.d2]
6      X-Sieve: CMU Sieve 2.3
7      X-Spam-Charsets: Plain='utf-8' html='utf-8'
8      X-Resolved-To: bob@bob.com
9      X-Delivered-To: bob@bob.com
10     X-Mail-From: alice@alice.com
11     Authentication-Results: mta1294.mail.mud.bob.com from=alice.com; domainkeys=neutral (no sig); from=alice.com; dkim=neutral (no sig)
12     Received: from 127.0.0.1 (EHLO mailbox-us-s-7b.tariq.com) (a2.b2.c2.d2) by mta1294.mail.mud.bob.com with SMTP; Tue, 30 Nov 2010 07:36:34 -0800
13     Received: from MTBLAPTOP (unknown [a1.b1.c1.d1]) (Authenticated sender: tariq@tariq.com) by mailbox-us-s-7b.tariq.com (Postfix) with ESMTPA id 8F0AE139002E for ; Tue, 30 Nov 2010 15:36:23 +0000 (GMT)
14     From: "Allice" <Alice@a.com>
15     Subject: A Sample Mail Message
16     To: "Bob Jones" <bob@bob.com>
17     Content-Type: multipart/alternative; charset="utf-8"; boundary="KnRl8MgwQQWMSCW6Q5=_HgI2hw Adah5NLY"
18     MIME-Version: 1.0
19     Content-Transfer-Encoding: 8bit
20     Content-Length: 511
21     Reply-To: "Smith" <smith@smith.com>
22     Organization: Alices Organization
23     Date: Tue, 28 Nov 2010 21:06:22 +0530
24     Return-Receipt-To: smith@smith.com
25     Disposition-Notification-To: jones@jones.com
26     Message-Id: <20101130153623.8F0AE139002E@mailbox-us-s7b.tariq.com>

The table above shows a sample header set of an email message sent by tariq@tariq.com pretending to be alice@alice.com, addressed to bob@bob.com. In this email the sender’s address, date, reply address and various other fields have been spoofed. Examination of identities such as the domain names and IP addresses reveals that the servers used in sending the email have been edited. The header set shows the information present in the various headers of the message. Read the section below to see how these digital forensic investigation techniques help in the investigation.

  • X-Apparently-To: This header is relevant when the email has been sent as a BCC or to the recipients of a mailing list. In most cases this field contains the same address as the To field; when the email has been sent to a BCC recipient or a mailing list, X-Apparently-To differs from the To field. Thus, X-Apparently-To always shows the email address of the actual recipient, whether the mail was addressed using To, CC or BCC or through a mailing list.
  • Received-SPF: This value specifies that the mail came from a domain that either does not have an SPF record or has not designated the sending host as a permitted sender.
  • Return-Path: The email address of the mailbox specified by the sender in the MAIL FROM command. If no authentication mechanism is in place at the sending server, this address can also be spoofed.
  • X-Spam-Ratio: Contains the spam score (or ratio) calculated by the spam filtering software of the receiving server. Email is classified as spam when the ratio exceeds a pre-defined threshold.
  • X-Originating-IP: Reflects the IP address of the last MTA of the sending SMTP server, which delivered the email to the server of bob@bob.com.
  • X-Sieve: Gives the name and version of the message filtering system. Sieve is the scripting language used to specify conditions for message filtering and handling.
  • X-Spam-Charsets: Specifies the character sets used when filtering the message.
  • X-Resolved-To: The email address of the mailbox to which the mail was delivered by the MDA of Bob’s server.
  • X-Mail-From: Specifies the email address of the mailbox given by the sender in the MAIL FROM command.
  • Authentication-Results: Shows that mta1294.mail.mud.bob.com received mail from the alice.com domain carrying neither a DomainKeys signature nor a DKIM signature.
  • Received header field (12): Contains trace information indicating 127.0.0.1 as the IP address of the machine that sent the message.
  • Received header field (13): Contains trace information indicating MTBLAPTOP as the name of the machine that sent the message.
  • From, Subject and To: These fields give the email address of the author, the message subject and the email address of the recipient.
  • Content-Type, MIME-Version, Content-Transfer-Encoding, and Content-Length: These MIME headers describe the type of MIME content, the transfer encoding, the MIME version, and the length.
  • Reply-To: An arbitrary address that may belong to some random user who is not related to the sender in any way.
  • Organization: An informational field that shows the sender’s organization.
  • Date: Shows the date on which the email was composed and submitted for delivery.
  • Return-Receipt-To: Indicates the email address, and the MSA, MTA and MDA, used for sending delivery notifications.
  • Disposition-Notification-To: Reflects the email address and MUA to be used when submitting a message indicating that the message has been displayed.
  • Message-Id: Formed by the sending server by appending its domain name to a unique number.
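As an added worked example (not part of the original post and not MailXaminer code), the following Python script applies the header checks above, and the sender mailer fingerprinting described earlier, to the sample header set from the table: it rebuilds the Received chain in delivery order, compares the sender identities claimed in From, Return-Path, Reply-To, Message-Id, the authenticated sender and the Received-SPF result, measures the gap between the client-supplied Date and the first server timestamp, and extracts the client and server software names. The sample is constructed from the table with its placeholder IPs kept; the X-Mailer value and the folding of the two Received lines are assumptions added for the example.

```python
import re
from email import message_from_string, utils

# Constructed sample adapted from the header table above (placeholder IPs kept).
# The X-Mailer line and the folding of the Received lines are assumptions.
SAMPLE_HEADERS = """\
Return-Path: <alice@alice.com>
Received-SPF: none (mta1294.mail.mud.bob.com: domain of alice@alice.com does not designate permitted sender hosts)
X-Originating-IP: [a2.b2.c2.d2]
Authentication-Results: mta1294.mail.mud.bob.com from=alice.com; domainkeys=neutral (no sig); from=alice.com; dkim=neutral (no sig)
Received: from 127.0.0.1 (EHLO mailbox-us-s-7b.tariq.com) (a2.b2.c2.d2)
 by mta1294.mail.mud.bob.com with SMTP; Tue, 30 Nov 2010 07:36:34 -0800
Received: from MTBLAPTOP (unknown [a1.b1.c1.d1]) (Authenticated sender: tariq@tariq.com)
 by mailbox-us-s-7b.tariq.com (Postfix) with ESMTPA id 8F0AE139002E; Tue, 30 Nov 2010 15:36:23 +0000 (GMT)
From: "Allice" <Alice@a.com>
To: "Bob Jones" <bob@bob.com>
Reply-To: "Smith" <smith@smith.com>
X-Mailer: ExampleMailer 1.0
Date: Tue, 28 Nov 2010 21:06:22 +0530
Message-Id: <20101130153623.8F0AE139002E@mailbox-us-s7b.tariq.com>

(body omitted)
"""

# "from <host> (<reverse DNS / IP>) ... by <receiving MTA>" inside one Received line
HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")
AUTH_RE = re.compile(r"Authenticated sender:\s*(?P<user>[^\s)]+)")
SOFTWARE_RE = re.compile(r"\bby\s+\S+\s+\(([^)]*)\)")  # e.g. "by host (Postfix)"


def parse_message(raw):
    """Parse a raw RFC 5322 message (headers plus body) into a Message object."""
    return message_from_string(raw)


def domain_of(addr):
    """Lower-cased domain of an address such as '"Bob" <bob@bob.com>' ('' if none)."""
    return utils.parseaddr(addr or "")[1].rpartition("@")[2].lower()


def received_chain(msg):
    """Received hops in delivery order: each MTA prepends its line, so the last one is the origin."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # undo header folding
        m = HOP_RE.search(flat)
        if not m:
            continue
        auth = AUTH_RE.search(flat)
        hops.append({
            "from": m.group("from"),
            "info": m.group("info") or "",
            "by": m.group("by"),
            "authenticated_sender": auth.group("user") if auth else None,
            "timestamp": utils.parsedate_to_datetime(flat.rpartition(";")[2]),  # after the ';'
        })
    return hops


def identity_mismatches(msg):
    """Sender identities that should agree on a legitimate message but differ here."""
    from_dom = domain_of(msg.get("From"))
    msgid_dom = (msg.get("Message-Id") or "").strip().strip("<>").rpartition("@")[2].lower()
    candidates = [("Return-Path", domain_of(msg.get("Return-Path"))),
                  ("Reply-To", domain_of(msg.get("Reply-To"))),
                  ("Message-Id", msgid_dom)]
    findings = [f"{name} domain {dom!r} != From domain {from_dom!r}"
                for name, dom in candidates if dom and dom != from_dom]
    for hop in received_chain(msg):  # SMTP AUTH user recorded by the submission server
        user = hop["authenticated_sender"]
        if user and domain_of(user) != from_dom:
            findings.append(f"authenticated sender {user!r} is not in From domain {from_dom!r}")
    spf = (msg.get("Received-SPF") or "").split(None, 1)  # first token is the SPF result
    if spf and spf[0].lower() in ("none", "fail", "softfail"):
        findings.append(f"Received-SPF result is {spf[0].lower()!r}")
    return findings


def date_skew_seconds(msg):
    """Seconds between the client-supplied Date (trivially forged) and the first server stamp."""
    composed = utils.parsedate_to_datetime(msg.get("Date"))
    return (received_chain(msg)[0]["timestamp"] - composed).total_seconds()


def mailer_fingerprint(msg):
    """Client and server software named in the headers (sender mailer fingerprints)."""
    hops = received_chain(msg)
    software = []
    for value in msg.get_all("Received", []):
        m = SOFTWARE_RE.search(" ".join(value.split()))
        if m:
            software.append(m.group(1))
    return {"client_mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
            "client_host": hops[0]["from"] if hops else None,
            "server_software": software}


if __name__ == "__main__":
    msg = parse_message(SAMPLE_HEADERS)
    for i, hop in enumerate(received_chain(msg), 1):
        print(f"hop {i}: {hop['from']} ({hop['info']}) -> {hop['by']} at {hop['timestamp']}")
    print("date skew (s):", date_skew_seconds(msg))
    print("fingerprint:", mailer_fingerprint(msg))
    for finding in identity_mismatches(msg):
        print("mismatch:", finding)
```

On the sample, the chain resolves to MTBLAPTOP submitting via mailbox-us-s-7b.tariq.com (Postfix) and then mta1294.mail.mud.bob.com, the Date header predates the first server stamp by two days, and every cross-check flags a different identity than the From address, which is exactly the spoofing the table is meant to illustrate. Only the Received lines written by servers the investigator trusts carry evidential weight; everything the client supplies, including Date, From and X-Mailer, is an assertion to be corroborated.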

Follow the digital forensics investigation procedure given in the section above to perform the investigation process in a simple and fast way.

Now, You Must Be Thinking About:

Best Digital Forensic Investigation Software: Dig In Here!

Many investigators depend on digital investigation tools to investigate a case and extract evidence. One of the most versatile and reliable software packages for carrying out a forensic investigation is MailXaminer. This utility permits the forensic examiner to perform in-depth analysis of email with speed, ease, and accuracy. The software is integrated with features that help to examine and analyse email files in different views. Investigators can effortlessly perform digital forensic investigation techniques such as email header forensics with the help of the tool. MailXaminer is a smart utility for all forensic examiners who need to handle and work on their cases in a seamless manner.

Email Forensics is Not Less Than A Deep Blue Sea!

Performing a digital forensic investigation is not everyone’s cup of tea. People who deal with cybercrime or digital forensics cases are specialized as forensic examiners/investigators. Still, to deal with complex cases and obtain accurate evidence, forensic investigators have to depend on various digital investigation tools to carry out the investigation process seamlessly. The prime aim of a forensic search is to carve out evidence and identify the culprit. Thus, in the sections above we have explained the major digital forensic investigation techniques that help investigators perform the investigation in a trouble-free way, and how to analyse header data in email header forensics.