Gmail Email Forensics Analysis – Explore Internet Header

MailXaminer | May 20th, 2020 | Forensics

Gmail is one of the most popular and widely used web-based email applications across the globe. As the number of users has grown, the number of cybercrime cases involving Gmail has also increased tremendously, so there is a clear need for Gmail email forensic analysis. Investigating officers can use different techniques to analyze a Gmail mailbox forensically; here we present the best solution for analyzing Gmail emails in a hassle-free way.

The term email forensics refers to the scientific method of collecting legal evidence by examining the source and content of electronic mail, which can then be used as proof in a court of law. It should be noted that Gmail is not fundamentally different from other web-based email programs, so largely the same techniques apply to the forensic analysis of Gmail artifacts as to other email applications.

Possible Ways to Perform Forensic Analysis of Gmail Artifact

There are different ways to perform forensic analysis of email applications, including Gmail: email header forensics, bait tactics, Gmail server investigation, network device investigation, and so on. However, for an in-depth investigation that examines every minute detail of the email data, automated email forensic software is recommended.

Gmail Email Forensics Analysis of Internet Header

  • Analysis of Gmail Email without Attachments
    The Gmail internet header is an important and valuable source of information in the forensic analysis of emails. It contains the actual sender’s address, the recipient’s address, and the exact date and time when the email was sent and received. Apart from that, the server path the message took, the IP addresses involved, etc. can also be identified. The metadata can also be stored on the server and retrieved later. However, to trace header information when the email message itself is no longer available, third-party software is suggested.
  • Gmail Email Forensics Analysis with Attachments
    For Gmail emails with attachments, the internet header also includes detailed information about the attachments, such as images, text files, etc. For example, the metadata of a digital image contains information like picture size, color, image resolution, creation date, and other details, whereas the metadata of a text document includes information about the length of the file, author, time and date written, summary, etc. The procedure for performing Gmail email forensics analysis manually is described below.

Step 1: Extract Gmail Email Header Information

Follow the steps below to view the email header details of a Gmail email message.

Note: The process of finding the headers of an email in a Gmail account is summarized in the picture below.

  • Open the Gmail email message
  • Now, click the down-arrow located next to the Reply button
  • Choose the “Show original” option from the list to view the email header.

[Image: Gmail Email Forensics]

Step 2: Extracting Information through Gmail Email Header Analysis

A description of each section of the Gmail email header is given below:

[Image: Gmail Email Forensics Analysis]

Delivered-To: This line shows the email address the message was delivered to, i.e. the destination or receiver’s email address.

Received: This line shows the time the message reached Gmail’s server, i.e. the email provider of the receiver’s/destination address.

X-Received: This line displays the X-Received information. It contains the IP address or the name of the server used to send the email.

Return-Path: This line displays the Return-Path, i.e. the address from which the message was sent. Technically, it contains the address recorded by the Mail/Message Delivery Agent (MDA) from the MAIL FROM SMTP command. The problem is that this information can easily be spoofed by an expert criminal. Hence, it is not considered reliable or taken into account until it has been examined by professional analysts during Gmail email forensics.

Received: This line in the header shows that the message was received by a Gmail server from the sender’s email provider on a particular date and time, i.e. the received date and time.

Received-SPF: This line displays the Received-SPF result, which indicates the type of email service used to send the email message. It also includes an ID that can be used to analyze the logs of the transmitting mail server. This helps in examining the legitimacy of the email, i.e. whether or not it was actually sent from that service. Moreover, if the ID is not available, there is a chance that the email message has been spoofed.

From, To, Subject, Date: These lines display the sender’s email address, the destination email address, the subject, and the date and time when the email was composed. All of this information is entered by the sender, except the date and time, which is set by the email application when the message is composed.

Message-ID: The Message-ID is a globally unique string assigned to a particular email by the sender’s email provider to identify the message. This distinct ID can be used to track the specific email on the originating mail server, which holds the email log information.

MIME-Version: It displays the Multipurpose Internet Mail Extensions (MIME) version of the message format, which plays a significant role in the examination of emails; various pieces of information and evidence can be extracted from it for further investigation. In this case, the MIME version of the mail is 1.0.

Content-Type: It displays the Content-Type, one of the MIME header fields. It describes multiple aspects of the body of the message, including signatures.

X-Mailer: It displays the X-Mailer header, which identifies the software that handled the email on the client (sender’s) side. Information about the sender’s client PC can then be used by investigating officers to devise an effective plan to reach the culprit.

Step 3: Correlating Collected Information

Once the scattered data have been obtained during Gmail email forensic analysis, the collected information can be correlated to make it useful for the forensic study of the Gmail artifact. Correlating the gathered information is an important step that forms the basis of an email forensics study, because the gathered Gmail email header information yields the documents and citations the case relies on. Collection is the first step in the investigation process, but correlation is equally necessary: the records obtained, such as date, subject, recipient, sender, IP address, etc., should be interrelated, because without such correlation accurate information cannot be attained.
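As an added example (not MailXaminer’s code and not part of the original article), the following Python script applies Steps 1 to 3 to a “Show original” header block: it parses the fields described above, orders the Received hops chronologically (each server prepends its own line, so the header order has to be reversed), and correlates Return-Path, From, Message-ID, Received-SPF and the timestamps into a small report. The header block, host names, IP address and IDs are all constructed placeholders.

```python
"""Extract and correlate Gmail-style internet header fields (Steps 1-3).

Added example for this article; the header block below is constructed and
every host name, IP address and ID in it is a placeholder.
"""
import re
from email import message_from_string, policy
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample of what Gmail's "Show original" displays (not a real message).
SAMPLE_HEADERS = """\
Delivered-To: recipient@example.com
Received: by 2002:a05:6000:1234:0:0:0:0 with SMTP id abc123;
        Wed, 20 May 2020 03:15:12 -0700 (PDT)
X-Received: by 2002:a17:90a:4321:: with SMTP id xyz789;
        Wed, 20 May 2020 03:15:11 -0700 (PDT)
Return-Path: <bounce@sender-relay.example.net>
Received: from mail.sender-relay.example.net (mail.sender-relay.example.net. [203.0.113.45])
        by mx.example.com with ESMTPS id q7si12345
        for <recipient@example.com>;
        Wed, 20 May 2020 03:15:11 -0700 (PDT)
Received-SPF: pass (example.com: domain of bounce@sender-relay.example.net designates 203.0.113.45 as permitted sender) client-ip=203.0.113.45;
From: "Accounts Team" <billing@example.org>
To: recipient@example.com
Subject: Invoice 4471
Date: Wed, 20 May 2020 10:14:58 +0000
Message-ID: <20200520101458.7f3a@mail.sender-relay.example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
X-Mailer: ExampleMailer 2.3

"""

RECEIVED_PATTERNS = {
    "from": re.compile(r"\bfrom\s+(\S+)"),
    "ip": re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f.:]+)\]"),
    "by": re.compile(r"\bby\s+(\S+)"),
}


def parse_headers(raw):
    """Step 1: parse the raw header block into a message object."""
    return message_from_string(raw, policy=policy.default)


def received_chain(msg):
    """Step 2: return the Received hops oldest first.

    Every mail server prepends its own Received line, so the header order
    (newest on top) is reversed to get the path from sender to recipient.
    """
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())          # collapse header folding
        hop = {}
        for key, pattern in RECEIVED_PATTERNS.items():
            match = pattern.search(text)
            hop[key] = match.group(1) if match else None
        # the timestamp follows the last ';' of a Received line
        hop["time"] = parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())
        hops.append(hop)
    return hops


def _domain(address):
    """Domain part of an address or Message-ID, lower-cased."""
    return address.rpartition("@")[2].lower()


def correlate(msg):
    """Step 3: relate the individual fields to each other into leads.

    A mismatch is a lead to examine (legitimate bulk mailers trigger some of
    these too), not proof of spoofing on its own.
    """
    hops = received_chain(msg)
    return_path = _domain(parseaddr(str(msg.get("Return-Path", "")))[1])
    from_domain = _domain(parseaddr(str(msg.get("From", "")))[1])
    message_id = _domain(str(msg.get("Message-ID", "")).strip("<> "))
    spf_words = str(msg.get("Received-SPF", "")).split(None, 1)
    origin = next((h for h in hops if h["ip"]), None)   # first hop carrying a literal IP
    sent = parsedate_to_datetime(str(msg["Date"])) if msg["Date"] else None
    return {
        "origin_ip": origin["ip"] if origin else None,
        "origin_host": origin["from"] if origin else None,
        "hops": len(hops),
        "spf": spf_words[0].lower() if spf_words else None,
        "return_path_domain": return_path,
        "from_domain": from_domain,
        "message_id_domain": message_id,
        # envelope sender (Return-Path) versus the From header the recipient sees
        "envelope_vs_from_mismatch": return_path != from_domain,
        # the Message-ID is normally minted by the server that accepted the mail
        "message_id_matches_return_path": message_id == return_path
        or message_id.endswith("." + return_path),
        # sender's clock (Date) against the first receiving server's clock
        "seconds_to_first_hop": int((hops[0]["time"] - sent).total_seconds())
        if hops and sent else None,
        "x_mailer": str(msg.get("X-Mailer", "")) or None,
    }


if __name__ == "__main__":
    for key, value in correlate(parse_headers(SAMPLE_HEADERS)).items():
        print(f"{key:32} {value}")
```

On the constructed sample the report shows the envelope domain (sender-relay.example.net) differing from the From domain (example.org) while the Message-ID and SPF agree with the envelope, and a 13-second gap between the sender’s Date and the first receiving server: exactly the kind of interrelated facts Step 3 asks the examiner to weigh together rather than in isolation.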

A Professional Solution to Perform Gmail Email Forensics Analysis

MailXaminer is a trustworthy and reliable email forensic tool for easily analyzing Gmail email data during a digital forensic investigation. It is 100% error-free software that can be installed instantly on the system for email analysis. The software provides various options to perform the forensic analysis of Gmail artefacts in an efficient manner.

Forensics Detection of Gmail Email Evidence Through Different Views

MailXaminer offers forensic analysis of Gmail artefacts in different preview modes: Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF and Attachments. Each view offers different information about the email message, and together they help forensic experts find and extract hidden information from the Gmail data.

  • Mail: This view shows the email message together with its common header data, such as Path, From, To, Cc, Bcc, Subject and Attachment. This Gmail email forensics view presents the information from the user’s perspective.
  • Hex: This view helps the digital forensic expert examine the email data as hexadecimal values. It provides the offset, hex code and text value of the email data. Mapping characters to their hex codes helps identify whether anyone has tried to change the content of the Gmail message.
  • Properties: It provides a short view of the Gmail information, such as body details, dates, message flags, recipients, represented sender, sender details, subject and additional information. This helps investigating officers obtain summarized data to speed up the email analysis process.
  • MIME: This view provides the inner details of the email message, including textual and non-textual attachments and header information.
  • Email Hop: It helps analyze the path of the email message. It shows information such as the routers, gateways and switches through which the email data has passed, which helps to clearly understand the path between the email’s source and destination.
  • Message Header: This view provides header-related information about the email data, such as sender and receiver addresses, Message-ID, Feedback-ID, MIME-Version, Content-Type, Cc, Bcc, etc.
  • HTML: This provides the HTML source view of the email data. It helps the investigating officer examine the Gmail email as different browsers would render it, and helps identify whether any changes have been made to the data.
  • RTF: This view helps analyze the font and formatting of the email evidence, if available within the email. It helps recover the email evidence by comparing it with the original email.
  • Attachment: This view lists the attachments available within the respective email message and allows previewing and analyzing each attachment in detail.
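The attachment metadata described earlier and the Attachment and Hex views above come down to the same examiner’s routine: enumerate every MIME part that is an attachment, record its declared name and type, its real size and a hash, and check that the file’s leading bytes agree with the declared Content-Type. The following Python script, added here as an example (it is not MailXaminer’s code or the article’s own), does that over a sample message constructed inline; the addresses, file names and the magic-number table are assumptions for the illustration.

```python
"""List the attachments of a MIME message with the facts an examiner records
for each one: declared name and type, real size, a SHA-256 hash, and whether
the file's leading bytes agree with the declared Content-Type.

Added example for this article; the sample message is constructed inline.
"""
import hashlib
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes ("magic numbers") of a few common formats; only these are recognised here.
MAGIC_NUMBERS = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
    b"PK\x03\x04": "application/zip",
}


def sniff_type(data):
    """Return the MIME type implied by the leading bytes, or None if unknown."""
    for magic, mime in MAGIC_NUMBERS.items():
        if data.startswith(magic):
            return mime
    return None


def sha256_hex(data):
    """Hash recorded for each attachment so it can be matched again later."""
    return hashlib.sha256(data).hexdigest()


def attachment_report(raw_message):
    """Walk the MIME tree of a raw message and describe each attachment."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    rows = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""   # undo base64 / quoted-printable
        declared = part.get_content_type()
        sniffed = sniff_type(payload)
        rows.append({
            "filename": part.get_filename(),
            "declared_type": declared,
            "sniffed_type": sniffed,
            "size": len(payload),
            "sha256": sha256_hex(payload),
            # a label that disagrees with the content is worth a closer look in the Hex view
            "type_mismatch": sniffed is not None and sniffed != declared,
        })
    return rows


def build_sample_message():
    """Constructed sample: a genuine text note plus an 'image' whose bytes are a ZIP header."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "recipient@example.com"
    msg["Subject"] = "Photos"
    msg.set_content("See attached.")
    msg.add_attachment("meeting notes\n", filename="notes.txt")
    zip_bytes = b"PK\x03\x04" + b"\x00" * 26          # ZIP local-file header, labelled as a PNG
    msg.add_attachment(zip_bytes, maintype="image", subtype="png", filename="holiday.png")
    return msg.as_bytes()


if __name__ == "__main__":
    for row in attachment_report(build_sample_message()):
        print(row)
```

The second row of the report flags `holiday.png`: it is declared as `image/png` but its bytes start with a ZIP signature, which is the kind of discrepancy the Hex view is used to confirm by eye.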

Multiple Keyword-Search Options for Forensic Gmail Artefact Analysis

The software facilitates an amazing search option that helps investigating officers instantly fetch results from bulk Gmail emails.

This includes General Search, Proximity Search, Regular Expression, Stem Search, Fuzzy Search and Wildcard Search. With any of these search operations, one can also make use of the logical operators AND, OR and NOT.

Find the User’s Relation Using Analytics Functionality

Using the analytics feature, one can track the frequency of words or emails exchanged between email users, which helps investigating officers efficiently find the relationships between users. The options under Analytics include Word Cloud, Timeline Analysis, Link Analysis and Entity Analysis.

  • Link Analysis: It enables the investigating officer to detect relationships between Gmail email users. It shows the connections between particular users for the specified keywords.
  • Timeline Analysis: This helps in the forensic analysis of emails by finding the relation between users and the frequency of emails over time. It presents the result by year, month and date with a graphical representation.
  • Word Cloud: It renders a pictorial representation of the frequency of words in a particular email message by size: a small word denotes a low frequency, whereas a larger word denotes a higher frequency.
  • Entity Analysis: It provides the frequency of location-oriented words such as country, state, place, etc. within the email message.

Advanced Geolocation Image Mapping Option

The MailXaminer tool provides geolocation image mapping to locate the exact place where an image was taken. It extracts the longitude, latitude and altitude values from an image that contains a GeoTag and automatically shows the location.
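The GeoTag mentioned above is the GPS directory of the image’s EXIF data: latitude and longitude are stored as degrees, minutes and seconds rationals with a hemisphere reference, and altitude as a rational with a sea-level reference. The Python script below, added as an example (not MailXaminer’s code), reads that directory from a TIFF-structured EXIF blob and converts the values to signed decimal degrees; the input it parses is constructed inline and carries no picture, only the GPS tags, and the coordinates in it are made-up values.

```python
"""Read the GPS tags of an image's EXIF data and convert them to decimal degrees.

Added example for this article; the TIFF-structured blob used as input is
constructed below and carries no picture, only a GPS IFD.  EXIF inside a JPEG
is exactly such a TIFF structure (the bytes after the Exif marker).
"""
import struct
from fractions import Fraction

GPS_IFD_POINTER = 0x8825                     # IFD0 tag pointing at the GPS IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004
GPS_ALT_REF, GPS_ALT = 0x0005, 0x0006
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}   # BYTE, ASCII, SHORT, LONG, RATIONAL


def read_ifd(data, offset, endian):
    """Decode one image file directory into {tag: value}."""
    count, = struct.unpack_from(endian + "H", data, offset)
    entries = {}
    for i in range(count):
        entry = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(endian + "HHI", data, entry)
        size = TYPE_SIZE[typ] * n
        # a value that fits in 4 bytes is stored inline, otherwise the field holds an offset
        pos = entry + 8 if size <= 4 else struct.unpack_from(endian + "I", data, entry + 8)[0]
        if typ == 2:                                             # ASCII, NUL terminated
            entries[tag] = data[pos:pos + n].rstrip(b"\x00").decode("ascii")
        elif typ == 5:                                           # RATIONAL: (numerator, denominator)
            raw = struct.unpack_from(endian + "II" * n, data, pos)
            entries[tag] = [(raw[2 * k], raw[2 * k + 1]) for k in range(n)]
        else:                                                    # BYTE / SHORT / LONG
            raw = struct.unpack_from(endian + {1: "B", 3: "H", 4: "I"}[typ] * n, data, pos)
            entries[tag] = raw[0] if n == 1 else list(raw)
    return entries


def dms_to_decimal(dms, ref):
    """Degrees, minutes, seconds rationals -> signed decimal degrees (S and W negative)."""
    degrees, minutes, seconds = (Fraction(num, den) for num, den in dms)
    value = degrees + minutes / 60 + seconds / 3600
    return float(-value if ref in ("S", "W") else value)


def extract_gps(data):
    """Return latitude/longitude (and altitude if present), or None when there is no GeoTag."""
    endian = "<" if data[:2] == b"II" else ">"
    ifd0_offset, = struct.unpack_from(endian + "I", data, 4)
    ifd0 = read_ifd(data, ifd0_offset, endian)
    if GPS_IFD_POINTER not in ifd0:
        return None
    gps = read_ifd(data, ifd0[GPS_IFD_POINTER], endian)
    if GPS_LAT not in gps or GPS_LON not in gps:
        return None
    result = {
        "latitude": dms_to_decimal(gps[GPS_LAT], gps.get(GPS_LAT_REF, "N")),
        "longitude": dms_to_decimal(gps[GPS_LON], gps.get(GPS_LON_REF, "E")),
    }
    if GPS_ALT in gps:
        num, den = gps[GPS_ALT][0]
        altitude = Fraction(num, den)
        # GPSAltitudeRef 1 means below sea level
        result["altitude"] = float(-altitude if gps.get(GPS_ALT_REF, 0) == 1 else altitude)
    return result


def build_sample_exif():
    """Constructed little-endian TIFF: header, IFD0 with one entry, GPS IFD with six entries, rationals."""
    e = "<"
    gps_ifd_offset = 8 + 2 + 12 + 4                  # header + IFD0 (1 entry + next-IFD link) = 26
    data_offset = gps_ifd_offset + 2 + 6 * 12 + 4    # + GPS IFD (6 entries + link) = 104
    lat = [(51, 1), (30, 1), (0, 1)]                 # 51 deg 30' 00" N (made-up position)
    lon = [(0, 1), (7, 1), (30, 1)]                  # 0 deg 07' 30" W
    alt = [(23, 2)]                                  # 11.5 m above sea level
    rationals = b"".join(struct.pack(e + "II", n, d) for n, d in lat + lon + alt)

    def entry(tag, typ, n, value):
        return struct.pack(e + "HHI", tag, typ, n) + value.ljust(4, b"\x00")

    ifd0 = (struct.pack(e + "H", 1)
            + entry(GPS_IFD_POINTER, 4, 1, struct.pack(e + "I", gps_ifd_offset))
            + struct.pack(e + "I", 0))
    gps_ifd = (struct.pack(e + "H", 6)
               + entry(GPS_LAT_REF, 2, 2, b"N\x00")
               + entry(GPS_LAT, 5, 3, struct.pack(e + "I", data_offset))
               + entry(GPS_LON_REF, 2, 2, b"W\x00")
               + entry(GPS_LON, 5, 3, struct.pack(e + "I", data_offset + 24))
               + entry(GPS_ALT_REF, 1, 1, b"\x00")
               + entry(GPS_ALT, 5, 1, struct.pack(e + "I", data_offset + 48))
               + struct.pack(e + "I", 0))
    return b"II*\x00" + struct.pack(e + "I", 8) + ifd0 + gps_ifd + rationals


if __name__ == "__main__":
    print(extract_gps(build_sample_exif()))
```

The rationals are combined with `Fraction` rather than floats so that a coordinate such as 0° 7′ 30″ comes out as exactly 0.125 and the hemisphere sign is applied once, after the conversion.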

Concluding Thoughts

This blog elaborates on the different procedures used to perform Gmail email forensic analysis. However, to navigate the evidence smartly and make it admissible in a court of law, it is suggested to opt for third-party software. For that, MailXaminer is the best solution, allowing in-depth email analysis while maintaining high standards of forensic integrity.