Hotmail Forensics – An Overview

MailXaminer | December 15th, 2014 | Forensics

Overall Investigation of Hotmail mailbox components for analyzing hidden evidence is referred to as Hotmail Forensics Analysis. One of the most important elements that help investigators in cyber findings is “Email Header Information”. Apart from this Hotmail email forensics analyzing Server logs, the application via which email has been sent etc. are some of the tactics that play a vital role in the forensic investigation of Hotmail email view. Hotmail email analyzer will help to analyse message header information and mailbox data effortlessly. In this blog, we are going to see how to perform Hotmail forensic manually and with the help of email analyzer tool.

Analyze Hotmail Emails from Forensics Viewpoint

In this section, parameters associated with Hotmail email analysis and investigation have been discussed. Since hotmail email forensics is a vast arena, some of the majorly used techniques have been elaborated to understand its widespread properties.

Analyzing Hotmail Email HeaderInformation

From Hotmail header information, the investigation authorities may be able to identify the Hotmail IP address that can further be used to determine sender’s details. In some cases, masking, redirecting and spoofing techniques are used by the sender to prevent its accurate information.

Email headers are categorized into two main sections, they are:

Envelop Header: This is comparatively more important in Hotmail forensics as it is difficult to spoof the information that comes under this section. This information contains Hotmail header message-ID, Sender’s Mail Server information as well as X-Message Info fields.

Message Header: This Hotmail email header information comprised under this section is generally user-defined and can be spoofed easily. This section contains fields such as To, From, Subject, Return-Path, Content-Type, etc.

In Hotmail, now known as, Hotmail email header forensics can be accessed by navigating through the following procedure:

  1. On webpage, login to your Hotmail account and open message list.
  2. Right click the message and then select “View Message Source” option.

This will navigate to the source code page of email message which will look like the following image.


Note: Due to the lengthy text, the code from header section has been copied in the Notepad for clarity purpose.

  • X-Original Arrival Time:

The information mentioned under this section is not considered standard header content as it may not be important for delivery of email messages. How these details helps in investigation, depends upon various techniques adopted by the authorities. This section might reveal the information about Provider ISP.

  • Return- Path:

This Hotmail email header information is normally configured by the user itself in the email client and may or may not be fully reliable. But from the forensics point of view, it is important to investigate all possible information as it might help to identify hidden evidence in a way or other.

  • Received:

In the source code, it can clearly be seen that the ‘Received’ section has been repeated thrice. Investigators study these parameters from bottom to top to view forensically during Hotmail email forensics. It shows the transaction path through which email message has been traversed.


The last ‘Received’ value is considered first in the queue of Hotmail forensics analysis. This contains information about the sender computer with IP address as well as the details of the sender’s Mail Server. The provided Hotmail email header IP Address is further analyzed to know the location of the email sender.

Note: The date and time information mentioned in this section is sent off by the Email Sever and might not consider corresponding to the time when the email is sent by the sender.

  • The second ‘Received’ or the subsequent same field demonstrate information about the path through which the specified email message has been traveled.
  • The first yet the least from investigator’s point of view will show the IP address for the target Server or the recipient.
  • MIME-Version:

This section of the header text shows that the email is MIME (Multi-Purpose Internet Mail Extensions) formatted. It ensures that the sent email message is compliant to RFC 1341 standard formatting. MIME displays a registration policy that uses IANA (Internet Assigned Numbers Authority) as a registry for all associated standards and values.

  • DKIM-Signature: DomainKeys Identified Mail

It is a technique to validate the authenticity of any email message for detecting email spoofing. If an email is sent off by an organization with DKIM signature assigned on the mail, it denotes that the message is not a SPAM and the signing authority is directly responsible to it.

  • X-Message-Info:

Likewise ‘X-Original Arrival Time’, this field also comes under ‘X-headers’ that falls under the category of nonstandard headers. However, this might explore information about (ISP) Internet Service Provider, so investigators do not take this section lightly during Hotmail email forensics investigation and analyse by considering all associated factors.

  • Authentication-Results: (SPF)

If an email is sent using a domain, it is the responsibility of the SPF (Server Policy Framework) to check if the specified Mail Server is authorized to send email messages to that particular domain. The possible result set could be ‘PASS’, ‘FAIL’ or ‘NONE’. In Hotmail message header section, if an email message is delivered successfully to the recipient, this can be read as:

However, in case, if the domain is not registered under that particular Mail Server, this value may display as ‘NONE’. And if the sender’s Mail Server fails to deliver message to the recipient, the value might return as ‘FAIL’.

Server Investigation in Hotmail Email forensics

This is referred to as the detailed analysis of Server logs as well as the delivered email messages. The emails purged from senders or recipients especially those that are hard to recover at the same; can be requested from Hotmail Server or Internet Service Provider (ISP) as the replica is stored by them for each delivered email message.

Thereafter, the logs can be analyzed for tracking the original address of the sender computer. Here, the limitation is that the replica for email logs and the messages are maintained by the Server for stipulated period of time and this might proved to be an obstacle for the investigators during Hotmail forensics.

Software Identifiers

The Hotmail may contain information about the sender of the email message and this can be revealed from the sent message(s) folder, the attached documents or the enclosed attachments. This information might have been accumulated in the custom header components or as MIME content in TNEF (Transport Neutral Encapsulation Format).

Forensic Analysis of Hotmail mailboxes may result in gathering vital information and details about the sender. This investigation might reveal the information about Windows’ login username, IP Address, etc. for the client machine that is been used for sending the email message.

Hotmail Forensics With Email Investigation Tool

MailXaminer is a dependable forensic Hotmail email analyzer which help the investigator to access and analyse the Hotmail data directly from the web email client. This feature of the forensic software simplifies the investigation process. To perform Hotmail email forensics with the help of the tool follow the below process.

Add Hotmail email data through Add Evidence option of the tool for analysing the data. Select the Hotmail option from the Web email section and provide “User Name & Password” for direct access to the email data.

Note: It allow to add account as bulk through the CSV file containing Login details of Multiple account. It also providing the date filter access the email data in between the particular date.

The Hotmail email analyzer software allows displaying the list of email data folder ways selectively or recursively. It displays the information such as “Tag, Subject, From, To, Sent & Received date, MD5, SHA1, Unread”. This view of the data helps to obtain brief details of an email message without opening it.

Tool allow examining the Hotmail email data in different ways such as “Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF, Attachments”. Each of the view provides all related information of the Hotmail email data.

Email Hop: It will help to find and analyse the path through which the email traveled. It will shows router, gateway and switches through which email data passed. It also provides the graphical view of email path to easily find out the hop server. Through the email hop view in the Hotmail email analyzer tool, the investigator can easily examine the path through the email data traveled in between the sender and receiver and it help to simplify the process Hotmail email forensics.

  • Message Header View of the MailXaminer help to examine the Hotmail email header information.
  • Mail: It will shows the email body message with Subject, Tag, attachment, From & To address in user perspective for the analysis of email message
  • Hex: This will helps to examine the email data in Hexadecimal value. The character mapping in the hex value will help to identify the changes done on the original data.
  • Properties: This view helps the investiator to obtain the summery of email data which provides the information such as “Body details, Message flags, Dates, Recipients, Sender details, subject & Additional info”
  • HTML: It provides the HTML script view of the email message. This view help the investigator to analyse the data through different browsers during Hotmail email forensics.
  • RTF: This help to examine the font and formatting of email message if it is available within it.
  • Attachments: It will provide the list of attachments available within the email and help to easily preview those attachments.


Thorough the analysis of all above mentioned components following well defined criteria can help investigators in Hotmail email forensics. However, spoofed email headers; messages sent from remote locations such as airports, libraries, internet cafes; delayed delivery of email messages are some of the issues that investigators must be aware of as they might mislead the officials while investigating evidence. With the help of Hotmail email analyzer investigator can easily extract and analyse Hotmail data.