Hotmail Forensics – An Overview

MailXaminer | December 15th, 2014 | Forensics

Overall Investigation of Hotmail mailbox components for analyzing hidden evidences is referred to as Hotmail Forensics Analysis. One of the most important elements that help investigators in cyber findings is “Email Header”. Apart from this analyzing Server logs, the application via which the email has been sent etc. are some of the tactics that plays a vital role in forensic investigation of Hotmail email view.

Analyze Hotmail Emails from Forensics Viewpoint

In this section, parameters associated with Hotmail email analysis and investigation have been discussed. Since hotmail email forensics is a vast arena, some of the majorly used techniques have been elaborated to understand its widespread properties.

Analyzing Hotmail Email Header

From Email Header, the investigation authorities may be able to identify the IP address that can further be used to determine sender’s details. In some cases, masking, redirecting and spoofing techniques are used by the sender to prevent its accurate information.

Email headers are categorized into two main sections, they are:

Envelop Header: This is comparatively more important as it is difficult to spoof the information that comes under this section. This information contains Sender’s Mail Server information, Message-ID as well as X-Message Info fields.

Message Header: The information comprised under this section is generally user-defined and can be spoofed easily. This section contains fields such as To, From, Subject, Return-Path, Content-Type, etc.

In Hotmail, now known as, the email header forensics can be accessed by navigating through the following procedure:

  1. On webpage, login to your Hotmail account and open message list.
  2. Right click the message and then select “View Message Source” option.

This will navigate to the source code page of the email message which will look like the following image.


Note: Due to the lengthy text, the code from header section has been copied in the Notepad for clarity purpose.

  • X-Original Arrival Time:

The information mentioned under this section is not considered standard header content as it may not be important for delivery of email messages. How these details helps in investigation, depends upon various techniques adopted by the authorities. This section might reveal the information about Provider ISP.

  • Return- Path:

This information is normally configured by user itself in the email client and may or may not be fully reliable. But from forensics point of view, it is important to investigate all possible information as it might help identifying hidden evidences in a way or other.

  • Received:

In the source code, it can clearly be seen that the ‘Received’ section has been repeated thrice. Investigators study these parameters from bottom to top to view hotmail emails forensically. It shows the transaction path through which the email message has been traversed.


  • The last ‘Received’ value is considered first in the queue of hotmail forensics analysis. This contains information about the sender computer with IP address as well as the details of the sender’s Mail Server. The provided IP Address is further analyzed to know the location of the sender of the email.

Note: The date and time information mentioned in this section is sent off by the Email Sever and might not consider corresponding to the time when the email is sent by the sender.

  • The second ‘Received’ or the subsequent same field demonstrate information about the path through which the specified email message has been travelled.
  • The first yet the least from investigator’s point of view will show the IP address for the target Server or the recipient.
  • MIME-Version:

This section of the header text shows that the email is MIME (Multi-Purpose Internet Mail Extensions) formatted. It ensures that the sent email message is compliant to RFC 1341 standard formatting. MIME displays a registration policy that uses IANA (Internet Assigned Numbers Authority) as a registry for all associated standards and values.

  • DKIM-Signature: DomainKeys Identified Mail

It is a technique to validate the authenticity of any email message for detecting email spoofing. If an email is sent off by an organization with DKIM signature assigned on the mail, it denotes that the message is not a SPAM and the signing authority is directly responsible to it.

  • X-Message-Info:

Likewise ‘X-Original Arrival Time’, this field also comes under ‘X-headers’ that falls under the category of nonstandard headers. However, this might explores information about (ISP) Internet Service Provider, so investigators do not take this section lightly and thorough investigation is done considering all associated factors.

  • Authentication-Results: (SPF)

If an email is sent using a domain, it is the responsibility of the SPF (Server Policy Framework) to check if the specified Mail Server is authorized to send email messages to that particular domain. The possible result set could be ‘PASS’, ‘FAIL’ or ‘NONE’. In Hotmail message header section, if the email message is delivered successfully to the recipient, this can be read as:

However, in case, if the domain is not registered under that particular Mail Server, this value may display as ‘NONE’. And if the sender’s Mail Server fails to deliver message to the recipient, the value might return as ‘FAIL’.

Server Investigation

This is referred to as the detailed analysis of Server logs as well as the delivered email messages. The emails purged from senders or recipients specially those that are hard to recover at the same; can be requested from Hotmail Server or Internet Service Provider (ISP) as the replica is stored by them for each delivered email message.

Thereafter, the logs can be analyzed for tracking the original address of the sender computer. Here, the limitation is that the replica for email logs and the messages are maintained by the Server for stipulated period of time and this might proved to be an obstacle for the forensic investigators.

Software Identifiers

The Hotmail may contain information about the sender of the email message and this can be revealed from the sent message(s) folder, the attached documents or the enclosed attachments. This information might have been accumulated in the custom header components or as MIME content in TNEF (Transport Neutral Encapsulation Format).

Forensic Analysis of Hotmail mailboxes may result in gathering vital information and details about the sender. This investigation might reveal the information about Windows’ logon username, IP Address, etc. for the client machine that is been used for sending the email message.


Thorough analysis of all above mentioned components following well defined criteria can help investigators in Hotmail Forensics of emails. However, spoofed email headers; messages sent from remote locations such as airports, libraries, internet cafes; delayed delivery of email messages are some of the issues that investigators must be aware of as they might mislead the officials while investigating evidences.