Summary: This blog focuses on the importance of email header to examine emails along with the techniques that help to swiftly analyze Hotmail email headers. The different elements of the email headers to execute the email investigation thoroughly has been well-explained here.
Overview of Hotmail
Windows Live Hotmail, formerly known as Hotmail is a free web-based email application. With the help of an internet connection, one can easily access the emails from any web browser. In the year 2012, the Windows Live Hotmail service was renamed Outlook.com. Outlook.com offers numerous advanced features to its end-users such as unlimited storage for free, Skype connections, social media services like Facebook, Twitter, Google, etc.
Hotmail as a Weapon to Initiate Cybercrime
There has been a rapid increase in the number of email attacks that are carried out by cybercriminals using Hotmail/Outlook.com account. The overall investigation of Hotmail mailbox components for analyzing hidden evidence is referred to as Hotmail Forensics Analysis.
One of the most important elements that help investigators in cyber findings is “Email Header Information”. Additionally, Hotmail email forensics includes analyzing server logs, application through which email has been sent, etc. These are some of the tactics that play a vital role in the forensic investigation of Hotmail application.
So, let’s get started by knowing the best approaches to perform Hotmail forensics!
Analyzing Hotmail Email Header Information
From Hotmail header information, the investigation officers may be able to identify the Hotmail IP address that can further be used to determine the sender’s details. In some cases, masking, redirecting, and spoofing techniques are used by the sender to prevent accurate information.
Email headers are categorized into two main sections, they are:
- Envelop Header: This is comparatively more important in Hotmail forensics as it is difficult to spoof the information that comes under this section. This information contains Hotmail header message-ID, sender’s mail server information as well as X-Message information fields.
- Message Header: The Hotmail email header information comprised under this section is generally user-defined and can be spoofed easily. This section contains fields such as To, From, Subject, Return-Path, Content-Type, etc.
Hotmail, which is now known as Outlook.com, the header information from the emails can be accessed by following the upcoming procedure:
- On the webpage, login to your Hotmail account and open the message list.
- Right-click the message and then select “View Message Source” option.
This will navigate to the source code page of the email message which looks like the following image.
Below mentioned are some of the important attributes of the email header that helps to find potential information while investigating the case.
- Return- Path:
This attribute helps to investigate officers to identify hidden evidence. This element of the Return-Path is similar to the email address of the sender. It provides the address i.e., “Reply to” in the front end for replying.
In the source code, it can be seen clearly that the ‘Received’ section has been repeated thrice. Investigators study these parameters from bottom to top to view them forensically during Hotmail email forensics. It shows the transaction path through which the email message has been traversed.
The last ‘Received’ value is considered first in the queue of Hotmail forensics analysis. This contains information about the sender’s computer with IP address as well as the details of the sender’s Mail Server. The provided Hotmail email header IP Address is further analyzed to know the location of the email sender.
This section of the header text shows that the email is MIME (Multi-Purpose Internet Mail Extensions) formatted. It ensures that the sent email message is compliant with RFC 1341 standard formatting.
- DKIM-Signature: DomainKeys Identified Mail
It is a technique to validate the authenticity of an email message for detecting email spoofing. If an email is sent by an organization with a DKIM signature assigned on the mail. It denotes that the message is not spam and the signing authority is directly responsible for it.
This section helps to find information about (ISP) Internet Service Provider. As a result, investigators do not take this section lightly during Hotmail email forensics investigation and analyze it by considering all associated factors.
- Authentication-Results: (SPF)
If an email is sent using a domain, it is the responsibility of the SPF (Server Policy Framework) to check whether the specified Mail Server is authorized to send email messages. The possible result set could be ‘PASS’, ‘FAIL’ or ‘NONE’. In the Hotmail message header section, if an email message is delivered successfully to the recipient, this can be read as “PASS”.
However, in case, if the domain is not registered under that particular Mail server, the value may display as ‘NONE’. Additionally, if the sender’s Mail server fails to deliver a message to the recipient, the value might return as ‘FAIL’.
Server Investigation in Hotmail Email forensics
This is referred to as the detailed analysis of server logs and the delivered email messages. The emails that are deleted from senders or recipient’s end can be requested from Hotmail Server or Internet Service Provider (ISP). This is because the replica is stored by them for each delivered email message.
Thereafter, the logs can be analyzed by tracking the original address of the sender’s computer. Here, the limitation is that the replica for email logs and the messages are maintained by the server for a stipulated period of time. Because of this, it may create an obstacle for the investigators while performing Hotmail forensics.
Instantly Perform Hotmail Forensics With Email Investigation Tool
With the help of MailXaminer Email Examiner Software, the investigators can easily access and analyze the Hotmail data in a precise way. All you need is the credentials of the suspected Hotmail account in order to thoroughly investigate the emails.
To perform Hotmail email forensics with the help of the tool follow the below-mentioned steps:
Step 1: After the software is launched, click on Add Evidence button >> Web >> Hotmail >> Input the Credentials
Note: It allows to add multiple accounts as bulk through the CSV file, which contains the login credentials. It also provides a date filter option to access the email data from the specified date.
Step 2: The Hotmail email analyzer software displays a list of emails. It displays information such as “Tag, Subject, From, To, Sent & Received date, MD5, SHA1, etc.” This view of the data helps to obtain brief details of an email message without opening it
Step 3: The software also provides the option to precisely preview the emails using 7+ preview options. For that, right-click the email message and choose the Preview option. The different view mode includes Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF
- Mail: It will show the email body message with Subject, Tag, attachment, From & To address in user perspective for the analysis of email message
- Hex: This will help to examine the email data in Hexadecimal value. The character mapping in the hex value will help to identify the changes done in the original data.
- Properties: This view helps the investigator to obtain the summary of email data which provides information such as “Body details, Message flags, Dates, Recipients, Sender details, Subject & Additional information”.
- Message Header View: It enables forensic experts to examine the Hotmail email header information.
Email Hop: It will help to find and analyze the path through which the email has been traversed. It will show the router, gateway, and switches through which email data has passed.
- HTML: It provides the HTML script view of the email message. This view helps the investigator to examine the data through different browsers during Hotmail email forensics.
- RTF: If the email is composed using RTF editor, then the tool lets investigators preview the emails precisely using this view. Moreover, it consists of different encoding types, so this view also helps to know the encoding type of the RTF email.
- Attachments: It will provide the list of attachments available within the email and help to easily preview those attachments.
- Word Cloud: It delivers a pictorial representation of the frequency of words used within the email message.
Step 4: To convert the Hotmail emails, firstly you need to select the Emails >> Right-click >> choose Export option as shown in the below screenshot
Step 5: Under Export Options, investigators can avail of multiple export file types while converting Hotmail emails to the desired format. The various export file formats offered by the tool include EML, HTML, PST, PDF
Step 6: Finally, the exported emails will be saved at the destined location in the chosen file format.
Investigating officer deals with several challenges while performing Hotmail forensics. Now, by understanding the various components of the email header, it becomes easy to identify hidden evidence. This blog has disclosed various techniques to investigate Hotmail emails using the versatile email forensics software. The utility provides full-fledged features that help to swiftly examine the emails in no time.