The overall investigation of Hotmail mailbox components for hidden evidence is referred to as Hotmail forensics analysis. One of the most important elements that helps investigators in cyber findings is the email header information. Beyond the headers, analyzing server logs and identifying the application through which the email was sent are tactics that play a vital role in the forensic investigation of Hotmail email. A Hotmail email analyzer will help to
Analyze Hotmail Emails from Forensics Viewpoint
In this section, the parameters associated with Hotmail email analysis and investigation are discussed. Since
From the header information, investigators may be able to identify the IP address from which the message entered the mail system, which can then be used to work toward the sender's details. In some cases the sender uses masking, relaying or spoofing techniques to hide accurate information.
Email headers fall into two main sections:
Envelope header: In Hotmail forensics this part is the more important one, because the trace information written by the mail servers that relay the message is harder to spoof than anything the sender typed. This section contains the Message-ID, the sender's mail server information and the X-Message-Info fields.
Message header: The fields in this section are generally set by the sender's email client and can be spoofed easily. It contains fields such as To, From, Subject, Return-Path and Content-Type. (Return-Path is written by the receiving server from the SMTP envelope sender, but the envelope sender itself is under the sender's control, so it is no more trustworthy than From.)
In Hotmail, now known as Outlook.com, the email header can be accessed through the following procedure:
This opens the message source page, which looks like the following image.
Note: Because the text is lengthy, the header section has been copied into Notepad for clarity.
The information in this section is not standard header content, since it is not needed for the delivery of the message. How these details help an investigation depends on the techniques adopted by the authorities; this section may reveal information about the sender's ISP.
This header information is normally configured by the user in the email client and may or may not be fully reliable. But from the
In the source, the 'Received' header appears three times. Investigators read these lines from bottom to top: each server that relays the message prepends its own Received line, so the chain shows the path the message traversed.
The bottom-most 'Received' line is therefore examined first. It records the sending computer (or the first server that accepted the message) with its IP address, along with the sender's mail server. That IP address is then looked up (reverse DNS, WHOIS, geolocation) to estimate the sender's location, bearing in mind that it may belong to a webmail server or proxy rather than the sender's own machine.
Note: The date and time in each Received line is written from the receiving mail server's clock and need not correspond to when the sender actually submitted the message.
This part of the header shows that the message is MIME (Multipurpose Internet Mail Extensions) formatted. MIME was originally defined in RFC 1341 and is now specified by RFC 2045 through RFC 2049. IANA (Internet Assigned Numbers Authority) acts as the registry for MIME media types and related values.
DKIM (DomainKeys Identified Mail) is a technique for validating the authenticity of a message and detecting spoofing. A valid DKIM signature shows that the signing domain vouches for the message and that the signed headers and body were not altered in transit. It does not by itself prove that the message is not spam, since a spammer can sign mail from a domain it controls; what it establishes is which domain takes responsibility for the message.
Like 'X-OriginalArrivalTime', this field is an 'X-header', that is, a nonstandard header. It may nevertheless reveal information about the Internet Service Provider (ISP), so investigators do not take this section lightly during a Hotmail email forensics investigation and
SPF (Sender Policy Framework) lets a domain publish, in DNS, which mail servers are authorized to send messages on its behalf; the receiving server checks the connecting server's IP address against that list. The result is recorded in the Authentication-Results header and can be 'pass', 'fail', 'softfail', 'neutral', 'none', 'temperror' or 'permerror'. For a message delivered to the recipient, a successful check reads as:
A result of 'none' means the sending domain publishes no SPF record at all, so nothing could be checked. A result of 'fail' means the connecting server's IP address is not authorized by the domain's SPF record; it says nothing about whether the message was delivered, because the receiving server decides separately whether to reject, quarantine or still accept such a message.
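The two analyses described above, reading the Received chain bottom to top and interpreting the SPF and DKIM results, can be automated against a copied header block. The following is an added example written for this article; it is not code from the page or from any product named on it. The header it parses is constructed for illustration: the hostnames, the IP addresses (taken from the documentation ranges) and the authentication results are made up, and the `Received`/`Authentication-Results` layout follows the usual RFC 5321/7601 shape rather than a real Hotmail message.

```python
"""Walk the Received chain and read Authentication-Results from a raw header.

Added example for this article (not the page's or any product's code). The
sample header is constructed: hosts, IPs and results are made up.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parsedate_to_datetime

# Constructed sample header block: three hops, oldest at the bottom.
SAMPLE_HEADER = """\
Received: from mail-host.example.net (mail-host.example.net [203.0.113.10])
 by receiver.example.org with ESMTP; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.com (relay.example.com [198.51.100.7])
 by mail-host.example.net with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [192.0.2.25] (sender-pc.example.com [192.0.2.25])
 by relay.example.com with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
Authentication-Results: receiver.example.org; spf=pass (sender IP is 203.0.113.10)
 smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Subject: test
Message-ID: <abc123@example.com>

body
"""

IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
AUTH = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.IGNORECASE)

# SPF result semantics (RFC 7208). "fail" is an authorization failure at the
# receiver, not a delivery failure.
SPF_MEANING = {
    "pass": "sending IP is authorized by the domain's SPF record",
    "fail": "sending IP is NOT authorized by the domain's SPF record",
    "softfail": "sending IP is probably not authorized (~all)",
    "neutral": "domain makes no assertion about this IP (?all)",
    "none": "no SPF record published for the domain",
    "temperror": "temporary DNS error while evaluating SPF",
    "permerror": "malformed or unusable SPF record",
}


def received_hops(raw_header):
    """Return the Received lines oldest-first, i.e. read bottom to top."""
    msg = message_from_string(raw_header, policy=default)
    hops = []
    # get_all() returns top-to-bottom; reversing gives chronological order.
    for value in reversed(msg.get_all("Received", [])):
        text = str(value)  # folded continuation lines are already joined
        ip = IPV4.search(text)
        from_host = re.search(r"\bfrom\s+(\S+)", text)
        by_host = re.search(r"\bby\s+(\S+)", text)
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        hops.append({
            "from": from_host.group(1) if from_host else None,
            "ip": ip.group(1) if ip else None,
            "by": by_host.group(1) if by_host else None,
            # Written by the receiving server's clock, not the sender's client.
            "time": parsedate_to_datetime(stamp) if stamp else None,
        })
    return hops


def originating_ip(raw_header):
    """IP recorded in the oldest hop: the best header-level lead on the sender."""
    hops = received_hops(raw_header)
    return hops[0]["ip"] if hops else None


def transit_seconds(raw_header):
    """Seconds between first and last hop timestamps (server clocks may differ)."""
    hops = received_hops(raw_header)
    if len(hops) < 2 or not hops[0]["time"] or not hops[-1]["time"]:
        return None
    return (hops[-1]["time"] - hops[0]["time"]).total_seconds()


def auth_results(raw_header):
    """Map mechanism -> result (spf/dkim/dmarc) from Authentication-Results."""
    msg = message_from_string(raw_header, policy=default)
    results = {}
    for value in msg.get_all("Authentication-Results", []):
        for mech, result in AUTH.findall(str(value)):
            results[mech.lower()] = result.lower()
    return results


def spf_meaning(raw_header):
    """Plain-language reading of the SPF result, or None if none was recorded."""
    result = auth_results(raw_header).get("spf")
    return SPF_MEANING.get(result) if result else None


if __name__ == "__main__":
    for n, hop in enumerate(received_hops(SAMPLE_HEADER), 1):
        print(f"hop {n}: {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']}")
    print("originating IP:", originating_ip(SAMPLE_HEADER))
    print("transit:", transit_seconds(SAMPLE_HEADER), "s")
    print("auth:", auth_results(SAMPLE_HEADER), "|", spf_meaning(SAMPLE_HEADER))
```

The oldest hop yields the candidate originating address; on a real message that address is often a webmail front end or a relay rather than the sender's own machine, which is why the resolved IP must be checked against the server names in the same chain before it is treated as the sender's location. The Authentication-Results line is trusted only when the authserv-id at its start belongs to the receiving mail system, since a sender can insert a forged one.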
This refers to the detailed analysis of the server logs as well as of the delivered messages. The emails purged from senders or recipients e
The logs can then be analyzed to trace the original address of the sending computer. The limitation is that servers retain copies of mail logs and messages only for a set period, which can prove an obstacle to investigators during Hotmail forensics.
A Hotmail message may contain information about its sender that can be recovered from the Sent folder, from attached documents or from other enclosed attachments. This information may be stored in custom header fields or as MIME content in TNEF (Transport Neutral Encapsulation Format) attachments.
Forensic analysis of Hotmail mailboxes may yield vital details about the sender, such as the Windows login username and IP address of the client machine used to send the message.
MailXaminer is a dependable forensic Hotmail email analyzer which
Add Hotmail email data through the Add Evidence option of the tool for
The Hotmail email analyzer software lists the email data folder-wise, either selectively or recursively. It displays information such as Tag, Subject, From, To, Sent and Received date, MD5, SHA1 and Unread status. This view of the data helps to obtain brief details of an
The tool allows examining the Hotmail email data in different views: Mail, Hex, Properties, Message Header, MIME, Email Hop, HTML, RTF and Attachments. Each of the
Email Hop: It will help to find and