Emails play a crucial role in investigating a cybercrime because they contain relevant evidence. Digital forensic investigators go through every single attribute of an email to find clues to solve the case. Since hackers often manipulate emails, email forensic experts need to check email properties thoroughly to extract vital evidence.
Email properties contain crucial information that helps investigators determine whether the email has been altered in some way. Before examining the properties of an email, it’s essential to understand what information it holds and where to look for it.
Let’s find the answers to the above queries.
Email Properties – A Brief Introduction
Email properties carry important information about the message and the path it traversed before reaching its final destination. This information includes the sender’s and recipient’s names, CC, BCC, Message header ID, Dates received & sent, SPF, DKIM, DMARC info, MD5, SHA1, and SHA256 details.
However, different email clients display the email details differently, and the way to find them also differs. This complexity makes it difficult for forensic examiners to read the email properties of messages.
1. Gmail shows the information related to message ID, From, To, Created on, Subject, SPF, DKIM, and DMARC. To find these details, follow the procedure below:
- Open a particular email >> Click on the vertical three dots >> Press the Show Original option.
- After that, it’ll redirect you to another tab showing the original message information.
2. In the Outlook desktop-based client, you’ll find the message details in the ‘internet header’ section. The steps to find the header are as follows:
- Double-click on the email >> Click on File >> Properties.
3. In Apple Mail, you’ll get the message header information such as Return-path, Original-Recipient, Received From, Message-ID, MIME version, etc. by following the steps below:
- Open a particular email >> Go to View tab >> Click on Message >> Raw Source.
The above examples show how you can view the email properties of different email clients.
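The raw source saved from any of the clients above can also be read with a short script. The following is an added example, not part of the original article or of any tool it mentions: it uses Python’s standard library to pull the header fields, the SPF/DKIM/DMARC verdicts and the MD5/SHA1/SHA256 hashes out of a message. The sample message, its addresses and the helper names are constructed for illustration.

```python
import hashlib
import re
from email import message_from_bytes

# Constructed sample of a saved raw source (documentation-range names and IPs).
RAW = b"\r\n".join([
    b"Return-Path: <alice@example.org>",
    b"Received: from mx.example.net (mx.example.net [203.0.113.7])",
    b"\tby mail.example.com with ESMTPS id abc123; Mon, 03 Jun 2024 10:15:04 +0000",
    b"Received: from laptop.example.org (laptop.example.org [198.51.100.23])",
    b"\tby mx.example.net with ESMTPSA id def456; Mon, 03 Jun 2024 10:15:02 +0000",
    b"Authentication-Results: mail.example.com;",
    b"\tspf=pass smtp.mailfrom=example.org;",
    b"\tdkim=fail header.d=example.org;",
    b"\tdmarc=fail header.from=example.org",
    b"From: Alice <alice@example.org>",
    b"To: Bob <bob@example.com>",
    b"Subject: Invoice",
    b"Date: Mon, 03 Jun 2024 10:15:00 +0000",
    b"Message-ID: <20240603101500.1@example.org>",
    b"", b"Please see the attached invoice.", b"",
])

def _flat(value):
    """Collapse folded header whitespace; keep None for a missing header."""
    return None if value is None else " ".join(str(value).split())

def email_properties(raw: bytes) -> dict:
    # The parser's default policy keeps header text as it was transmitted.
    msg = message_from_bytes(raw)
    props = {h: _flat(msg.get(h)) for h in
             ("From", "To", "Cc", "Subject", "Date", "Message-ID", "Return-Path")}
    # Each relay prepends its Received line; reversing gives origin -> destination.
    props["hops"] = [_flat(r) for r in reversed(msg.get_all("Received") or [])]
    # Simplification: read only the topmost Authentication-Results header,
    # the one added last (normally by the receiving server).
    auth = _flat((msg.get_all("Authentication-Results") or [""])[0])
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth, re.I)
        props[mech] = m.group(1).lower() if m else "absent"
    # Hash the exact bytes as acquired; any later change alters every digest.
    for algo in ("md5", "sha1", "sha256"):
        props[algo] = hashlib.new(algo, raw).hexdigest()
    return props

if __name__ == "__main__":
    for key, value in email_properties(RAW).items():
        print(f"{key}: {value}")
```

Hash the file exactly as it was exported: re-saving or copy-pasting the source through an editor can change line endings and therefore the digests.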
But, unfortunately, these built-in views don’t display all the properties that are essential to carry out an email investigation. That’s why a professional email forensics tool is recommended.
Why Opt For a Professional Solution to Check Email Properties?
When it comes to investigating a case related to cybercrime, every minute detail counts. From sender/receiver info to hash values, everything matters. The hash value is important because it helps in determining data integrity.
Since digging out the email details manually is quite a task, especially the hash values and whether the message is encrypted or not, a dedicated tool becomes very useful.
MailXaminer is able to carve out every detail of the email message that can be helpful for investigating officers. To get a clear picture of what it displays, refer to the below images.
From the above figures, it’s clear that the tool provides all the necessary information that an investigation officer may need to check email properties.
Furthermore, the tool is capable of much more.
Advanced Features of the Well-Engineered Tool
The tried and tested software is not only helpful in investigating and tracking suspicious emails but also useful in various other cases. The tool can examine image content using advanced OCR capabilities.
Secondly, the robust forensic keyword search function has proved helpful in finding evidence in bulk electronic data.
In addition, the tool can track connections between the suspects through Advanced Intelligent Link Analysis.
Apart from reading the email properties of a message and the aforementioned functionalities, there are other benefits of using the tool, such as:
- You’ll be able to search terabytes of data from 20+ different file formats like PST, OST, MBOX, EDB, etc.
- The tool supports 80+ email clients: Gmail, Office 365, iCloud, Rackspace, and Hotmail, to name a few.
- The interface is very simple to work with, so it won’t be an issue if you are not a technically sound person.
- It allows you to perform forensic analysis on Skype data such as calls, chats, etc.
Nowadays, the use of electronic documents (mostly emails) as evidence plays an important part in legal proceedings. Further, checking email properties becomes crucial while investigating a case related to cybercrime. Hence, it seems sensible to use an expert-recommended tool that can look into the details and prove helpful during the entire analysis process.