Email is the most necessary communication tool these days to send/receive business mail. Unfortunately, it has also become the primary medium for conducting cyber-attacks. However, the culprit behind those attacks can be easily found by examining the email alone, especially via email header analysis forensics.
In fact, when forensics investigation is involved, the term ‘Email header’ act as a goldmine for the investigators. That’s because it gives them clues and helps trace illegal and unauthorized activities.
Undoubtedly, the email header contains a lot of information, but, most of them are not displayed to the user. Not directly. Yes, you can only see a few components such as From, To, CC, BCC, and Subject fields.
In other words, full email headers are hard to find if you don’t know where to look. So, let’s get familiar with the steps for email header analysis in different email clients.
|S.No||Email Client Headers|
|4||Outlook Web App|
|10|| The Bat!
View Gmail Header
Open a particular email in Gmail. Then, click on three vertical dots and press ‘Show original’ to view all the information in the email header.
View Outlook Header
You can perform Outlook PST file forensics to help investigators obtain sender details and other email related informations. To get email header properties of Microsoft Outlook follow the steps given below:
Copy the header information to Notepad or any other text editor for the easy analysis of the header parameters. Analysis of these data will help the forensic examiners/ Investigators to identify sender email address and locate the sender.
View Apple Mail Header
To start with Apple mail forensics and email header analysis, Click on a specific email on Apple Mail. Then, go to the View tab >> Message >> Raw Source to view the email header information.
View Outlook Web App Email Header
Open an email on Outlook. Then, press More and finally click on View message details.
View Lotus Notes Header
When a user send the message using Lotus Notes the server adds an unique field in the header data. A user cannot see this field through the normal email message view. The Lotus Notes NSF file forensics process help the investigators to identify email spamming, spoofing and the actual rout of the email message. To perform email header forensics of Lotus Notes data, please follow the below process:
Understanding the purpose of each header field carefully will help the help the investigators to identify the evidence during the cyber crime investigation.
Retrieve Thunderbird Mail Header
Since Thunderbird is one of the leading email applications used to share email messages between the users, the chance of email crimes through this platform is also very high. Any manipulation or discrepancy of the email content can be easily identified by the careful email header forensics while performing Thunderbird forensics. Before the analysis, understand how to get email header from the Thunderbird application.
View Entourage Header
Entourage is an open source email client also known as personal information manager commonly used for communicate email messages between the email users. Follow the steps given below to perform Entourage Forensics and examine email headers for extracting the email related informations.
Access Eudora Email Header
Eudora is an open source desktop based email client. The careful study of Eudora email header field helps to access the complete information of the email messages such as sender receiver address, the server that handles the sharing etc. during Eudora email forensics.
View IncrediMail Header
IncrediMail is an advanced email application which provides great feature experience while working with it. It also allows users to work in offline mode with great protection from spam and fraud emails. To get email header data during the forensic analysis of IncrediMail mailbox follow the below process.
Using this method, a user can easily open and examine the IncrediMail header data manually.
View Email Headers of The Bat!
The Bat! is a desktop based email application known for its security, interface customization and filtering capability. Whenever an email communication is take place through The Bat!, the predefined server append unique field to header of the email. By the careful forensic analysis of The Bat! mailbox, you can get all the desired information through forensic email header analysis.
By following the above instructions you will be able to open and view the header information. However, sometimes it becomes difficult to analyze them. Let’s see why.
As you already know that the email header displays only a few components to a user. But, the staggering fact is that those can be easily forged! In cyber security terminology, it’s called Email Spoofing.
In this kind of cyber attack, the hacker manipulates the email header in such a way that the client software displays the fraudulent sender address. As a result, it makes it challenging to distinguish whether the sender's address is genuine or not.
Furthermore, you can’t recognize a fraudulent email address just by looking at the email header. It calls for special equipment, preferably a professional email header analyzer tool, to examine and find out who the actual sender of the email is.
To tackle today’s advanced hackers and the challenges involved in investigating emails, our IT team has come up with an ultimate Email Forensics Tool. It is designed dedicatedly to examine and analyze emails. With the help of the software, you can easily view all the components of the email header (regardless of email client) and analyze it at the same time.
It shows the MIME version, Message ID, Content type, CC, BCC, From, Sender address, etc. in detail. Therefore, tracing the digital footprints of the actual sender of the email becomes easier.
While analyzing an email, there are a lot of challenges that come in the way in various forms. For instance, when an email comes for an investigation, it’s not necessarily in a readable format. It can be encrypted or corrupted or even deleted from an evidence file. And, that’s when the need for the tool arises to better examine and investigate the email.
Also, MailXaminer is not only helpful for analyzing email headers but is also capable of performing other tasks. Such as:
In most cyber-crime scenes, email is considered digital evidence and further handed over to cyber experts for investigation. The first thing investigators look into is email header analysis since it contains a lot of information about the path that the message has traversed.
Though email headers carry crucial data, using a specialized tool is recommended to gather and preserve evidence in the form of reports.