email forensics/ Srutinizing
e-mails (Investigation Using Emails)
Emails play a very important role in communications
and have emerged as one of the most important applications on internet. They
are a convenient and easy mode for sending messages as well as documents, not
only from computers but also from other electronic gadgets such as mobile
phones and tablets.
The negative side of emails is that adversaries(criminals)
may leak important information about a company through emails.
Hence, the role of emails in digital forensics has
been increased in recent years. In digital forensics, emails are considered as
crucial evidences and Email Header Analysis has become important to collect
evidence during forensic process.
An investigator has the following goals while
performing email forensics −
- To
identify the adversary(criminal)
- To
collect necessary evidences
- To
presenting the findings
- To
build the case
Challenges in Email Forensics
An email forensic investigator may face the following challenges
during the investigation
1. Fake Emails
The biggest challenge in email forensics is the use of fake
e-mails that are created by manipulating and scripting headers etc. In this criminals
also use temporary email which is a service that allows a registered user to
receive email at a temporary address that expires after a certain time period.
2. Spoofing
Another challenge in email forensics is spoofing in which
criminals used to present an email as someone else’s. In this case the machine
will receive both fake as well as original IP address.
3. Anonymous Re-emailing
Here, the Email server strips identifying information from the
email message before forwarding it further. This leads to another big challenge
for email investigations.
Techniques Used in Email Forensic Investigation
Email forensics is the study of source and content of email as
evidence to identify the actual sender and recipient of a message along with
some other information such as date/time of transmission and intention of
sender.
Some of the common techniques which can be used for email forensic
investigation are
Email headers contain essential information, including the
name of the sender and receiver, the path (servers and other devices) through
which the message has traversed, etc. The vital details in email headers
help investigators and forensics experts in the email investigation.
Email servers are investigated to locate the source of an
email. For example, if an email is deleted from a client application, sender’s,
or receiver’s, then related ISP or Proxy servers are scanned as they usually
save copies of emails after delivery. Servers also maintain logs that can be
analyzed to identify the computer’s address from which the email originated.
- Network Device Investigation
In some cases, logs of servers are not available. This can
happen for many reasons, such as when servers are not configured to maintain
logs or when an ISPs refuses to share the log files. In such an event,
investigators can refer to the logs maintained by network devices such as
switches, firewalls, and routers to trace the source of an email message.
- Sender Mailer Fingerprints
X-headers are email headers that are added to
messages along with standard headers, like Subject and To.
The x-originating-IP header can be used to find the original sender, i.e., the
IP address of the sender’s computer.
- Software Embedded Identifiers
Sometimes, the email software used by a sender
can include additional information about the message and attached files in the
email. For example, it can be found in Multipurpose Internet Mail Extensions
(MIME) content as a Transport Neutral Encapsulation Format (TNEF) or custom
header. An in-depth analysis of these sections can reveal vital details related
to the sender, like the MAC address, Windows login username of the sender and
much more.