Email header - analyzing email header

Email Header

The email header is a code snippet in an HTML email, that contains information about the sender, recipient, email’s route to get to the inbox and various authentication details. The email header always precedes the email body.

Purpose of email header:

• Providing information about the sender and recipient. An email header tells who sent the email and where it arrived. Some markers indicate this information, like “From:”  sender’s name and email address, “To:” the recipient’s name and email address, and “Date:” the time and date of when the email was sent. All of these are mandatory indicators. Other parts of the email header are optional and differ among email service providers.
• Preventing spam. The information displayed in the email header helps email service providers troubleshoot potential spam issues. ESPs(email Service Providers) analyzes the email header, the “Received:” tag, in particular, to decide whether to deliver an email or not.
• Identifying the email route. When an email is sent from one computer to another, it transfers through the Mail Transfer Agent which automatically “stamps” the email with information about the recipient, time and date in the email header. 

Analyzing an Email Header

To analyze it, you need to find the email header and examine the lines of interest to you. All the code from the beginning, until the <body> tag, represents the header. Here is the list of what you can find in the email header:

Received: lines. They show the address of the computer that received the email, as well as other computer’s addresses that an email may have been transferred through. Unlike other email header elements, Received: lines can’t be forged.

MIME-version. Multipurpose Internet Mail Extensions are an Internet standard that extends the format of email by supporting text and non-text attachments like audio, video, images, message bodies with multiple parts, etc.

Message-ID. The message-ID is a globally unique identifier used in email. Message-IDs have a specific format that is generated for a specific email address and message, thus, no two messages have the same Message-ID.

DKIM Signatures. DomainKeys Identified Mail confirms the sender’s authenticity by connecting the domain name with the email. DKIM is the technology that helps to reduce spam and phishing and allows companies to vouch for their email messages.

Srutinizing e-mails (Investigation Using Emails/email forensics)

email forensics/ Srutinizing e-mails (Investigation Using Emails)

Emails play a very important role in communications and have emerged as one of the most important applications on internet. They are a convenient and easy mode for sending messages as well as documents, not only from computers but also from other electronic gadgets such as mobile phones and tablets.

The negative side of emails is that adversaries(criminals) may leak important information about a company through emails.

Hence, the role of emails in digital forensics has been increased in recent years. In digital forensics, emails are considered as crucial evidences and Email Header Analysis has become important to collect evidence during forensic process.

An investigator has the following goals while performing email forensics −

• To identify the adversary(criminal)
• To collect necessary evidences
• To presenting the findings
• To build the case

Challenges in Email Forensics

An email forensic investigator may face the following challenges during the investigation

1. Fake Emails

The biggest challenge in email forensics is the use of fake e-mails that are created by manipulating and scripting headers etc. In this criminals also use temporary email which is a service that allows a registered user to receive email at a temporary address that expires after a certain time period.

2. Spoofing

Another challenge in email forensics is spoofing in which criminals used to present an email as someone else’s. In this case the machine will receive both fake as well as original IP address.

3. Anonymous Re-emailing

Here, the Email server strips identifying information from the email message before forwarding it further. This leads to another big challenge for email investigations.

Techniques Used in Email Forensic Investigation

Email forensics is the study of source and content of email as evidence to identify the actual sender and recipient of a message along with some other information such as date/time of transmission and intention of sender. 

Some of the common techniques which can be used for email forensic investigation are

• Header Analysis

Email headers contain essential information, including the name of the sender and receiver, the path (servers and other devices) through which the message has traversed, etc. The vital details in email headers help investigators and forensics experts in the email investigation.

• Server investigation

Email servers are investigated to locate the source of an email. For example, if an email is deleted from a client application, sender’s, or receiver’s, then related ISP or Proxy servers are scanned as they usually save copies of emails after delivery. Servers also maintain logs that can be analyzed to identify the computer’s address from which the email originated.

• Network Device Investigation

In some cases, logs of servers are not available. This can happen for many reasons, such as when servers are not configured to maintain logs or when an ISPs refuses to share the log files. In such an event, investigators can refer to the logs maintained by network devices such as switches, firewalls, and routers to trace the source of an email message.

• Sender Mailer Fingerprints

X-headers are email headers that are added to messages along with standard headers, like Subject and To. The x-originating-IP header can be used to find the original sender, i.e., the IP address of the sender’s computer.

• Software Embedded Identifiers

Sometimes, the email software used by a sender can include additional information about the message and attached files in the email. For example, it can be found in Multipurpose Internet Mail Extensions (MIME) content as a Transport Neutral Encapsulation Format (TNEF) or custom header. An in-depth analysis of these sections can reveal vital details related to the sender, like the MAC address, Windows login username of the sender and much more.

 

 

 

HTTP Protocols

HTTP Protocols

HTTP (Hypertext Transfer Protocol) is the underlying communication protocol of World Wide Web. HTTP functions as a request–response protocol in the client–server computing model.

HTTP has four versions — HTTP/0.9, HTTP/1.0, HTTP/1.1, and HTTP/2.0. The common version in use is HTTP/1.1 and the future will be HTTP/2.0.

HTTP/0.9 — The One-line Protocol

• It is initial version of HTTP, a simple client-server, request-response, telenet-friendly protocol
• Request nature is single-line (method + path for requested document)
• Methods supported by this version is GET only
• Response type is hypertext only
• Connection  is terminated immediately after the response
• No HTTP headers (cannot transfer other content type files), No status/error codes, No URLs, No versioning

HTTP/1.0 — Building extensibility

• Browser-friendly protocol
• Provided header fields including rich metadata about both request and response (HTTP version number, status code, content type)
• Response is not limited to hypertext (Content-Type header provided ability to transmit files other than plain HTML files — e.g. scripts, stylesheets, media)
• Methods supported are GET , HEAD , POST
• Connection is terminated immediately after the response

HTTP/1.1 — The standardized protocol

• This is the HTTP version currently in common use.
• Introduced critical performance optimizations and feature enhancements — persistent and pipelined connections, chunked transfers, compression/decompression, content negotiations, virtual hosting (a server with a single IP Address hosting multiple domains), faster response and great bandwidth savings by adding cache support.
• Methods supported are GET , HEAD , POST , PUT , DELETE , TRACE , OPTIONS
• Connection is long-lived

HTTP/2.0

With Upgrade header introduced in HTTP/1.1, it is possible to start a connection using a commonly-used protocol, such as HTTP/1.1, then request that the connection switch to an enhanced protocol type like HTTP/2.0 or WebSockets.

HTTPS

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP. It uses SSL/TLS for secure encrypted communications.

An HTTPS connection can protect the data transfer from the man-in-the-middle attacks and common security threats by providing bidirectional encryption for communications between a client and server.

Although HTTPS is secure by its design, the SSL/TLS handshake process consumes a significant time before establishing an HTTPS connection. It normally costs 1–2 seconds and drastically slows down the startup performance of a website.