E-mail forensics investigation: tools and techniques

Posted by Paraben Corporation
May 27, 2021

E-mail has become a key channel for official communication as internet use has spread worldwide. Businesses and individuals alike rely on it for sensitive activities such as banking, exchanging official correspondence and sharing confidential files. That same ubiquity makes it a favoured vehicle for attacks such as spoofing and phishing. This article outlines the structure of an e-mail as it matters to an investigator and the forensic techniques used to examine it.

What is E-mail forensics?

E-mail forensics is the examination of a message's source, transit path and content as evidence, in order to establish who actually sent and received it, when it was transmitted, the complete record of the transaction, and the sender's intent. It draws on metadata analysis, keyword searching and related methods for authorship attribution and for identifying scams. As a branch of digital forensics, it requires digital forensics training and tools for the investigation to be carried out correctly and defensibly. To review e-mail and collect digital evidence from it, examiners use the following approaches:

E-mail forensics approaches

1. Header analysis

Header analysis is the primary technique. Every server that handles a message prepends a Received line, so the header records the path the message took from the submitting client to the final mailbox, together with the claimed sender (From), the envelope sender (Return-Path), the Message-ID and any authentication verdicts (SPF, DKIM, DMARC) that the receiving server recorded. Reading the Received chain from the bottom up, and comparing From against Return-Path and Reply-To, is enough to detect most spoofing, phishing, spam and scam mail, and can also expose internal data leaks. One caveat governs all header work: only the lines added by servers under your control, or by trusted servers downstream of them, are reliable. Everything the sender supplied, including earlier Received lines, can be forged.

2. E-mail server investigation

Mail servers are examined to establish where a message came from. When a message has been deleted from the client, whether the sender's or the recipient's, the servers of the associated ISP or mail provider, or any intermediate relays, may still hold copies or at least transaction logs, since mail servers commonly retain both for some period after delivery. Those logs record which client connected, from which address, and what it submitted, and can therefore tie a message to the device that sent it. Large providers typically archive their HTTP (webmail) and SMTP (Simple Mail Transfer Protocol) logs after a retention window; once a log has been compressed into an archive, locating the relevant entries takes considerably longer because it must first be restored and decompressed. Logs should therefore be requested and reviewed as early as possible, before they are archived or rotated out.
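Reconstructing a message's path from the server's own logs, as an added example that is not part of the original article or of Paraben's tooling. It runs over a constructed Postfix-style log excerpt (the hostnames, queue IDs, addresses and Message-ID are all made up, using reserved documentation addresses and the .example TLD) and shows the two-step lookup an examiner performs when handed a Message-ID from a recovered header: the cleanup daemon's message-id line maps it to the queue ID, and every line bearing that queue ID then yields the connecting client, the envelope sender, each delivery attempt and its status. The client address logged by smtpd should agree with the Received line the same server wrote into the header; a disagreement means that header line was not written by this server.

```python
import re

# Constructed Postfix-style log excerpt (not from a real server). A second
# message (7F8E9D0C1B) is interleaved as noise that the trace must ignore.
SAMPLE_LOG = """\
May 27 10:15:01 mx1 postfix/smtpd[1234]: connect from mailer.bulkmail.example[203.0.113.45]
May 27 10:15:01 mx1 postfix/smtpd[1234]: 3A2B1C4D5E: client=mailer.bulkmail.example[203.0.113.45]
May 27 10:15:01 mx1 postfix/cleanup[1240]: 3A2B1C4D5E: message-id=<20210527101458.abc123@DESKTOP-7Q2>
May 27 10:15:01 mx1 postfix/qmgr[1100]: 3A2B1C4D5E: from=<bounce-8831@bulkmail.example>, size=4821, nrcpt=1 (queue active)
May 27 10:15:02 mx1 postfix/smtpd[1235]: 7F8E9D0C1B: client=mail.partner.example[198.51.100.7]
May 27 10:15:02 mx1 postfix/cleanup[1240]: 7F8E9D0C1B: message-id=<other@partner.example>
May 27 10:15:02 mx1 postfix/lmtp[1300]: 3A2B1C4D5E: to=<cfo@corp.example>, relay=store.corp.example[10.0.0.5]:24, delay=1.1, delays=0.6/0.01/0.02/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok: queued as 11AB22CD)
May 27 10:15:02 mx1 postfix/qmgr[1100]: 3A2B1C4D5E: removed
May 27 10:15:03 mx1 postfix/smtpd[1234]: disconnect from mailer.bulkmail.example[203.0.113.45]
"""

# syslog timestamp, host, "postfix/<daemon>[pid]: <QUEUEID>: <rest>".
# Postfix queue IDs are upper-case hex; connect/disconnect lines carry none.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"postfix/(?P<proc>\w+)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$"
)


def parse_lines(log_text):
    """Yield one record per line that carries a queue ID; other lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def queue_id_for_message_id(log_text, message_id):
    """cleanup logs the Message-ID once per accepted message; map it back to the queue ID."""
    needle = f"message-id={message_id}"
    for rec in parse_lines(log_text):
        if rec["proc"] == "cleanup" and rec["rest"] == needle:
            return rec["qid"]
    return None


def trace_message(log_text, message_id):
    """Reconstruct one message's path through the MTA, starting from its Message-ID."""
    qid = queue_id_for_message_id(log_text, message_id)
    if qid is None:
        return None  # not in this log window: ask for the archived logs
    trace = {"queue_id": qid, "client": None, "client_ip": None, "envelope_from": None,
             "recipients": [], "deliveries": [], "timeline": []}
    for rec in parse_lines(log_text):
        if rec["qid"] != qid:
            continue
        rest = rec["rest"]
        trace["timeline"].append(f'{rec["ts"]} {rec["proc"]}: {rest}')
        # smtpd: the connecting client; compare with the Received line this server wrote
        m = re.match(r"client=(?P<name>[^\[]+)\[(?P<ip>[^\]]+)\]", rest)
        if m:
            trace["client"], trace["client_ip"] = m.group("name"), m.group("ip")
        # qmgr: the envelope sender (MAIL FROM), not the From: header
        m = re.match(r"from=<(?P<addr>[^>]*)>", rest)
        if m:
            trace["envelope_from"] = m.group("addr")
        # smtp/lmtp/local: one line per recipient delivery attempt
        m = re.match(r"to=<(?P<addr>[^>]*)>.*?relay=(?P<relay>\S+),.*?status=(?P<status>\w+)", rest)
        if m:
            trace["recipients"].append(m.group("addr"))
            trace["deliveries"].append({"to": m.group("addr"), "relay": m.group("relay"),
                                        "status": m.group("status")})
    return trace


if __name__ == "__main__":
    t = trace_message(SAMPLE_LOG, "<20210527101458.abc123@DESKTOP-7Q2>")
    print(f'queue {t["queue_id"]} from {t["client"]}[{t["client_ip"]}] '
          f'envelope-from {t["envelope_from"]}')
    for line in t["timeline"]:
        print(" ", line)
```

Real logs are rotated and compressed, so the same functions are run over the decompressed archive for the relevant day; the Message-ID is the stable key across header, cleanup log and any downstream server's logs.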

3. Investigation of network devices

Where the ISP or mail provider keeps no logs, or does not cooperate, the investigator may have to fall back on the logs kept by network devices along the path, such as routers, firewalls and switches. This is usually a secondary source: such logs record connections (addresses, ports and times) rather than message content, so the evidence they yield is often circumstantial and not conclusive on its own.

4. Software-embedded analysis

The client program used to compose a message may embed information about the sender and about any attached files in the message itself, either as custom header fields (typically X- prefixed) or within the MIME body, for example as a Transport Neutral Encapsulation Format (TNEF) attachment (winmail.dat), the proprietary container Microsoft Outlook uses for rich-text messages and their attachments. Examining these artefacts can reveal the software, and sometimes the account or workstation, that produced the message.

5. Sender mailer fingerprints

The Received header fields identify the software that handled the message at each server (each server names its own MTA, and often its version, in the Received line it adds), while a separate set of header fields, such as X-Mailer or User-Agent, identify the client software on the sender's device, down to product and version. Together these fingerprint the sender's environment, which helps the investigator devise an effective strategy, for instance by knowing which client artefacts to look for on a seized machine. Like any sender-supplied header, X-Mailer can be omitted or falsified, so it corroborates other evidence rather than proving anything by itself.
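The header checks from approaches 1, 4 and 5 above, carried out on one message, as an added example that is not part of the original article or of Paraben's tooling. The message is constructed for the purpose (reserved .example domains, a documentation address for the public hop and an RFC 1918 address for the submitting workstation) and the finding texts are this example's own wording. It walks the Received chain oldest-first to recover the originating device and the first public hop, compares the From domain with Return-Path and Reply-To, reads the receiving server's Authentication-Results, and pulls the client fingerprints: X-Mailer, the host in the Message-ID, and a TNEF (winmail.dat) part. Only the Authentication-Results header and the topmost Received line were written by the receiving server in this sample; everything below them came from the sender's side and is treated as claims to be checked, not facts.

```python
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not real mail). Folded headers use leading-space
# continuation lines, which the email parser unfolds for us.
RAW_MESSAGE = b"""\
Return-Path: <bounce-8831@bulkmail.example>
Received: from mailer.bulkmail.example (mailer.bulkmail.example [203.0.113.45])
 by mx1.corp.example (Postfix) with ESMTPS id 3A2B1C4D5E
 for <cfo@corp.example>; Thu, 27 May 2021 10:15:01 +0000 (UTC)
Received: from DESKTOP-7Q2 (unknown [192.168.1.23])
 by mailer.bulkmail.example (Postfix) with ESMTPA id 9F1E2D3C
 for <cfo@corp.example>; Thu, 27 May 2021 10:15:00 +0000 (UTC)
Authentication-Results: mx1.corp.example;
 spf=pass smtp.mailfrom=bulkmail.example; dkim=none;
 dmarc=fail header.from=bank.example
From: "Example Bank Payments" <payments@bank.example>
Reply-To: payments-desk@bank-secure.example
To: cfo@corp.example
Subject: Urgent: wire confirmation
Message-ID: <20210527101458.abc123@DESKTOP-7Q2>
X-Mailer: Microsoft Outlook 16.0
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please confirm the attached wire details today.
--b1
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Disposition: attachment; filename="winmail.dat"
Content-Transfer-Encoding: base64

eJ8+IgAAAAAAAA==
--b1--
"""

# "from <helo> (<rdns> [ip]) by <server>": the part of a Received line the receiving server wrote.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# Explicit RFC 1918/loopback/link-local list instead of ipaddress.is_global, which also
# reports the 203.0.113.0/24 documentation range used in the sample as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)


def parse_received_chain(msg):
    """Hops oldest-first. Received lines are prepended, so the top one is the newest."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        m = RECEIVED_RE.search(str(value))
        ip_m = IP_RE.search(m.group("paren") or "") if m else None
        hops.append({"helo": m.group("helo") if m else None,
                     "ip": ip_m.group(1) if ip_m else None,
                     "by": m.group("by") if m else None})
    return hops


def domain_of(header_value):
    addr = parseaddr(str(header_value))[1] if header_value is not None else ""
    return addr.rpartition("@")[2].lower() or None


def auth_results(msg):
    """Verdicts the receiving server recorded; trust them only if that server is yours."""
    text = str(msg.get("Authentication-Results", ""))
    return {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", text, re.I)}


def has_tnef(msg):
    """Outlook's TNEF container (winmail.dat) is itself a fingerprint of the sending client."""
    return any(part.get_content_type() == "application/ms-tnef"
               or (part.get_filename() or "").lower() == "winmail.dat" for part in msg.walk())


def analyze(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hops = parse_received_chain(msg)
    from_dom, rp_dom, reply_dom = (domain_of(msg[h]) for h in ("From", "Return-Path", "Reply-To"))
    auth = auth_results(msg)
    origin_ip = hops[0]["ip"] if hops else None
    first_public = next((h["ip"] for h in hops if h["ip"] and not is_internal(h["ip"])), None)
    x_mailer = msg.get("X-Mailer")
    findings = []
    if rp_dom and rp_dom != from_dom:
        findings.append(f"envelope sender domain {rp_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    findings += [f"{m} failed according to Authentication-Results"
                 for m in ("spf", "dkim", "dmarc") if auth.get(m) == "fail"]
    if origin_ip and is_internal(origin_ip):  # submitted over SMTP AUTH from inside the sender's network
        findings.append(f"originating address {origin_ip} is internal; first public hop is {first_public}")
    return {"hops": hops, "originating_ip": origin_ip, "first_public_ip": first_public,
            "from_domain": from_dom, "return_path_domain": rp_dom, "reply_to_domain": reply_dom,
            "auth": auth, "x_mailer": str(x_mailer) if x_mailer is not None else None,
            "message_id_host": str(msg.get("Message-ID", "")).rpartition("@")[2].rstrip(">"),
            "tnef_attachment": has_tnef(msg), "findings": findings}


if __name__ == "__main__":
    result = analyze(RAW_MESSAGE)
    for hop in result["hops"]:
        print(f'{hop["helo"]} [{hop["ip"]}] -> {hop["by"]}')
    print("client:", result["x_mailer"], "| Message-ID host:", result["message_id_host"])
    for finding in result["findings"]:
        print("FINDING:", finding)
```

The private originating address is not itself suspicious: it is what a workstation handing mail to its provider over authenticated SMTP looks like. What makes this sample actionable is the combination: a From domain that fails DMARC, an envelope sender at a bulk mailer, a Reply-To at a look-alike domain, and a Message-ID and TNEF part that point at an Outlook workstation named DESKTOP-7Q2, which is what to look for on the sender's side.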

E-mail investigation tools

When many suspects are involved and a large number of mailboxes must be analysed, e-mail forensic investigation becomes difficult. The techniques above are effective, but applying them by hand to every message is slow. For faster and more repeatable work, examiners use enterprise-grade digital forensic tools such as E3 EMX and E3 NEMX, developed by Paraben Corporation. These provide multiple e-mail views, advanced keyword search filters, deleted e-mail recovery and similar functions, and also produce evidence reports and offer case management to handle several cases at once.
