Email Digital Forensics: Investigation Techniques

Due to the rapid spread of internet use all over the world, email has become a primary communication medium for many official activities. Not only organizations, but also members of the public tend to use emails in their critical business activities such as banking, sharing official messages, and sharing confidential files. However, this communication medium has also become vulnerable to attacks.

This article describes the email architecture and the investigation techniques that forensic investigators currently use.

 
2. Email meta data

Email Architecture

When a user sends an email to a recipient, the email does not travel directly to the recipient’s mail server. Instead it passes through several servers. The MUA (Mail User Agent) is the email ‘program’ used to compose and read email messages at the client end [1].

There are multiple MUAs available, such as Microsoft Outlook, Gmail, and Lotus Notes.

The MTA (Mail Transport Agent) is the server that receives the message sent from the MUA. Once the MTA receives a message it decodes the header information to determine where the message is going, and delivers the message to the corresponding MTA on the receiving machine [1].

Each MTA that receives the message modifies the header by adding its own data. When the last MTA receives the message, it decodes it and passes it to the recipient’s MUA, where the message can be read by the recipient.

Therefore an email header contains information about each server that handled the message, including IP addresses.

 
3. Email forensics

In order to understand the header information, it is necessary to understand the structured set of fields available in the header.

The use of email is based around electronic mailboxes. When an email is sent, the message is routed from server to server, all the way to the recipient's email server. More specifically, the message is sent to the mail server tasked with transporting emails (called the MTA, for Mail Transport Agent) and on to the recipient's MTA. On the Internet, MTAs communicate with one another using the SMTP protocol, and so are logically called SMTP servers, or sometimes outgoing mail servers.

The email architecture and its components are ‘hidden’ from plain sight, but they underpin the ‘plain text’ email that the user sees.

The following are some of the basic field names and descriptions:

 

Email Forensic Investigation Techniques

Email forensics refers to analyzing the source and content of emails as evidence.

Investigation of email-related crimes and incidents involves various approaches. 

Header Analysis

Email header analysis is the primary analytical technique. This involves analyzing metadata in the email headers. It is evident that analyzing headers helps to identify the majority of email-related crimes. Email spoofing, phishing, spam, scams and even internal data leakages can be identified by analyzing the header using specific scientific processes. 

Server Investigation

This involves investigating copies of delivered emails and server logs. Some organizations run internal mail servers and provide each employee with a separate mailbox on them. In this case, the investigation may involve extracting the entire mailbox related to the case together with the server logs.

Network Device Investigation

In some investigations, the investigator requires the logs maintained by network devices such as routers, firewalls and switches to establish the source of an email message. This is often a complex situation in which the primary evidence is not available (for example, when the ISP or proxy does not maintain logs, or the ISP does not cooperate [2]).

Software Embedded Analysis

Some information about the sender of the email, attached files or documents may be included with the message by the email software used by the sender for composing the email [2]. This information may be included in the form of custom headers or in the form of MIME content as a Transport Neutral Encapsulation Format (TNEF) [2].

Sender Mail Fingerprints

The “Received” field contains tracking information added by each mail server that previously handled the message, in reverse order (the most recent server’s entry appears first). The “X-Mailer” or “User-Agent” field helps to identify the email software. Analyzing these fields reveals the software, and the version, used by the sender.
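As an added example for the header analysis and sender fingerprint sections above (this is not code from the original article), the following Python script walks the Received chain of a constructed message in transit order, reads the X-Mailer/User-Agent fingerprint, and flags two anomalies an examiner looks for: a hop whose "from" host does not match the previous hop's "by" host, and timestamps that run backwards. All hostnames, addresses and the client name are made-up sample values.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not a real message): three Received lines, newest
# first, as the last MTA stores them. Hosts and IPs are made-up values.
RAW_MESSAGE = """\
Received: from mx2.example-corp.test (mx2.example-corp.test [203.0.113.20])
 by mailstore.example-corp.test with ESMTP id 1a2b3c;
 Mon, 4 Mar 2024 09:15:12 +0000
Received: from mail.sender.test (mail.sender.test [198.51.100.7])
 by mx2.example-corp.test with ESMTPS id 9z8y7x;
 Mon, 4 Mar 2024 09:15:10 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44])
 by mail.sender.test with ESMTPA id 5f6g7h;
 Mon, 4 Mar 2024 09:14:58 +0000
From: "Accounts" <billing@vendor.test>
X-Mailer: SampleClient 2.3.1

Please see the attached invoice.
"""
# "from <host> (<rdns> [<ip>]) by <host>" as most MTAs write it
RECEIVED_RE = re.compile(r"from\s+(\S+)\s+\((?:\S+\s+)?\[([^\]]+)\]\)\s+by\s+(\S+)")

def trace_hops(raw):
    """Return the Received chain in transit order (originating host first)."""
    hops = []
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        text = " ".join(value.split())  # unfold the header continuation lines
        m = RECEIVED_RE.search(text)
        if m:  # the timestamp follows the last ';' of the field
            hops.append({"from": m.group(1), "ip": m.group(2), "by": m.group(3),
                         "time": parsedate_to_datetime(text.rsplit(";", 1)[-1].strip())})
    return hops

def analyze(raw):
    """Summarize origin IP, sender software and chain anomalies for an examiner."""
    msg, hops = message_from_string(raw), trace_hops(raw)
    anomalies = []
    for prev, cur in zip(hops, hops[1:]):
        if cur["from"] != prev["by"]:  # each hop should be handed on by the previous one
            anomalies.append(f"chain break between {prev['by']} and {cur['from']}")
        if cur["time"] < prev["time"]:  # forged or inserted Received lines often show this
            anomalies.append(f"timestamp goes backwards at {cur['by']}")
    return {"origin_ip": hops[0]["ip"] if hops else None,
            "from_domain": parseaddr(msg.get("From", ""))[1].rpartition("@")[2],
            "software": msg.get("X-Mailer") or msg.get("User-Agent"),
            "anomalies": anomalies}
```

The origin IP reported is only as trustworthy as the first Received line that the examiner's own servers did not write, so the anomaly list matters as much as the IP itself.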

Use of Email Trackers

In some situations, attackers use different techniques and pseudo-locations to generate emails. In such situations it is important to find out the geographical location of the attacker. To get the exact location of the attacker, investigators often use email tracking software embedded in the body of an email. When a recipient opens a message that has an email tracker attached, the investigator is notified of the IP address and geographical location of the recipient. This technique is often used to identify suspects in murder or kidnapping cases where the criminal communicates via email.

Where email trackers are not feasible, other IT digital forensic processes, apps and toolsets may be used.

Volatile Memory Analysis

Recent research has examined the analysis of spoofed mails from volatile memory [3]. Since everything passes through volatile memory, it is often possible to extract email-related evidence, such as header information and metadata, from it.

Attachment Analysis

Many viruses and malware are sent through email attachments. Investigating attachments is crucial in any email-related investigation.

Confidential information leakage is another important area of investigation. Software tools exist to recover email-related data, such as attachments, from computer hard disks. To analyze a suspicious attachment, investigators can upload it to an online sandbox such as VirusTotal [3, 4] to check whether the file is malware.

However, it is important to bear in mind that even if a file passes a check such as VirusTotal’s, this is no guarantee that it is safe. In that case, it is a good idea to investigate the file further in a sandbox environment such as Cuckoo or VMware.
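As an added example for the attachment analysis section (not code from the original article), this Python snippet builds a constructed two-attachment message, extracts each attachment, computes its SHA-256 so it can be looked up in a service such as VirusTotal without uploading the file itself, and compares the declared Content-Type with the file's leading bytes. The MAGIC table and the sample payloads are assumptions constructed for the demonstration.

```python
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Leading bytes of a few common file types, used to compare the declared
# Content-Type with what the attachment bytes actually are (constructed table).
MAGIC = {b"%PDF-": "application/pdf", b"MZ": "application/x-msdownload",
         b"PK\x03\x04": "application/zip", b"\xd0\xcf\x11\xe0": "application/msword"}

def build_sample():
    """Constructed test message: a PDF plus an executable labelled as a PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@vendor.test"
    msg["To"] = "finance@example-corp.test"
    msg["Subject"] = "Invoice 4471"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 sample pdf body", maintype="application",
                       subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(b"MZ\x90\x00 sample exe body", maintype="application",
                       subtype="pdf", filename="invoice_copy.pdf")
    return msg.as_bytes()

def sniff(data):
    """Guess the real type from the first bytes; None if unknown."""
    return next((mime for magic, mime in MAGIC.items() if data.startswith(magic)), None)

def examine_attachments(raw):
    """Per attachment: filename, SHA-256 for reputation lookup, and a type-mismatch flag."""
    msg = message_from_bytes(raw, policy=default)
    report = []
    for part in msg.iter_attachments():
        data = part.get_content()  # decoded bytes for non-text parts
        if isinstance(data, str):
            data = data.encode()
        declared, actual = part.get_content_type(), sniff(data)
        report.append({"filename": part.get_filename(),
                       "sha256": hashlib.sha256(data).hexdigest(),
                       "declared": declared, "actual": actual,
                       "mismatch": actual is not None and actual != declared})
    return report
```

A mismatch between the declared type and the leading bytes is a strong reason to move the file into an isolated sandbox rather than opening it on an analyst workstation.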
