E-mail forensics investigation: Tools and Techniques
Email has become a key communication channel for many official activities due to the rapid proliferation of internet users across the world. Not only businesses but also individuals use email for important activities such as banking, exchanging official messages, and sharing confidential files. However, this mode of communication has become vulnerable to cyber-attacks. This article focuses on email architecture and existing forensic investigation techniques.
What is E-mail forensics?
E-mail forensics is the analysis of the source and content of an e-mail as evidence in order to identify the actual sender and receiver of a message, the date/time of transmission, a comprehensive record of the e-mail transaction, the sender's purpose, and so on. This work entails investigating metadata, keyword matching, port scanning, and other methods for authorship attribution and identifying e-mail scams. Being a part of digital forensics, it requires digital forensics training and tools for the investigation to proceed smoothly and correctly. To review emails and collect digital evidence, email forensics professionals employ some of the following techniques:
E-mail forensics approaches
1. Header analysis
The main analytical technique is email header analysis, which entails examining the metadata in the email header. Reviewing headers aids in the detection of the vast majority of email-related crimes: the header can be used to detect email spoofing, phishing, spam, scams, and even internal data leaks.
2. E-mail server investigation
To determine the source of an email, email servers are investigated. If an email has been deleted from the client program, whether the sender's or the receiver's, the associated ISP or proxy servers are examined, since they usually keep copies of emails after delivery. Servers also often keep logs that can be checked to determine the device from which the email was sent. It's worth noting that large ISPs often archive HTTP and SMTP (Simple Mail Transfer Protocol) logs. Once a log has been archived, tracing the relevant emails takes considerably more time and effort, since decompression and extraction are needed. As a result, it is important to review the logs as soon as possible, before they are archived.
3. Investigation of network devices
Sometimes, to investigate the source of an email message, the investigator may need to consult the logs kept by network devices such as routers, firewalls, and switches. This is usually a fallback for situations in which the primary evidence is not fully conclusive, for example when the ISP or proxy server does not maintain logs or the ISP is uncooperative.
4. Software embedded analysis
The email program used by the sender to compose the email may embed information about the sender, the attached files or documents, or both, in the message. This information can appear as custom headers or as MIME content, for example in Transport Neutral Encapsulation Format (TNEF).
5. Sender mailer fingerprints
The Received header field can be used to identify the software handling e-mail at the server, and a different set of headers, such as "X-Mailer" or similar, can be used to identify the software handling e-mail on the client device. These headers identify the program and version used by the client to send the e-mail. This knowledge about the sender's client machine can help investigators devise an effective strategy and thus proves very useful.
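As an added example (not code from the original article), the following Python script applies the header-analysis step from section 1 and the mailer-fingerprint step from section 5 to a constructed message: it walks the Received chain in transit order, computes the delay between hops as a consistency check, and reads the X-Mailer value. The hostnames, addresses, IDs and mailer name are placeholders, not data from any real case.

```python
import re
from email import policy
from email.parser import BytesParser
from email.utils import parsedate_to_datetime

# Constructed sample (placeholder hosts, RFC 5737 documentation IPs). Relays
# prepend Received lines, so the top one is the last hop and the bottom the first.
RAW_MESSAGE = b"""Received: from relay.example.net (relay.example.net [192.0.2.10])
\tby mx.example.org with ESMTPS id ABC123;
\tMon, 01 Jan 2024 10:00:05 +0000
Received: from client-pc.example.com (client-pc.example.com [198.51.100.7])
\tby relay.example.net with ESMTP id XYZ789;
\tMon, 01 Jan 2024 10:00:01 +0000
From: Alice <alice@example.com>
To: Bob <bob@example.org>
Date: Mon, 01 Jan 2024 10:00:00 +0000
X-Mailer: ExampleMailer 3.2
Content-Type: text/plain; charset="utf-8"

Please find the report attached.
"""
HOP_RE = re.compile(r"from\s+(?P<src>\S+).*?\bby\s+(?P<dst>\S+)", re.S)

def parse_received_chain(raw):
    """Return hops in transit order (sender side first) with src, dst and time."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = []
    for hdr in msg.get_all("Received", []):
        text = " ".join(str(hdr).split())        # unfold continuation lines
        body, sep, date = text.rpartition(";")   # timestamp follows the last ';'
        if not sep:                              # relay omitted the timestamp
            body, date = text, ""
        m = HOP_RE.search(body)
        when = parsedate_to_datetime(date.strip()) if date.strip() else None
        hops.append({"src": m and m.group("src"), "dst": m and m.group("dst"), "time": when})
    return list(reversed(hops))

def sender_fingerprint(raw):
    """Client software fingerprint from X-Mailer; may be absent or forged."""
    return BytesParser(policy=policy.default).parsebytes(raw).get("X-Mailer")

def hop_delays(hops):
    """Seconds between consecutive hops; negative or huge values hint at clock skew or forged lines."""
    return [int((b["time"] - a["time"]).total_seconds())
            for a, b in zip(hops, hops[1:]) if a["time"] and b["time"]]

if __name__ == "__main__":
    chain = parse_received_chain(RAW_MESSAGE)
    print(chain, hop_delays(chain), sender_fingerprint(RAW_MESSAGE))
```

Because every relay prepends its own Received line, only the hops written by servers you trust are reliable; lines below a trusted relay may have been inserted by the sender, which is why the inter-hop delays are worth checking.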
Email investigation tools
If many suspects are involved and a large number of mailboxes need to be analyzed, email forensic investigation can become difficult. Even though the strategies mentioned above are very useful, they can take a long time to apply correctly. For quick and precise analysis, professionals use enterprise-grade digital forensic tools like E3 EMX and E3 NEMX, developed by Paraben Corporation. These tools provide functions such as multiple email views, advanced keyword search filters, deleted email recovery, and so on. These systems also produce evidence reports and provide case management resources to help you handle several cases at once.