Practical-6
Aim: Collect Email Evidence in Victim PC using various E-Mail Forensic Tools.
Tool-1: DumpIt tool and bulk extractor viewer
To collect email evidence from the victim PC, the first step is to capture the victim's RAM. This can
be done using the DumpIt tool. This utility is used to generate a physical memory dump of
Windows machines. It works with both x86 (32-bit) and x64 (64-bit) machines. The raw memory
dump is generated in the current directory; only a confirmation question is prompted before
starting. Run the Dumpit.exe file and the raw memory dump will be generated and saved to the same
directory. (Download Link: https://down10.software/download-dumpit/download/)
Run Dumpit.exe from the command prompt:
Write 'Y' for processing
The output .RAW file will be as follows:
18012021041
Patel Dhairya 1
2CEIT78PE8_Forensics&CyberLaw Practical-6
Then download bulk extractor viewer
Download Link:
https://bulkextractor.software.informer.com/download/#downloading
Now open bulk extractor viewer and click on Generate Report.
Now select the DumpIt image file, select an output folder for the report and click on
Start bulk_extractor as seen below: Click Tools --> Run Bulk_extractor
Select the image file (.Raw) which was generated using DumpIt. Specify the output directory also.
Now, in order to investigate the e-mail IDs saved on the victim's machine, click on email.txt as seen below:
And also click on email_histogram.txt
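What bulk_extractor does when it produces email.txt and email_histogram.txt is carve e-mail addresses out of the raw image by pattern, record each hit with its byte offset, and count how often every address occurs. The following Python example is added here to show that process on a small constructed buffer; it is not bulk_extractor's own code, and the sample image, the addresses (reserved example.* names) and the function names are assumptions made for the illustration. It also handles addresses stored as UTF-16LE, which is how Windows GUI programs usually keep strings in memory, so a plain ASCII scan alone would miss them.

```python
import re
from collections import Counter

# Constructed stand-in for a raw memory image: e-mail addresses (reserved
# example.* names) scattered between binary noise, one of them stored as
# UTF-16LE the way Windows programs keep strings in RAM.
SAMPLE_IMAGE = (
    b"\x00\x00MZ\x90\x00junk From: alice@example.com \x00\x00"
    b"To: bob@example.org\r\nCc: alice@example.com\r\n\xff\xfe"
    + "carol@example.net".encode("utf-16-le")
    + b"\x00\x00noise alice@example.com\x00"
)

# ASCII address pattern (local-part @ domain . tld)
EMAIL_ASCII = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# Same pattern for UTF-16LE text: every ASCII byte is followed by a NUL byte
EMAIL_UTF16 = re.compile(
    rb"(?:[A-Za-z0-9._%+-]\x00)+@\x00(?:[A-Za-z0-9.-]\x00)+\.\x00(?:[A-Za-z]\x00){2,}"
)


def carve_emails(image: bytes):
    """Return a list of (offset, address) hits, ordered by byte offset."""
    hits = []
    for m in EMAIL_ASCII.finditer(image):
        hits.append((m.start(), m.group().decode("ascii")))
    for m in EMAIL_UTF16.finditer(image):
        hits.append((m.start(), m.group().decode("utf-16-le")))
    hits.sort()
    return hits


def feature_lines(hits):
    """Render hits as 'offset<TAB>address' lines, the layout of a bulk_extractor
    feature file such as email.txt (the context column is omitted here)."""
    return [f"{off}\t{addr}" for off, addr in hits]


def email_histogram(hits):
    """Count occurrences per address, most frequent first, the way
    email_histogram.txt summarises email.txt."""
    counts = Counter(addr.lower() for _, addr in hits)
    return counts.most_common()


if __name__ == "__main__":
    found = carve_emails(SAMPLE_IMAGE)
    print("\n".join(feature_lines(found)))
    for addr, n in email_histogram(found):
        print(f"n={n}\t{addr}")
```

The histogram is what makes the evidence usable: an address that appears dozens of times in a dump is far more likely to belong to the account the victim actually used than one that appears once inside a cached web page.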
Tool-2: eMailTrackerPro
Download eMailTrackerPro from http://www.emailtrackerpro.com/download.html
Tracing an email header:
Step-1: To begin tracing a header, go to the File menu and click the Trace an email... option
as shown in the image above.
Step-2: Get the email header: open Gmail, open any E-mail, click on the three dots and select
'Show original', then click on Copy to clipboard.
The image above has been split into three sections for your understanding.
2) The text box shown above is where you have to paste the email header you want to trace.
3) Once the header has been pasted into the Email headers section, click the Trace button, as
shown in the image above. (Note: open Gmail, open any E-mail, click on the three dots and select
'Show original', then click on Copy to clipboard.)
Next, click on My Trace Report.
When the trace has finished it will look similar to the image above. The email trace
table shows you each hop between yourself and the email origin, giving you IP addresses,
node names and locations. The trace route is also shown on the map with the final location
pinpointed. On the right-hand side, you have the email summary, whois information and
email header. Simply click the heading to view each one separately.
E-Mail Header Analysis using various Methods:
Step-5: Open "https://toolbox.googleapps.com/apps/messageheader/" and paste the Gmail
header (Step-1). Click on 'Analyze the Header above'.
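Both the eMailTrackerPro trace table described above and the Google header analyzer in Step-5 work from the same raw material: the chain of Received: lines in the header, read from the bottom up, because every relay prepends its own line. The Python example below is added here to show that analysis on a constructed header; it is not code from either tool, and the sample header, hostnames (reserved example.* names and documentation IP ranges) and function names are assumptions made for the illustration. It extracts each hop's claimed sending host, the IP the receiving server recorded, the receiving server and the timestamp, and computes the per-hop delay the Google analyzer displays.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample in the form Gmail's "Show original" produces. Hosts and
# addresses use reserved documentation names and ranges (example.*, 192.0.2.0/24,
# 198.51.100.0/24, 203.0.113.0/24), so none of them is a real server.
SAMPLE_HEADER = """\
Delivered-To: victim@example.com
Received: from mx.example.com (mx.example.com. [192.0.2.10])
        by mail.example.com with ESMTPS id abc123
        for <victim@example.com>; Mon, 18 Jan 2021 04:10:41 -0800 (PST)
Received: from relay.example.net (relay.example.net [198.51.100.7])
        by mx.example.com with ESMTP id def456;
        Mon, 18 Jan 2021 04:10:39 -0800 (PST)
Received: from [203.0.113.55] (unknown [203.0.113.55])
        by relay.example.net with ESMTPA id ghi789;
        Mon, 18 Jan 2021 04:09:58 -0800 (PST)
From: Sender <sender@example.net>
To: victim@example.com
Subject: test message
Message-ID: <constructed-id@example.net>

"""

# "from <host> ... by <host>" clause of a Received: line
HOP_RE = re.compile(r"\bfrom\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+)", re.S)
# IPv4 address in square brackets, as recorded by the receiving server
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hops(raw_header):
    """Return the Received: chain as a list of hops in delivery order
    (origin first), each with the claimed sending host, its IP as recorded by
    the receiving server, the receiving server and the timestamp."""
    msg = message_from_string(raw_header)
    received = msg.get_all("Received", [])
    hops = []
    # Every relay prepends its own Received: line, so the header listed last is
    # the one added closest to the sender; reverse to walk from origin to inbox.
    for rec in reversed(received):
        rec = " ".join(rec.split())            # unfold continuation lines
        body, _, date_part = rec.rpartition(";")
        m = HOP_RE.search(body)
        ip = IP_RE.search(body)
        hops.append({
            "from": m.group("from") if m else None,
            "ip": ip.group(1) if ip else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(date_part.strip()),
        })
    # Delay between consecutive hops, as shown by the Google header analyzer.
    for i, hop in enumerate(hops):
        hop["delay_s"] = 0 if i == 0 else int((hop["time"] - hops[i - 1]["time"]).total_seconds())
    return hops


def origin_ip(hops):
    """IP recorded by the first relay, i.e. the address the trace tools map.
    Only hops added by servers you trust are reliable: a sender can insert
    fabricated Received: lines below them, so treat the origin as a lead."""
    return hops[0]["ip"] if hops else None


def trace_table(hops):
    """Rows resembling the e-mail trace table: hop number, from, ip, by, delay."""
    return [f"{i + 1}\t{h['from']}\t{h['ip']}\t{h['by']}\t{h['delay_s']}s"
            for i, h in enumerate(hops)]


if __name__ == "__main__":
    parsed = parse_hops(SAMPLE_HEADER)
    print("origin:", origin_ip(parsed))
    for row in trace_table(parsed):
        print(row)
```

Reading the output the way the trace report does: the first row is the origin (the IP the first relay saw connecting to it), each following row is the next server that accepted the message, and a large jump in the delay column between two rows usually points at queuing or at the place where the message changed networks.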
Recovering Deleted E-Mails using the "RecoverMyEmail" utility.
(Download Link: https://getdata.com/recovermyemail/)