Chapter 4 Email Forensics
Email forensics has become part of digital forensics investigation because email is one of the most widely
used means of communication today.
People use email to communicate with their friends, schoolmates, colleagues and many other people.
Hence, a large amount of data and information is transmitted this way.
It is also a serious public concern that many criminals have used email to commit their crimes in recent
years, especially when it comes to cyber security and digital crime.
That being said, we want to understand how email operates so that we can extract evidence of email-related
crimes through email forensics and bring the criminals to justice.
What is Email Forensics?
The process of email forensics, it’s conducted across various aspects of emails, which
mainly includes
• Email messages
• Email addresses (sender and recipient)
• IP addresses
• Date and time
• User information
• Attachments
• Passwords
• Logs (cloud, server and local computer)
How Email Works?
Example: a user writes an email on a digital device, say a phone or a computer, and sends it to the
intended recipient. Although it seems that the user's work is finished, the processing of the email has
only just started; several steps are needed before it is successfully and correctly delivered to the recipient.
When an email is sent, a chain of servers handles the whole message before it can actually arrive in the
recipient's inbox, which is why we have to understand what happens after we click the "send" button.
Email Programs and Protocols:
During the process, three protocols and four kinds of email program are involved.
• Simple Mail Transfer Protocol (SMTP): the standard protocol used to submit and relay (send) email.
• Internet Message Access Protocol (IMAP): one of the standard protocols used by a client to retrieve
email from a server; messages normally stay on the server and are synchronised with the client.
• POP3 (Post Office Protocol 3): the other standard protocol used to retrieve mail; the client typically
downloads messages and may delete them from the server afterwards, which matters when looking for
server-side copies.
• Mail Transfer Agent (MTA): relays and forwards email to other servers using SMTP, e.g. Sendmail, Postfix.
• Mail User Agent (MUA): the mail client with which the user composes, sends and reads mail; it submits
outgoing mail over SMTP and fetches incoming mail over IMAP or POP3, e.g. Outlook, Apple Mail, the
Gmail web client.
• Mail Delivery Agent (MDA): saves the mail accepted by the MTA to local disk, cloud storage or another
designated location, and usually also scans it for spam and viruses, e.g. procmail, maildrop.
• Mail Receive Agent (MRA): implements the IMAP and POP3 protocols and interacts with the MUA, e.g.
Dovecot.
STEP 1: To start, someone creates an email with a Mail User Agent (MUA); typical MUAs include
Gmail, Apple Mail, Mozilla Thunderbird and Microsoft Outlook Express.
STEP 2: Regardless of the MUA used, the message is created and submitted to the user's mail server, its
mail transfer agent (MTA); this submission uses the SMTP protocol.
STEP 3: The MTA then reads the recipient address of the message (here we assume it is you), queries DNS
for the mail exchanger (MX) records of the recipient's domain to find the recipient MTA, and sends the
message to that MTA, again using the SMTP protocol.
At this point the mail has travelled from the remote user's workstation to the mail server of his ISP (Internet
Service Provider) and has been forwarded to your domain.
The mail may be handed to one or more further MTAs during transmission; each MTA takes over the mail
and is responsible for forwarding it, and each one records its handling by prepending a Received header
to the message.
Then the MTA delivers the mail to a mail delivery agent (MDA).
The main function of the MDA is to save the mail to the local disk. Specific MDAs can also be
developed with other functions, such as mail filtering or direct delivery to other file locations. Thus,
it should be noted that it is the MDA that completes the function of storing mail on the server.
STEP 4: Now it is time for you to check your mail.
Running your MUA, you use the IMAP or POP3 protocol to query the mail server for your mail. The
mail server first authenticates you, then retrieves the list of messages from the mail store and returns
it to the MUA.
How to Conduct Email Forensics Investigation?
• Local computer-based emails: email data files stored on the user's computer, such as Outlook .pst or .ost
files, can be acquired and examined directly.
• (Cloud) server-based emails: for email stored on a (cloud) mail server, complete forensic work is not
possible until you obtain electronic copies from the server's database, with the consent of the service
provider or appropriate legal authority.
• Web-based emails: for web-based email (e.g. Gmail) investigations, you are more likely to be limited to
filtering on specific keywords to extract email address-related information, rather than obtaining the
complete email data, compared with local computer-based emails.
Viewing and Analyzing E-mail Headers:
Check the explanations below
• From: The address, and optionally the name, of the message's author
• Sender: Address of the actual sender acting on behalf of the author listed in the From field, when the
two differ
• To: The email address and, optionally, the name of the message's primary recipient(s)
• In-Reply-To: The Message-ID of the message that this is a reply to; used to link related messages
together
• Message-ID: A unique identifier, normally generated automatically by the MUA or the first mail server,
which lets you match the same message across mailboxes and server logs
• Precedence: Commonly with values “bulk,” “junk,” or “list”; used to indicate that automated
“vacation” or “out of office” responses should not be returned for this mail, for example, to prevent
vacation notices from being sent to all other subscribers of a mailing list
• Received: Tracking information added by each mail server that has handled the message; every server
prepends its own line, so the lines read in reverse order (last handler first). Only the lines written by
servers you trust can be relied on, since a sender can forge any lines below them.
• The main piece of information you are looking for is the originating email's domain or IP
address. Other than that, helpful information includes the date and time the message was sent, the
filenames of any attachments, and the unique message number (Message-ID), if it is supplied.
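The delivery chain described in the steps above and the header analysis just listed can be carried out in a few lines of Python with the standard library. The following script is an added example, not code from the original chapter: it parses the Received headers of a delivered message in reverse order, separates the name the client claimed in its HELO from the IP address the server actually observed, computes the delay at each hop, and compares the envelope sender (Return-Path) with the displayed From address. The sample message, its hostnames, addresses and timestamps are constructed for the example and are assumptions, not real evidence.

```python
"""Reconstruct a message's delivery path from its Received headers."""
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample headers of a delivered message. Hostnames, addresses and
# timestamps are assumptions made for this example. Each MTA prepends its own
# Received line, so the top line was written by the last server (our own) and
# the bottom line by the first server that accepted the message.
SAMPLE = """\
Return-Path: <bounce@example.net>
Received: from mx1.example.net (mx1.example.net [203.0.113.10])
\tby mail.victim.example (Postfix) with ESMTPS id 4Fg7x1Q;
\tMon, 06 Mar 2023 10:05:20 +0000
Received: from smtp-out.example.net (smtp-out.example.net [203.0.113.5])
\tby mx1.example.net with ESMTP id 2Kx9c3W;
\tMon, 06 Mar 2023 10:05:12 +0000
Received: from [192.0.2.77] (unknown [198.51.100.23])
\tby smtp-out.example.net with ESMTPSA id 9Qa1b2C;
\tMon, 06 Mar 2023 10:03:58 +0000
From: "Accounts Payable" <ap@bank.example.com>
To: victim@victim.example
Subject: Invoice overdue
Date: Mon, 06 Mar 2023 10:03:40 +0000
Message-ID: <20230306100340.12345@example.net>

Please see the attached invoice.
"""

HOP_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_received(value):
    """Split one Received header into the claimed HELO name, the IP the
    server actually saw, the receiving server and the timestamp."""
    flat = " ".join(value.split())          # unfold continuation lines
    m = HOP_RE.search(flat)
    if not m:
        return None
    # The HELO name is whatever the client claimed; the bracketed address in
    # the comment is the TCP peer the server observed, which is the reliable one.
    ip_match = IP_RE.search(m.group("comment") or "") or IP_RE.search(m.group("helo"))
    when = None
    if ";" in flat:
        try:
            when = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            when = None
    return {"helo": m.group("helo"), "ip": ip_match.group(1) if ip_match else None,
            "by": m.group("by"), "time": when}


def delivery_path(raw):
    """Hops in chronological order (first handler first) with per-hop delay."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()                          # prepended headers -> reverse order
    prev = None
    for hop in hops:
        hop["delay_s"] = None
        if prev and prev["time"] and hop["time"]:
            hop["delay_s"] = int((hop["time"] - prev["time"]).total_seconds())
        prev = hop
    return hops


def originating_ip(raw):
    """IP recorded by the first server that accepted the message. Only the
    Received lines written by servers you trust are evidence; a sender can
    insert fake lines below them, so treat the earliest hops with caution."""
    hops = delivery_path(raw)
    return hops[0]["ip"] if hops else None


def envelope_vs_header_sender(raw):
    """Compare the envelope sender (Return-Path) with the displayed From.
    Different domains are normal for mailing lists and bulk senders, but in a
    phishing case the mismatch is exactly what the reader never sees."""
    msg = message_from_string(raw)
    return_path = parseaddr(msg.get("Return-Path", ""))[1]
    header_from = parseaddr(msg.get("From", ""))[1]
    return {"return_path": return_path, "from": header_from,
            "domain_mismatch": return_path.rsplit("@", 1)[-1].lower()
                               != header_from.rsplit("@", 1)[-1].lower()}


if __name__ == "__main__":
    for hop in delivery_path(SAMPLE):
        print(f"{hop['ip'] or '?':>15} -> {hop['by']:<24} +{hop['delay_s'] or 0}s")
    print("submitted from:", originating_ip(SAMPLE))
    print(envelope_vs_header_sender(SAMPLE))
```

Run against the sample, the first hop shows a client that announced itself as a private address ([192.0.2.77]) while the server saw 198.51.100.23, and the message claims to come from bank.example.com although the bounce address belongs to example.net. Unusually large or negative hop delays are another sign that a Received line was forged or that a server clock is wrong.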
Email Server Investigation:
Even when a message has been deleted on both the sender's and the recipient's side, a copy may still
exist on the server: mail servers commonly keep messages, backups or at least delivery logs for a period
after each successful delivery, sometimes because specific government regulations require email retention.
A mail server's own log is also independent of anything the sender could forge in the message headers, so
matching the Message-ID or the server's queue ID from a recovered header against the log confirms when the
message really arrived and from which connecting host.
Information about the sender and attached files can often be found by examining the message technically:
the body and attachments are structured as Multipurpose Internet Mail Extensions (MIME) parts, and Microsoft
Outlook may additionally wrap attachments in its Transport Neutral Encapsulation Format (TNEF), which
appears as a winmail.dat attachment.
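As an added example (not code from the original chapter), the following Python script shows how a Message-ID taken from a recovered header is matched against a mail server's own log to reconstruct the delivery record: the queue ID, the connecting client, the envelope sender, the size and the delivery status. The log lines are constructed for the example in the format Postfix writes to the system mail log; the hostnames, addresses, process IDs and queue IDs are assumptions.

```python
"""Match a Message-ID against Postfix logs to reconstruct a delivery record."""
import re
from collections import defaultdict

# Constructed sample in the format Postfix writes to the system mail log.
# Hostnames, addresses, PIDs and queue IDs are assumptions for this example.
# Postfix tags every entry for one message with the same queue ID.
SAMPLE_LOG = """\
Mar  6 10:05:20 mail postfix/smtpd[2231]: connect from mx1.example.net[203.0.113.10]
Mar  6 10:05:20 mail postfix/smtpd[2231]: 4Fg7x1Q: client=mx1.example.net[203.0.113.10]
Mar  6 10:05:20 mail postfix/cleanup[2235]: 4Fg7x1Q: message-id=<20230306100340.12345@example.net>
Mar  6 10:05:20 mail postfix/qmgr[1180]: 4Fg7x1Q: from=<bounce@example.net>, size=48211, nrcpt=1 (queue active)
Mar  6 10:05:21 mail postfix/local[2240]: 4Fg7x1Q: to=<victim@victim.example>, relay=local, delay=0.6, status=sent (delivered to maildir)
Mar  6 10:05:21 mail postfix/qmgr[1180]: 4Fg7x1Q: removed
Mar  6 10:05:21 mail postfix/smtpd[2231]: disconnect from mx1.example.net[203.0.113.10]
Mar  6 11:12:03 mail postfix/smtpd[2298]: 7Bc2d9Z: client=unknown[198.51.100.44]
Mar  6 11:12:03 mail postfix/cleanup[2301]: 7Bc2d9Z: message-id=<abc123@other.example>
Mar  6 11:12:03 mail postfix/qmgr[1180]: 7Bc2d9Z: from=<news@other.example>, size=1024, nrcpt=1 (queue active)
Mar  6 11:12:04 mail postfix/local[2305]: 7Bc2d9Z: to=<victim@victim.example>, relay=local, delay=0.3, status=sent (delivered to maildir)
Mar  6 11:12:04 mail postfix/qmgr[1180]: 7Bc2d9Z: removed
"""

# syslog timestamp, host, postfix/<program>[pid]: optional "<queue id>: ", rest.
# The lookahead requires a digit in the queue ID so that words such as
# "warning:" are not mistaken for one.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>[\w-]+)\[\d+\]: "
    r"(?:(?P<qid>(?=\w*\d)[0-9A-Za-z]{6,}): )?(?P<rest>.*)$"
)


def parse_log(text):
    """Group log entries by Postfix queue ID, in the order they were written."""
    by_qid = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("qid"):
            by_qid[m.group("qid")].append((m.group("ts"), m.group("prog"), m.group("rest")))
    return by_qid


def find_queue_id(text, message_id):
    """The cleanup daemon logs the Message-ID next to the queue ID; that is
    the link between a header found in a mailbox and the server's records."""
    for qid, entries in parse_log(text).items():
        for _, prog, rest in entries:
            if prog == "cleanup" and f"message-id={message_id}" in rest:
                return qid
    return None


def delivery_record(text, message_id):
    """Who connected, who the envelope sender was, how big the message was and
    whether it was delivered, all taken from the server's own log."""
    qid = find_queue_id(text, message_id)
    if qid is None:
        return None
    rec = {"queue_id": qid, "recipients": []}
    for ts, prog, rest in parse_log(text)[qid]:
        if prog == "smtpd" and rest.startswith("client="):
            rec["client"] = rest[len("client="):]      # host[ip] that connected
            rec["received_at"] = ts
        elif prog == "qmgr" and rest.startswith("from="):
            m = re.match(r"from=<([^>]*)>, size=(\d+)", rest)
            rec["envelope_from"], rec["size"] = m.group(1), int(m.group(2))
        elif "status=" in rest:
            m = re.match(r"to=<([^>]*)>.*status=(\w+)", rest)
            rec["recipients"].append((m.group(1), m.group(2)))
            rec["delivered_at"] = ts
    return rec


if __name__ == "__main__":
    print(delivery_record(SAMPLE_LOG, "<20230306100340.12345@example.net>"))
```

The client address in the smtpd line is what the server itself observed, so it can be checked against the IP in the topmost Received header of the recovered message; a disagreement means one of the two has been tampered with. Rotated or compressed log files and the retention period of the server determine how far back this correlation is possible.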
Attachment Analysis
If the attached files have been deleted, you are advised to consult a digital forensics agency or use email
forensics tools such as DRS to recover them, so that you can examine every piece of evidence. Where the
message itself is available, the attachments are carried inside its MIME structure and can be extracted,
hashed and examined directly from the message.
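As an added example for the MIME and attachment passages above (not code from the original chapter), the following Python script walks the MIME structure of a message, records each attachment's name, declared type, size and SHA-256 hash for the evidence record, and flags a winmail.dat part carrying Outlook's TNEF wrapper by its signature bytes, since the real attachments inside it have to be unpacked with a TNEF-aware tool. The sample message, its addresses and the attachment contents are constructed for the example and are assumptions, not real evidence.

```python
"""List, hash and classify the attachments of a MIME message."""
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Outlook's TNEF container (winmail.dat) starts with the signature 0x223E9F78,
# stored little-endian, so the first four bytes on disk are 78 9F 3E 22.
TNEF_SIGNATURE = b"\x78\x9f\x3e\x22"


def build_sample():
    """Constructed multipart message: a text body, a PDF attachment and a
    winmail.dat part. Addresses and contents are assumptions for this example."""
    msg = EmailMessage()
    msg["From"] = "ap@bank.example.com"
    msg["To"] = "victim@victim.example"
    msg["Subject"] = "Invoice overdue"
    msg["Message-ID"] = "<20230306100340.12345@example.net>"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"%PDF-1.4 fake invoice bytes",
                       maintype="application", subtype="pdf",
                       filename="invoice.pdf")
    msg.add_attachment(TNEF_SIGNATURE + b"\x00" * 16,
                       maintype="application", subtype="ms-tnef",
                       filename="winmail.dat")
    return msg.as_bytes()


def list_attachments(raw):
    """Walk the MIME tree and describe every attachment part."""
    msg = message_from_bytes(raw, policy=default)
    found = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True)   # undo base64 / quoted-printable
        found.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(data),
            # hash the decoded bytes so the value matches the file once carved out
            "sha256": hashlib.sha256(data).hexdigest(),
            # a TNEF blob hides further attachments that need a TNEF-aware tool
            "is_tnef": data.startswith(TNEF_SIGNATURE),
        })
    return found


if __name__ == "__main__":
    for att in list_attachments(build_sample()):
        flag = " (TNEF: unpack separately)" if att["is_tnef"] else ""
        print(f"{att['filename']:<14} {att['content_type']:<20} "
              f"{att['size']:>6} B  sha256={att['sha256'][:16]}...{flag}")
```

Hashing the decoded bytes rather than the base64 text means the value recorded here will match the hash of the file after it is carved out of the mailbox, which is what a later chain-of-custody check compares against. The declared Content-Type and filename come from the sender and should be treated as claims; the signature check on the first bytes is the same idea applied to the content itself.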