How Email works?
Just like other digital forensics technology, it’s not easy to conduct forensics without understanding the basis of the underlying technologies.
Emails are probably generated from various mediums and approaches and thus different technologies are applied accordingly.
Commonly speaking, a man writes an email on his digital device, maybe a phone or computer, and then sends it to the one he wants to. Though it’s seemingly the man has finished his work, the upon email processing work just starts in order to successfully and correctly be delivered to the recipient.
When an email is sent out, countless servers are actually undertaken the whole information of the email before it can really arrive in the recipient’s inbox, which is said that we have to understand what’s proceeding after we click the “send” button.
Email Programs and Protocols
During the process, there are 3 protocols and 3 email programs tightly related and are vital to be known.
- Simple Mail Transfer Protocol (SMTP): it is the standard Protocol used to transmit and send emails.
- Internet Message Access Protocol (IMAP): it is one of the standard protocols used for receiving emails.
- POP3 (Post Office Protocol 3): it is one of the standard protocols used to receive mail.
- Mail Transfer Agent (MTA): sends and forwards emails through SMTP. e.g. Sendmail, postfix.
- Mail User Agent (MUA): mail client used to receive emails, which uses IMAP or POP3 protocol to communicate with the server. e.g. Outlook, Apple Mail, Gmail.
- Mail Delivery Agent (MDA): saves the mails received by MTA to local, cloud disk or designated location, meanwhile it usually scans for spam mails and viruses. e.g. Promail, Dropmail.
- Mail Receive Agent (MRA): implements IMAP and POP3 protocol, and interacts with MUA. e.g. dovecot
The theory of email running
Let’s take an example below for instance to better explain the theory of email running.
- STEP 1: To start, someone creates an email with a Mail User Agent (MUA), typical MUAs include Gmail, Apple Mail, Mozilla Thunderbird, and Microsoft Outlook Express.
- STEP 2: Regardless of the MUA used, the mail is created and sent to the user’s mail transfer agent (MTA) – the delivery process uses the SMTP protocol.
- STEP 3: The MTA then checks the recipient of the message (here we assume it is you), queries the DNS server for the domain name corresponding to the recipient MTA, and sends the message to the recipient MTA – again using the SMTP protocol.
At this moment, the mail has been sent from the remote user’s workstation to his ISP(Internet Server Provider)’s a mail server and forwarded to your domain.
What will happen next?
Considering different network configurations, it is very likely that the mail will be transferred to another MTA during the transmission process, but eventually, an MTA will take over the mail and be responsible for delivery.
Then, the MTA will deliver the mail to a mail delivery agent (MDA).
The main function of the MDA is to save the mail to the local disk. Specific MDAs can also be developed with other functions, such as mail filtering or direct mail delivery to other file locations. Thus, it should be noted that it is MDA that completes the function of storing mail on the server.
- STEP 4: Now, it’s time for you to check your mail.
Running MUA, you can use the IMAP protocol or POP3 protocol to query the mail server for your mail. The mail server first confirms your identity, then retrieves the mailing list from the mail store and returns the list to the MUA.
Now you can read the message.
Message location of an email
Even if we know the running theory of emails, it’s recommended to be noted that different configuration on the recipient’s email client varies the copies of the message to be saved.
Additionally, any server that sends a message from a party to a recipient can keep a copy of the email.
With the above root principle, it’s going to equip your initial ideas before conducting your email forensics investigation.
How to conduct Email Forensics investigation?
With the increasing popularity of the use of email based on the boom of the internet, some typical crimes are tied to email. For instance, financial crime, cyber security, and extortion software, to name a few.
To bring the criminals to justice, it’s crucial to look into investigative emails.
Before we can dive into the major investigative extraction working directions of email forensics, be noted:
- Local Computer-based emails: For local computer-based email data files, such as Outlook .pst or .ost files, it’s recommended to follow our following techniques directly.
- （Cloud）Server-based emails: For （Cloud）Server based email data files, it’s not possible to conduct complete forensic work until you obtain the electronic copies in the (Cloud)server database under the consent of the service providers.
- Web-based emails: For Web-based e-mail (e.g. Gmail,) investigations, it’s more likely possible to just filter specific keywords to extract email address-related information instead of the overall email data and information compared to local computer-based emails.
Viewing and Analyzing E-mail Headers
The primary evidence in email investigations is the email header where massive and valuable information could be found.
When carrying out the analysis, you’d be advised to get started from the bottom to the top, since the most crucial information from the sender would be on the bottom while information about the receiver would be on the topmost.
Since we already talked about MTAs where you could find out the route of the email transferred, it should be good for you to give it a detailed scan of the email header.
Here’s a sample for your information:
If you’re still not familiar with the fields, check the below explanations:
- From: Address of the actual sender acting on behalf of the author listed in the From field
- To: The email address and, optionally, the name of the message’s primary recipient(s)
- Cc: Carbon copy; a copy is sent to secondary recipients
- Bcc: Blind carbon copy; a copy is sent to addresses added to
- Subject: A brief summary of the topic of the message
- Date: A brief summary of the topic of the message
- (In)Reply-To: The message-ID of the message that this is a reply to; used to link related messages together
- Message-ID: An automatically generated field
- Content-Type: Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type
- Precedence: —Commonly with values “bulk,” “junk,” or “list”; used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of a mailing list
- Received: Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first)
- References: Message-ID of the message to which this is a reply
The main piece of information you’re looking for is the originating e-mail’s domain address or IP address. Other than that, helpful information includes the date and time the message was sent, filenames of any attachments, and unique message number, if it’s supplied.
Give all of them a complete analysis before you move to the next step.
Email Server Investigation
To locate the source of an email, it’s required to investigate the email’s servers. Since it’s not surprising criminals tend to delete their emails in case of being caught or accused of sensitive emails.
However, there is still a chance to get them back.
In extreme cases, even though both emails have been deleted from both sides between senders and recipients, a copy might be still on the server, since there is always retention on the server after the email is successfully delivered each time due to specific government regulations for email.
Whereas, you don’t want to miss out on investigating the log before it is archived after a certain period.
For your better work implementation, take below most popular email server software under consideration:
- Exchange Server (.edb)
- Exchange Public Folders (pub.edb)
- Exchange Private Folders (priv.edb)
- Streaming Data (priv.stm)
- Lotus Notes (.nsf)
- GroupWise (.db)
- GroupWise Post Office Database (wphost.db)
- GroupWise User Databases (userxxx.db)
- Linux Email Server Logs/var/log/mail.*
If there is no log from the email server due to various reasons, for instance, incorrect configuration on the email server, another approach is worth trying, which is the network service.
In certain cases, an internet service provider (ISP) or any other communications network stores an email. Therefore, investigators are recommended to examine the network devices such as routers and there might be chances for some clue of the source of an email.
Software embedded identifiers
When looking deep enough at the email software, a higher level analysis of the extra information on it comes into account.
Actually, information about the sender and attached files could be found sometimes in an email when you technically examine it, since in most cases, the senders tend to customize their header under Multipurpose Internet Mail Extensions (MIME) with a Transport Neutral Encapsulation Format(TNEF).
As is known to us all, sometimes, our computer gets infected when we surf the Internet and open specific files. To cause the issue, viruses and malware are most skeptical.
When it comes to emails, it’s also very common for a problematical attachment to be found and thus it’s really worth investigating the attached files.
However, if the files happened to be deleted, you’re suggested to consult with a digital forensic agency or use a data recovery tool like DRS to recover them so that you could better examine every piece of them.
After the attachment’s retrieval, you’d better analyze those suspicious files under a sandbox environment in case the file is malware and do harm to your computer.
Bulk Email Forensics
Significant mailbox collections tend to be examined, analyzed, and used as proof in legal instances. Therefore, legal experts have to work with large mailboxes in many circumstances. Most email service applications, like Perspective and Gmail, give a dashboard embedded with several valuable functions.
However, you might not get the desired results by only using keywords in the interface. Day and time are two attributes of emails considered necessary if they are produced as evidence related to an instance.
Also, email messages can be forged like physical documents, and hackers may tamper with these attributes. Moreover, since an email doesn’t directly reach the receiver to the sender, recording its actual way with accurate timings is a challenging aspect.
MD5 and SHA1 Hash Values
MD5 and SHA1 would be the two most crucial hashing algorithms utilized by digital forensics professionals since it’s standard practice to make use of MD5 and SHA1 hashing algorithms in email forensics brought on. These algorithms enable forensic investigators to aid digital evidence as soon as they acquire this until it finally is created in a courtroom of law.
One more reason why hash values are crucial is usually that electronic documents are shared with legal professionals and various other parties in the analysis. Therefore, making certain every person has identical replicates of the data files is vital.
Consider how many places an email may well be saved. This could be preserved on the sender’s equipment, around the recipient’s machine, on either the sender’s or recipient’s email server, or both, and in backup media with regard to either server. In the event that you consider the many places the email could stay, that should indicate to you that that is rare for an email is usually ever truly deleted.
It may always be quite difficult to get, yet it probably is out there somewhere. This is definitely one of the reasons for this why email forensics is so important.
One will need to sign into the e-mail support in order to be able to analyze emails. Google mail and similar services do not provide any kind of mechanism to access a message if that has been wiped from the trash folder.
In that circumstance, it’s likely not possible to be covered.
In some cases, some sort of subpoena can be issued to the service agency, and it
may well search backups intended for the missing electronic mail
Js code tracking
To better locate or identify a suspect email address, it’s important to attract the suspect to open a trackable email. Across cases like kidnapping and murder, it’s commonly used to identify criminals.
By inserting a specific J.S code along HTTP: “img sr” tag on an image within the body of your email, it’s going to be able to record at least the IP address after the suspect clicks the image, especially when the location of a suspect or cybercriminal is unknown.
Traced information identify
When acquiring tracking information, it’s no doubt to identify the information in hand to look for some clues that will benefit your forensic investigation in a way.
Below is the manual method for IP address identification where you could figure out detailed information about the IP’s owner.