Email Forensics – Definition and Guideline

2022-09-13

Email forensics has become part of digital forensic investigation because of how widely and commonly email is used today.

People use email to communicate with friends, schoolmates, colleagues and many others. As a result, a great deal of data and information is transmitted by email and, unsurprisingly, some of it is illegal, just as happened with other common means of communication, such as the mobile phone, once they became popular to a certain extent.

In fact, it is already a serious public concern that a majority of criminals have used email in committing their crimes in recent years, especially where cyber security and digital crime are concerned. Beyond that, non-computer crimes and even civil litigation are increasingly related to email.

That being said, we want to explain how email operates so that email-related crimes can be uncovered through email forensics and the criminals brought to justice.

What is Email Forensics?

Email forensics is dedicated to investigating, extracting, and analyzing emails to collect digital evidence as findings in order to crack crimes and certain incidents, in a forensically sound manner.

Email forensics is conducted across various aspects of emails, which mainly include:

  • Email messages
  • Email addresses (sender and recipient)
  • IP addresses
  • Date and time
  • User information
  • Attachments
  • Passwords
  • Logs (cloud, server, and local computer)

A thorough and comprehensive investigation of the above crucial elements of email yields potential clues that help advance a criminal investigation.

Hence, knowing how to conduct scientific and effective email forensics matters.

But before diving into practical email forensics, note that without a full understanding of how email itself operates, the forensic work is likely to get stuck.

How Does Email Work?

As with other digital forensics technologies, it is not easy to conduct forensics without understanding the basics of the underlying technologies.
Emails may be generated from various media and by various approaches, and different technologies are applied accordingly.

Generally speaking, a person writes an email on a digital device, perhaps a phone or a computer, and sends it to the intended recipient. Although it seems the sender’s work is finished, the processing needed to deliver the email successfully and correctly to the recipient has only just begun.

When an email is sent, countless servers actually handle the whole of the email’s information before it arrives in the recipient’s inbox, which means we have to understand what happens after we click the “send” button.

Email Programs and Protocols

During the process, there are 3 protocols and 3 email programs that are closely related and vital to know.

  • Simple Mail Transfer Protocol (SMTP): the standard protocol used to transmit and send emails.
  • Internet Message Access Protocol (IMAP): one of the standard protocols used for receiving emails.
  • Post Office Protocol 3 (POP3): one of the standard protocols used to receive mail.
  • Mail Transfer Agent (MTA): sends and forwards emails through SMTP, e.g. Sendmail, Postfix.
  • Mail User Agent (MUA): the mail client used to receive emails, which uses the IMAP or POP3 protocol to communicate with the server, e.g. Outlook, Apple Mail, Gmail.
  • Mail Delivery Agent (MDA): saves the mail received by the MTA to a local disk, cloud disk or designated location; it usually also scans for spam and viruses, e.g. Procmail, Dropmail.
  • Mail Receive Agent (MRA): implements the IMAP and POP3 protocols and interacts with the MUA, e.g. Dovecot.

The theory of email running

Email Transferring

Email Architecture

Let’s take the example below to better explain how email runs.

  • STEP 1: To start, someone creates an email with a Mail User Agent (MUA). Typical MUAs include Gmail, Apple Mail, Mozilla Thunderbird, and Microsoft Outlook Express.
  • STEP 2: Regardless of the MUA used, the mail is created and sent to the user’s mail transfer agent (MTA) – the delivery process uses the SMTP protocol.
  • STEP 3: The MTA then checks the recipient of the message (here we assume it is you), queries the DNS server for the domain name corresponding to the recipient MTA, and sends the message to the recipient MTA – again using the SMTP protocol.

At this point, the mail has been sent from the remote user’s workstation to the mail server of his ISP (Internet Service Provider) and forwarded to your domain.

What will happen next?

Considering different network configurations, it is very likely that the mail will be transferred to another MTA during the transmission process, but eventually, an MTA will take over the mail and be responsible for delivery.
Then, the MTA will deliver the mail to a mail delivery agent (MDA).

The main function of the MDA is to save the mail to the local disk. Specific MDAs can also be developed with other functions, such as mail filtering or direct mail delivery to other file locations. Thus, it should be noted that it is the MDA that stores mail on the server.

  • STEP 4: Now, it’s time for you to check your mail.

With your MUA running, you can use the IMAP or POP3 protocol to query the mail server for your mail. The mail server first confirms your identity, then retrieves the list of messages from the mail store and returns the list to the MUA.

Now you can read the message.

Message location of an email

Even once we know how email runs, note that the configuration of the recipient’s email client determines which copies of a message are saved.

Additionally, any server that passes a message from a sender to a recipient can keep a copy of the email.

With the principles above in mind, you have the initial ideas you need before conducting your email investigation.

How to Conduct Email Forensics Investigation?

With the increasing popularity of email, driven by the boom of the internet, some typical crimes are tied to email: financial crime, cyber security, and extortion software, to name a few.

To bring email criminals to justice, it’s crucial to look into email investigation in cyber security.

Before we dive into the main investigative directions of email forensics, note the following:

  1. Local computer-based emails: For local computer-based email data files, such as Outlook .pst or .ost files, you can apply the techniques below directly.
  2. (Cloud) server-based emails: For (cloud) server-based email data files, it is not possible to conduct complete forensic work until you obtain electronic copies from the (cloud) server database with the consent of the service provider.
  3. Web-based emails: For investigations of web-based email (e.g. Gmail), it is more likely that you can only filter on specific keywords to extract email address-related information, rather than the overall email data and information available with local computer-based emails.

Viewing and Analyzing E-mail Headers

The primary evidence in email investigations is the email header, where a large amount of valuable information can be found.

When carrying out the analysis, start from the bottom and work to the top, since the most crucial information about the sender is at the bottom while information about the receiver is at the top.

Since we have already covered MTAs, which show the route an email was transferred along, it is worth scanning the email header in detail.

Here’s a sample for your information:

[Figure: Email Header]

If you’re still not familiar with the fields, check the explanations below:

  • From: Address of the actual sender acting on behalf of the author listed in the From field
  • To: The email address and, optionally, the name of the message’s primary recipient(s)
  • Cc: Carbon copy; a copy is sent to secondary recipients
  • Bcc: Blind carbon copy; a copy is sent to addresses added to
  • Subject: A brief summary of the topic of the message
  • Date: The date and time the message was sent
  • In-Reply-To: The message-ID of the message that this is a reply to; used to link related messages together
  • Message-ID: An automatically generated field
  • Content-Type: Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type
  • Precedence: Commonly with values “bulk,” “junk,” or “list”; used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of a mailing list
  • Received: Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first)
  • References: Message-ID of the message to which this is a reply

The main piece of information you’re looking for is the originating e-mail’s domain address or IP address. Other than that, helpful information includes the date and time the message was sent, filenames of any attachments, and unique message number, if it’s supplied.

Give all of them a complete analysis before you move to the next step.
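The bottom-to-top reading of the Received lines described above, as an added Python example that is not part of the original article. The message, hosts and addresses are constructed sample data, and `parse_received`, `trace_hops` and `backwards_steps` are hypothetical helper names.

```python
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample message (documentation hosts and addresses only).
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [198.51.100.20])
\tby mail.recipient.example with ESMTP id abc123;
\tTue, 13 Sep 2022 10:15:07 +0000
Received: from relay.isp.example (relay.isp.example [192.0.2.10])
\tby mx.recipient.example with ESMTP id def456;
\tTue, 13 Sep 2022 10:15:05 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
\tby relay.isp.example with ESMTPSA id ghi789;
\tTue, 13 Sep 2022 10:15:01 +0000
From: Alice <alice@sender.example>
To: Bob <bob@recipient.example>
Subject: Quarterly report
Date: Tue, 13 Sep 2022 10:14:58 +0000
Message-ID: <20220913101458.1@sender.example>

Body text.
"""

def _find(pattern, text):
    m = re.search(pattern, text)
    return m.group(1) if m else None

def parse_received(value):
    """Split one Received header into sending host, IP, receiving host, time."""
    flat = " ".join(value.split())            # unfold continuation lines
    info, _, stamp = flat.rpartition(";")     # timestamp follows the last ';'
    try:
        when = parsedate_to_datetime(stamp.strip())
    except (TypeError, ValueError):           # missing or malformed date
        when = None
    return {"from": _find(r"\bfrom\s+(\S+)", info),
            "ip": _find(r"\[([0-9A-Fa-f.:]+)\]", info),
            "by": _find(r"\bby\s+(\S+)", info),
            "time": when}

def trace_hops(raw_message):
    """Return hops oldest first: servers prepend, so the bottom line is hop 1."""
    msg = email.message_from_string(raw_message)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    hops.reverse()
    return hops

def backwards_steps(hops):
    """Index pairs where a later hop is stamped earlier (forgery or clock skew)."""
    timed = [(i, h["time"]) for i, h in enumerate(hops) if h["time"]]
    return [(a, b) for (a, ta), (b, tb) in zip(timed, timed[1:]) if tb < ta]
```

Only the Received lines written by servers you control or trust are reliable; anything below them was supplied by the sending side and needs corroboration from server logs.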

Email Server Investigation

To locate the source of an email, you need to investigate the email servers, since, not surprisingly, criminals tend to delete their emails to avoid being caught or accused over sensitive emails.

However, there is still a chance to get them back.

In extreme cases, even when the email has been deleted by both the sender and the recipient, a copy might still be on the server, since servers always retain mail after each successful delivery due to specific government regulations for email.

However, you don’t want to miss the chance to investigate the logs before they are archived after a certain period.

To help with your work, consider the most popular email server software and its data files below:

  • Exchange Server (.edb)
  • Exchange Public Folders (pub.edb)
  • Exchange Private Folders (priv.edb)
  • Streaming Data (priv.stm)
  • Lotus Notes (.nsf)
  • GroupWise (.db)
  • GroupWise Post Office Database (wphost.db)
  • GroupWise User Databases (userxxx.db)
  • Linux Email Server Logs (/var/log/mail.*)
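To show what the Linux mail logs offer an investigator, the added Python example below (not from the original article) ties a Message-ID taken from a header back to the server's log entries. It assumes the MTA is Postfix logging in its usual syslog format; the log lines are constructed sample data and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in Postfix syslog format (assumed; other MTAs log differently).
LOG = """\
Sep 13 10:15:01 mail postfix/smtpd[2101]: 4F2A91C0D3: client=unknown[203.0.113.45]
Sep 13 10:15:01 mail postfix/cleanup[2104]: 4F2A91C0D3: message-id=<20220913101458.1@sender.example>
Sep 13 10:15:01 mail postfix/qmgr[1190]: 4F2A91C0D3: from=<alice@sender.example>, size=2048, nrcpt=1 (queue active)
Sep 13 10:15:02 mail postfix/smtp[2107]: 4F2A91C0D3: to=<bob@recipient.example>, relay=mx.recipient.example[198.51.100.20]:25, delay=1.2, dsn=2.0.0, status=sent (250 2.0.0 OK)
Sep 13 10:15:02 mail postfix/qmgr[1190]: 4F2A91C0D3: removed
Sep 13 10:20:44 mail postfix/smtpd[2133]: 7B33E1C0D9: client=relay.isp.example[192.0.2.10]
Sep 13 10:20:44 mail postfix/cleanup[2136]: 7B33E1C0D9: message-id=<other.2@isp.example>
"""

# timestamp, daemon name, queue ID, remainder of the line
LINE = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ postfix/(\w+)\[\d+\]: ([0-9A-F]+): (.*)$")
FIELD = re.compile(r"\b(client|message-id|from|to|relay|status)=(\S+?)(?:,|\s|$)")

def build_timeline(log_text):
    """Group every log event by Postfix queue ID and collect key fields."""
    msgs = defaultdict(lambda: {"events": []})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue                          # not a per-message Postfix line
        stamp, daemon, qid, rest = m.groups()
        rec = msgs[qid]
        rec["events"].append((stamp, daemon, rest))
        for key, val in FIELD.findall(rest):
            rec.setdefault(key, val.strip("<>"))
    return dict(msgs)

def find_by_message_id(log_text, message_id):
    """Return (queue_id, record) for a header Message-ID, or None if absent."""
    wanted = message_id.strip("<>")
    for qid, rec in build_timeline(log_text).items():
        if rec.get("message-id") == wanted:
            return qid, rec
    return None
```

The `client=` value is the connecting host as the server itself saw it, which makes it a useful cross-check against the bottom Received line of the message.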

Network Devices

If there are no logs from the email server for some reason, for instance an incorrect configuration on the email server, another approach worth trying is the network service.

In certain cases, an internet service provider (ISP) or another communications network stores an email. Therefore, investigators are advised to examine network devices such as routers, where there may be clues to the source of an email.

Software embedded identifiers

Looking deeply enough at the email software, a higher-level analysis of the extra information it embeds comes into play.

Actually, information about the sender and attached files can sometimes be found in an email when you examine it technically, since in most cases, senders tend to customize their headers under Multipurpose Internet Mail Extensions (MIME) with Transport Neutral Encapsulation Format (TNEF).

Attachment Analysis

As we all know, a computer sometimes gets infected when we surf the Internet and open specific files. Viruses and malware are the most likely culprits.

When it comes to emails, it is also very common to find a problematic attachment, so it is well worth investigating the attached files.

However, if the files happen to have been deleted, you are advised to consult a digital forensic agency or use email forensics tools like DRS to recover the files so that you can better examine every piece of them.

After retrieving the attachments, analyze the suspicious files in a sandbox environment in case a file is malware and would harm your computer.

Bulk Email Forensics

Large mailbox collections tend to be examined, analyzed, and used as proof in legal cases. Therefore, legal experts have to work with large mailboxes in many circumstances. Most email service applications, like Outlook and Gmail, provide a dashboard with several valuable functions built in.

However, you might not get the desired results by only using keywords in the interface. Date and time are two attributes of emails considered necessary if they are produced as evidence in a case.

Also, email messages can be forged like physical documents, and hackers may tamper with these attributes. Moreover, since an email doesn’t travel directly from the sender to the receiver, recording its actual path with accurate timings is challenging.

MD5 and SHA1 Hash Values

MD5 and SHA1 are the two most important hashing algorithms used by digital forensics professionals, and it is standard practice to use them in email forensics. These algorithms enable forensic investigators to preserve digital evidence from the moment they acquire it until it is finally produced in a court of law.

Another reason hash values are crucial is that electronic documents are shared with legal professionals and various other parties during the investigation. Therefore, making certain everyone has identical copies of the data files is vital.
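How the hash values are used in practice, as an added Python example that is not part of the original article: hashes are recorded at acquisition and re-checked on every copy that is handed on. It goes slightly beyond the text by hashing each decoded attachment as well as the raw message; the sample message is constructed and the function names are hypothetical.

```python
import hashlib
from email import message_from_bytes

# Constructed sample evidence: one message with a single base64 attachment.
EVIDENCE = (
    b"From: alice@sender.example\r\n"
    b"To: bob@recipient.example\r\n"
    b"Subject: invoice\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n\r\n"
    b"See attached.\r\n"
    b"--b1\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="invoice.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n\r\n"
    b"aGVsbG8gd29ybGQ=\r\n"
    b"--b1--\r\n"
)

def digests(data):
    """MD5 and SHA1 of a byte string, the two algorithms named in the text."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}

def build_manifest(raw):
    """Hash the raw message and every decoded attachment at acquisition time."""
    manifest = {"message": digests(raw)}
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if name:                                  # only parts carrying a filename
            manifest[name] = digests(part.get_payload(decode=True))
    return manifest

def verify_copy(raw_copy, manifest):
    """Return the manifest entries whose hashes no longer match this copy."""
    current = build_manifest(raw_copy)
    return sorted(k for k in manifest if current.get(k) != manifest[k])
```

An empty list from `verify_copy` means the copy is byte-for-byte identical to what was acquired; any name in the list identifies which item changed.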


Consider how many places an email may be saved. It could be preserved on the sender’s machine, on the recipient’s machine, on the sender’s or the recipient’s email server, or both, and on backup media for either server. Considering the many places an email could reside, it should be clear that it is rare for an email ever to be truly deleted.

It may be quite difficult to find, yet it probably exists somewhere. This is one of the reasons why email forensics is so important.


One needs to sign in to the email service in order to analyze emails. Gmail and similar services do not provide any mechanism to access a message once it has been deleted from the trash folder.

In that case, it is likely not possible to recover it.

In some cases, a subpoena can be issued to the service provider, which may then search its backups for the missing email.

Email Tracking in Cyber Security

  • JS code tracking

To better locate or identify the person behind a suspect email address, it is important to get the suspect to open a trackable email. The technique is commonly used to identify criminals in cases such as kidnapping and murder.

By inserting specific JS code along with an HTML “img src” tag for an image in the body of your email, you can record at least the IP address after the suspect clicks the image, which is especially useful when the location of a suspect or cybercriminal is unknown.

  • Identifying traced information

Once you have acquired tracking information, examine it for clues that will benefit your forensic investigation.

Below are resources for the manual method of IP address identification, where you can find detailed information about the IP’s owner.

  • http://www.whois.net
  • http://www.networksolutions.com/whois/index.jsp
  • http://www.who.is
  • http://www.internic.net/whois.html
  • http://cqcounter.com/whois/

Smart Email Forensic Investigation Suggestions

Whenever there are suspects, you’re bound to be monitoring their activities. For example, administrators might run security checks on an employee who seems to be disgruntled or who has access to sensitive information.

This employee’s email logs and network use may, for example, show them sending innocent family pictures to a Hotmail account, but no traffic coming back from that Hotmail account. These seemingly innocent pictures might carry steganographically hidden messages, and so provide proof of the employee’s part in corporate espionage.

Forensic email tracing is similar to traditional gumshoe detective work, which involves looking at each point through which an email passed.

The investigator works step by step back to the originating computer and, eventually, the perpetrator.

Correctly manage the email forensic evidence

Digital evidence in the form of email data can be crucial in civil and criminal cases. However, be sure it is extracted in the correct manner using email forensics, which ensures the following:

  • The email data is extracted in full and there is no question whether all data has been recovered
  • The validity of the data can be relied upon in both civil and criminal courts as admissible evidence
  • No changes are made to the email metadata
  • The work is compliant with the ACPO guidelines and the quality standards set out within the ISO17025 documentation and Forensic Science Regulator’s Codes of Good Practice and Conduct
  • Any deleted emails and files are recovered where possible

Final Thought

Email forensics refers to analyzing the source and content of emails as evidence, though the actual investigation of email-related crimes and incidents involves various approaches.

Work in a forensically sound manner: correctly examine the header data of all messages of interest to the investigation, scientifically decode any extracted information that your tracked suspects return and that benefits your case, and correctly finalize your email forensic investigation.