Forensic investigation of emails refers to deeply studying the source and content of the emails. The study involves identifying the actual sender and recipient of the emails concerned, the timestamp of the email transmission, the intention of the mail, and the record of the complete email transaction. Investigation of emails proves useful in incidents such as email abuse, email phishing, email scams, and other cases where email is misused. Parts of email investigation include keyword search, metadata investigation, scanning of ports, etc.
Techniques for Email Investigation
The various techniques that are deployed in order to perform an efficacious and seamless email investigation are given below:
1) Email Header Analysis
Header analysis is done to extract information about the sender of the mail and also the path through which the email has been transmitted. Usually, the metadata of an email is stored in its headers. At times, these headers may be tampered with to hide the true identity of the sender.
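The following is an added example, not code from the original post: it walks the Received chain of a constructed raw message (all hosts, addresses and IPs are invented placeholders) bottom-up to recover the relay path and the originating IP, and flags a From/Return-Path domain mismatch of the kind header tampering leaves behind.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; hosts, addresses and IPs are invented placeholders.
RAW_EMAIL = """Return-Path: <bounce@mail.example.net>
Received: from mx.example.org (mx.example.org [203.0.113.10])
\tby inbox.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
\tby mx.example.org with ESMTP id def456; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.net with ESMTPA id ghi789; Mon, 1 Jan 2024 10:00:01 +0000
From: "Accounts Team" <billing@bank-example.com>
"""

RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)"                   # host name the relay was told
    r"(?:\s+\([^\[)]*\[(?P<from_ip>[\d.]+)\]\))?"  # IP the relay actually saw
    r".*?\bby\s+(?P<by_host>\S+)"                  # relay that wrote this header
    r".*?;\s*(?P<date>.+)$"                        # timestamp after the ';'
)

def parse_received(value):
    """Unfold one Received header and pull out its from/by/date fields."""
    text = re.sub(r"\s+", " ", value).strip()
    match = RECEIVED_RE.search(text)
    return match.groupdict() if match else None

def relay_path(raw):
    """Each relay prepends its own Received header, so reading the headers
    bottom-up yields the hops in chronological order (origin first)."""
    msg = message_from_string(raw)
    hops = [parse_received(v) for v in msg.get_all("Received", [])]
    return [h for h in reversed(hops) if h]

def _domain(header_value):
    return parseaddr(header_value or "")[1].rsplit("@", 1)[-1].lower()

def analyse(raw):
    """Summarise origin IP, relay path and a From/Return-Path domain mismatch."""
    msg = message_from_string(raw)
    hops = relay_path(raw)
    from_domain = _domain(msg["From"])
    return_path_domain = _domain(msg["Return-Path"])
    return {
        "originating_ip": hops[0]["from_ip"] if hops else None,
        "path": [(h["from_host"], h["by_host"]) for h in hops],
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "sender_mismatch": from_domain != return_path_domain,
    }
```

Only the Received header added by your own trusted mail server can be relied on; everything below it was written by relays the sender may control, so a mismatch is a lead to corroborate with server or network logs, not proof on its own.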
2) Bait Tactics
It is the process of tracking the IP address of the sender of a particular mail under investigation. In this technique, a mail containing an HTTP “<img src>” tag is sent to the mail address from which the mail has been received. The recipient in this case is the culprit. When the mail is opened, a log containing the IP address of the recipient is captured by the mail server that is hosting the image, and the recipient is tracked. In case the recipient is using a proxy server, the address of the proxy server gets recorded instead.
3) Extraction From Server
Server investigation comes in handy when the emails residing on the sender and receiver ends have been purged permanently. Since servers maintain a log of the sent and received emails, examining those logs can recover the deleted emails. Furthermore, the logs can give information about the source from which the emails have been generated. Server investigation does not mean that all the purged emails can be extracted, because after a certain retention period the emails are deleted permanently from the server.
4) Investigation of Network Sources
This investigation is opted for when the server logs fail to provide the required information, or when the Internet Service Providers do not give access to the server. The logs generated by network hubs, routers, firewalls, etc. give information about the origin of the email message.
Popular Tools Deployed for Email Investigation
There are a number of email investigation tools available that assist in the complete investigation process. These tools generate automated reports of the investigation, identify the origin and the destination of emails, and much more. Some of the tools which are a part of this domain are:
1) EnCase
EnCase enables investigators to image a drive and preserve it in the E01 format, which can be investigated forensically and also presented in court as evidence.
2) FTK
Forensic Toolkit is a comprehensive investigation tool known for forensic email investigation, including the decryption of email content.
3) MailXaminer
MailXaminer is an advanced email investigation tool that supports more than 20 email formats and around 750 MIME formats. The tool is equipped with great features like:
- Advanced search for keywords
- Link analysis of emails
- Skin tone analysis
- Live Exchange Mailbox analysis and many more.
The tool carves out evidence in the most efficacious way and generates a complete evidence report.
Conclusion
The right techniques and tools, if used in the forensic investigation of emails, carve out potential evidence in a very short time. Therefore, deploying the right tool is necessary to perform an advanced email investigation.
Vicky
Informative post, I guess I’m a bit unaware of this subject and I must say I’ve learned some great info from this post.
Thanks for sharing.
Niraj
Excellent article. Always good to learn more about dealing with email related offenses.
Thanks!
Niraj
Mansoorvalli
This is very informative. Thanks for the share.
Deep
In case the sender sends a phishing mail to a victim, and the sender uses a VPN and sends the mail through a third-party website so that it is sent from an authorized sender, then how is the investigation done?