Email Forensics


Many cybercrimes have involved the use of email, either as the means of the crime or as evidence of it. Emails can contain evidence of many types of crime, such as:

  • Domestic violence
  • Cyber-harassment
  • Extortion
  • Embezzlement
  • Fraud
  • Identity theft
  • Child exploitation and abuse
  • Terrorism
  • Drug dealing
  • Gambling
  • Intellectual property theft
  • Organized crime


Basics of Email:

There are two types of email systems:

  • Client/Server Email: The client sends or receives the emails. The server stores the messages until the user retrieves them. In this system, the emails are downloaded onto the user’s computer.
  • Web-based Email: The email account has to be accessed through a Web browser. The emails are stored in the email service provider’s server.

Email systems use a variety of protocols:

  • SMTP (Simple Mail Transfer Protocol): SMTP is part of the TCP/IP suite and is the primary protocol for sending messages across the Internet. It is responsible for delivering email over either a local network or the Internet.


  • POP3 (Post Office Protocol 3): POP3 is used to read email. It stores the emails in a single folder on the server until the user downloads them. After an email has been downloaded, POP3 deletes it from the server. However, a user can choose to keep emails on the server for a period of time after downloading them. This means investigators should not ignore the server even if the user has already downloaded the email.


  • IMAP (Internet Message Access Protocol): IMAP is used to retrieve and read emails, like POP3. Unlike POP3, IMAP gives the user the option to store emails in various folders on the server. POP3 is still more widely used than IMAP.


An email address is made up of a username and a domain name. The domain name is everything after the @ symbol, while the username is everything before it. For example, in the email address, “example” is the username while “” is the domain name.


Parts of an Email:

An email contains a body and a header. The body is the actual content of the message. The header is available either in a condensed version or in a full version. Which version the investigator has determines what data can be retrieved from it.

Condensed Header:

  • From: This field contains the sender’s email address, which could be faked. It could also contain the sender’s name, which could likewise be faked. Both can be faked because SMTP does not verify email headers.


  • To: This contains the receiver’s address, and possibly their name. Once again this could have been spoofed.


  • Subject: This field could be blank. It could also contain misleading information.


  • Date: This includes the date, day of the week, time, and time zone. The field is set from the clock of the sender’s computer, so it is not accurate if that clock is not set correctly.


Full Header:

  • X-Originating-IP: This field reveals the sender’s IP address. An IP address can be either static or dynamic. A static IP address is a permanent address for a specific computer. A dynamic IP address is used by a computer for a period of time. When the time is up, the IP address is placed back into a pool of available IP addresses, from which any computer could end up taking it.


  • Received: This field is in the format “from [IP address] by [server name] with [Internet protocol], day of the week (first three letters), date [format: day month (first three letters) year], at [time (format is hour:minute:seconds)] time zone”. Some email systems do not include the IP address of the sender. Also, emails can contain more than one Received field if the email goes through several servers. This is because a server is responsible for creating this field. Multiple Received fields can reveal whether or not the sender’s IP address is faked. The investigator just has to check if the location next to the word “by” is the same as the location next to the word “from” in the Received field below it. If they do not match, then the sender’s IP address has been faked.


  • Return-Path: This is where the email should be returned to if it could not reach its destination. If this does not match the address in the From field, then the sender faked their address.


  • Message-ID: This contains the name of the server and a unique string that the server assigned to the message. This string can be used to track the message.


  • Received-SPF: The receiver of an email puts the email through an SPF query. This query checks if the sending server is allowed to send an email to the receiver’s domain. If the result is “fail” the message is rejected. If the result is “neutral” or “pass” then another spam filter decides if the message should be counted as spam.


  • Authentication-Results: This field makes a recommendation to the user on the validity of the message’s origin and content.


  • Content-Type: This indicates the type of data in the message, such as text, audio, video, or images.


  • X-Mailer: This specifies the email system used to send the message. Examples include Microsoft Outlook and Verizon Webmail.
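The checks described above for the Received, Return-Path, X-Originating-IP and Message-ID fields can be scripted rather than done by eye. The Python below is an added example, not code from the original page or from Maras's book. The two messages it parses are constructed samples (documentation-range IP addresses and example.com/net/org hosts), and the `parse_received`, `check_chain` and `analyze` functions are assumptions made for illustration. Because every server prepends its own Received line, the script reads the chain from the top down and pairs each line with the one beneath it: the host a line says it received the message “from” must be the host that the line below it says it was handled “by”. It also reports the origin IP and the UTC time of the earliest hop, which is the pair of facts needed later to attribute a dynamic IP address.

```python
import re
from datetime import timezone
from email import policy
from email.parser import BytesParser
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample messages (not real traffic). IP addresses are taken from the
# RFC 5737 documentation ranges. Every server prepends its own Received line, so the
# top line is the last hop before delivery and the bottom line is the first server
# that accepted the message from the sender's machine.
CONSISTENT = b"""Return-Path: <alice@example.com>
Received: from mx2.example.net (mx2.example.net [203.0.113.5]) by inbox.example.org
 with ESMTP; Mon, 2 Mar 2015 10:15:31 +0000
Received: from relay.example.com ([198.51.100.7]) by mx2.example.net
 with SMTP; Mon, 2 Mar 2015 10:15:30 +0000
Received: from [192.0.2.44] by relay.example.com with SMTP; Mon, 2 Mar 2015 10:15:28 +0000
X-Originating-IP: [192.0.2.44]
From: "Alice Example" <alice@example.com>
To: bob@example.org
Subject: invoice
Message-ID: <20150302101528.ABC123@relay.example.com>
Date: Mon, 2 Mar 2015 10:15:28 +0000

Please see attached.
"""

# Same route, but the middle hop names a server that the line beneath it never
# mentions, the Return-Path does not match From, and X-Originating-IP is absent.
SPOOFED = b"""Return-Path: <bounce@bulk.example.net>
Received: from mx2.example.net (mx2.example.net [203.0.113.5]) by inbox.example.org
 with ESMTP; Mon, 2 Mar 2015 10:15:31 +0000
Received: from mail.example.com ([198.51.100.7]) by mx2.example.net
 with SMTP; Mon, 2 Mar 2015 10:15:30 +0000
Received: from [192.0.2.44] by relay.example.com with SMTP; Mon, 2 Mar 2015 10:15:28 +0000
From: "Alice Example" <alice@example.com>
To: bob@example.org
Subject: invoice
Date: Mon, 2 Mar 2015 10:15:28 +0000

Please see attached.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", re.DOTALL)
IPV4_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def _host(token: str) -> str:
    """Normalise a host name or bracketed IP literal so the two can be compared."""
    return token.strip("[]();").lower()


def parse_received(msg) -> list:
    """Break each Received line into its from/by hosts, first IP literal and UTC time."""
    hops = []
    for line in msg.get_all("Received", []):
        text = str(line)
        match = RECEIVED_RE.search(text)
        if not match:
            continue  # a non-standard Received line; record nothing rather than abort
        stamp = text.rsplit(";", 1)[1].strip() if ";" in text else ""
        when = parsedate_to_datetime(stamp).astimezone(timezone.utc) if stamp else None
        ips = IPV4_RE.findall(text)
        hops.append({
            "from": _host(match.group(1)),
            "by": _host(match.group(2)),
            "ip": ips[0] if ips else None,  # address of the host handing the mail over
            "time_utc": when.isoformat() if when else None,
        })
    return hops


def check_chain(hops: list) -> list:
    """Compare adjacent hops top-down: the host a line received the message *from*
    should be the host the line beneath it was handled *by*. A break in that pairing
    is the forged-origin indicator described in the text."""
    return [(upper["from"], lower["by"])
            for upper, lower in zip(hops, hops[1:])
            if upper["from"] != lower["by"]]


def analyze(raw: bytes) -> dict:
    """Run the header checks over a raw RFC 5322 message and report the findings."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    hops = parse_received(msg)
    origin = hops[-1] if hops else {}
    # Prefer X-Originating-IP when the sending system recorded it; otherwise use the
    # IP literal in the earliest (bottom-most) Received line.
    x_orig = msg.get("X-Originating-IP")
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    return {
        "hops": hops,
        "chain_mismatches": check_chain(hops),
        "origin_ip": _host(str(x_orig)) if x_orig else origin.get("ip"),
        "origin_time_utc": origin.get("time_utc"),  # needed to attribute a dynamic IP
        "return_path_matches_from": bool(return_path) and return_path == sender,
        "message_id": str(msg.get("Message-ID", "")).strip() or None,
    }


if __name__ == "__main__":
    for label, raw in (("consistent", CONSISTENT), ("spoofed", SPOOFED)):
        print(label, analyze(raw))
```

Run as a script it prints both reports; for the spoofed sample `chain_mismatches` names the pair of hosts that fail to line up and `return_path_matches_from` is False. A mismatch is a lead, not a verdict: the host after “from” is whatever the connecting machine announced, so the IP literal recorded next to it is the more reliable value to carry into the WHOIS step.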


How to Conduct an Email Investigation:


The first step is obtaining the email. The computer forensics investigator should first make a copy of the digital evidence. The copy should of course include the full header and any attachments. Keep in mind that even if the receiver deletes the email, it may still be found on the sender’s computer. Even if it is deleted there too, it may be found on a network server’s backup tape, in a computer’s temporary files, or in a computer’s unallocated space.


The email’s body and header should be searched for evidence. The investigator should also check attachments, people who received copies of the email as secondary recipients, and people to whom the message was forwarded. In the header, the most important information is the IP address. The PING command can be used to check whether the IP address is reachable (i.e. “ping [IP address]”).


A query tool known as WHOIS allows a computer forensics investigator to find out the contact and location information of the owner of an IP address. To use WHOIS, the investigator should type the IP address retrieved from the email into this query tool, and the tool then retrieves information about the ISP. A static IP address is easy to trace back to the computer. To trace a dynamic IP address, the investigator should also provide the date and time the criminal used the IP address. Domain names can also be used for a WHOIS search. However, in this case the investigator should know exactly what they are looking for, because many different results could come from this query. [Mar15]
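The acquisition and search steps above can be turned into a repeatable inventory of the evidence copy: hash the raw message as acquired, list every direct and secondary recipient, extract each attachment with its own hash, and note any earlier sender that a forwarded body carries. The Python below is an added example, not code from the page or from Maras's book. The .eml it parses is a constructed sample (example.com/net/org addresses and a CSV attachment), and the `inventory` and `sha256_hex` functions are assumptions made for illustration.

```python
import hashlib
from email import policy
from email.parser import BytesParser
from email.utils import getaddresses

# Constructed sample of an acquired .eml file (not a real message): a text body that
# forwards an earlier message, plus one CSV attachment, using documentation domains.
SAMPLE = b"""From: "Alice Example" <alice@example.com>
To: bob@example.org
Cc: carol@example.org, Dave <dave@example.net>
Subject: Fwd: invoice
Message-ID: <20150302101528.ABC123@relay.example.com>
Date: Mon, 2 Mar 2015 10:15:28 +0000
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sample-boundary"

--sample-boundary
Content-Type: text/plain; charset="utf-8"

Forwarding as discussed.

---------- Forwarded message ----------
From: Mallory <mallory@example.net>
Subject: invoice

Please see attached.
--sample-boundary
Content-Type: text/csv; name="invoice.csv"
Content-Disposition: attachment; filename="invoice.csv"

account,amount
1234,500
--sample-boundary--
"""


def sha256_hex(data: bytes) -> str:
    """Hash used to fix the evidence copy and each attachment as acquired."""
    return hashlib.sha256(data).hexdigest()


def inventory(raw: bytes) -> dict:
    """Record what the acquired message contains before any interpretation starts."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)

    # Direct (To) and secondary (Cc) recipients, de-duplicated and case-folded.
    address_fields = [str(msg.get(name, "")) for name in ("To", "Cc")]
    recipients = sorted({addr.lower() for _, addr in getaddresses(address_fields) if addr})

    # A forwarded message carries the earlier sender inside its body rather than its
    # headers, so pull out any "From:" lines in the text part.
    body = msg.get_body(preferencelist=("plain",))
    body_text = body.get_content() if body is not None else ""
    forwarded_from = [line.split(":", 1)[1].strip()
                      for line in body_text.splitlines()
                      if line.lower().startswith("from:")]

    # Every attachment with its own hash, so it can be examined and matched separately.
    attachments = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        attachments.append({
            "filename": part.get_filename(),
            "content_type": part.get_content_type(),
            "size": len(payload),
            "sha256": sha256_hex(payload),
        })

    return {
        "evidence_sha256": sha256_hex(raw),
        "recipients": recipients,
        "forwarded_from": forwarded_from,
        "attachments": attachments,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(inventory(SAMPLE), indent=2))
```

The `evidence_sha256` value belongs in the case notes before any further work, so that every later finding can be tied back to the copy as it was acquired; the per-attachment hashes serve the same purpose for files that will be opened in other tools.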


Problems Encountered by Computer Forensics Investigators:


  • Proxy Server: Criminals may use proxy servers to hide or mask their IP addresses. If someone uses a proxy server, that user’s identity is not revealed because the proxy server gives its own identity instead.


  • Tor: It is a communication system that allows people to communicate without losing their privacy. Instead of the message taking a direct route, the data packets on the Tor network take a random pathway through several relays that cover the sender’s tracks, so no observer at a single point can tell where the data came from or where it is going.


  • Avoidance: With this technique, a user’s actions are displaced to times and places where surveillance is assumed to be absent. For example, Al-Qaeda used this technique to distribute its propaganda videos. Websites and message boards were used to distribute these videos. Different websites uploaded the videos, the videos were then removed after a period of time, and then they were uploaded to different websites. This technique made it hard for authorities to track where the videos were being uploaded from.


  • Piggybacking: When there is surveillance, the information that needs to pass through undetected can be attached to a legitimate object. One way this can be accomplished is with steganography where the data could be hidden inside a sound or image file. In this case, only someone with the appropriate software can see the hidden message.


  • Blocking move: This is when the individual either blocks access to the communication or renders parts of it unusable. For example, encryption is considered a blocking move. This is because only the ciphertext is sent over the communication channel, and it is not usable to a third party. The intended recipient should have the decryption key.


  • Pizzini: Small slips of paper, either handwritten or typewritten, that are used for communication in order to avoid the surveillance of telecommunications and electronic communications.


[Mar15] Maras, Marie-Helen: Computer Forensics: Cybercriminals, Laws, and Evidence. Jones & Bartlett Learning, 2015.