Thursday, November 8, 2018

E-MAIL FORENSIC INVESTIGATION TECHNIQUES



E-mail forensics refers to the study of the source and content of e-mail as evidence, in order to
identify the actual sender and recipient of a message, the date/time of transmission, a detailed
record of the e-mail transaction, the intent of the sender, etc. This study involves investigation of
metadata, keyword searching, port scanning, etc. for authorship attribution and identification of
e-mail scams. The various approaches used in e-mail forensics are briefly described below:

1.1. Header Analysis

Metadata in an e-mail message takes the form of control information, i.e. the envelope and the
headers, including headers embedded in the message body, and contains information about the sender
and/or the path along which the message has travelled. Some of these fields may be spoofed to
conceal the identity of the sender. Header analysis is the detailed examination of these headers
and of the correlations between them.

1.2. Bait Tactics

In a bait-tactic investigation, an e-mail containing an HTML “<img src>” tag whose image source is
a computer monitored by the investigators is sent to the real (genuine) e-mail address of the
sender of the e-mail under investigation. When the e-mail is opened, a log entry containing the IP
address of the recipient (the sender of the e-mail under investigation) is recorded on the HTTP
server hosting the image, and the sender is thus tracked. However, if the recipient is using a
proxy server, then the IP address of the proxy server is recorded instead; the proxy server’s log
can then be used to track the sender. If the proxy server’s log is unavailable for some reason, the
investigators may send a tactic e-mail containing either a) an embedded Java applet that runs on
the receiver’s computer or b) an HTML page with an ActiveX object, both aiming to extract the IP
address of the receiver’s computer and e-mail it to the investigators.

1.3. Server Investigation

In this form of investigation, copies of delivered e-mails and server logs are examined to
identify the source of an e-mail message. E-mails purged from the clients (senders or receivers),
whose recovery from the client is impossible, may be requested from servers (proxy or ISP), as most
of them store a copy of all e-mails after delivery. Further, logs maintained by servers can be
studied to trace the address of the computer responsible for the e-mail transaction. However,
servers store copies of e-mails and server logs only for limited periods, and some may not
co-operate with investigators. Further, SMTP servers that store data such as credit card numbers
and other data pertaining to the owner of a mailbox can be used to identify the person behind an
e-mail address.
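The server-log correlation described above, as an added example rather than code from the original article: given a Message-ID recovered from the recipient's copy of a message, the script walks a constructed Postfix-style log to the queue ID and from there to the submitting client's IP address, authenticated user and envelope sender. The log excerpt, hostnames, IPs and queue IDs are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Postfix-style log excerpt (added example, not from the article);
# hostnames, IPs and queue IDs are made up for illustration.
SERVER_LOG = """\
Nov  8 10:14:58 relay postfix/smtpd[2211]: 9A1F2C3D4E: client=unknown[203.0.113.45], sasl_method=PLAIN, sasl_username=jdoe
Nov  8 10:14:58 relay postfix/cleanup[2215]: 9A1F2C3D4E: message-id=<20181108101458.1234@relay.example.net>
Nov  8 10:14:59 relay postfix/qmgr[2100]: 9A1F2C3D4E: from=<billing@example-bank.test>, size=2048, nrcpt=1 (queue active)
Nov  8 10:15:01 relay postfix/smtp[2230]: 9A1F2C3D4E: to=<victim@example.com>, relay=mx.example.org[192.0.2.10]:25, status=sent (250 OK)
Nov  8 10:15:01 relay postfix/qmgr[2100]: 9A1F2C3D4E: removed
Nov  8 10:20:11 relay postfix/smtpd[2211]: B7C8D9E0F1: client=mail.example.net[198.51.100.22]
Nov  8 10:20:11 relay postfix/cleanup[2215]: B7C8D9E0F1: message-id=<other@example.net>
"""
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/(?P<prog>\w+)\[\d+\]: "
                     r"(?P<qid>[0-9A-F]+): (?P<rest>.*)$")

def index_by_queue_id(log_text):
    """Group log lines by Postfix queue ID, the key that ties one message's SMTP
    session (client IP, SASL user), envelope and delivery records together."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["qid"]].append((m["ts"], m["prog"], m["rest"]))
    return events

def trace_message_id(log_text, message_id):
    """Resolve a Message-ID taken from the recipient's copy back to the submitting
    client's IP, authenticated user and envelope sender, or None if not logged."""
    for qid, recs in index_by_queue_id(log_text).items():
        if not any(f"message-id={message_id}" in rest for _, _, rest in recs):
            continue
        result = {"queue_id": qid, "first_seen": recs[0][0], "client_ip": None,
                  "sasl_username": None, "envelope_from": None}
        for _, _, rest in recs:
            if (m := re.search(r"client=\S*?\[([\d.]+)\]", rest)):
                result["client_ip"] = m.group(1)
            if (m := re.search(r"sasl_username=(\S+)", rest)):
                result["sasl_username"] = m.group(1)
            if (m := re.search(r"\bfrom=<([^>]*)>", rest)):
                result["envelope_from"] = m.group(1)
        return result
    return None
```

The SASL username, where present, is usually a stronger lead than the client IP, which may belong to a shared proxy or NAT gateway as the section notes.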

1.4. Network Device Investigation

In this form of e-mail investigation, logs maintained by network devices such as routers,
firewalls and switches are used to investigate the source of an e-mail message. This form of
investigation is complex and is used only when the logs of servers (proxy or ISP) are unavailable
for some reason, e.g. when the ISP or proxy does not maintain a log, when the ISP does not
co-operate, or when the chain of evidence has not been maintained.

1.5. Software Embedded Identifiers

Some information about the creator of an e-mail, or about attached files or documents, may be
included with the message by the e-mail software used by the sender to compose it. This
information may appear in the form of custom headers or as MIME content in Transport Neutral
Encapsulation Format (TNEF). Examining the e-mail for these details may reveal vital information
about the sender’s e-mail preferences and options that can help client-side evidence gathering.
The investigation can reveal PST file names, the Windows logon username, the MAC address, etc. of
the client computer used to send the e-mail message.

1.6. Sender Mailer Fingerprints

The software handling e-mail at the server can be identified from the Received header field, and
the software handling e-mail at the client can be ascertained from a different set of headers such
as X-Mailer or its equivalents. These headers describe the applications, and their versions, used
at the client to send e-mail. This information about the sender’s client computer helps
investigators devise an effective plan and thus proves very useful.
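The header analysis of section 1.1 and the mailer fingerprinting of section 1.6 together, as an added example that is not code from the original article: it puts the Received chain into transmission order, extracts the first-hop IP and the X-Mailer value, and flags a From/Message-ID domain mismatch and any break between consecutive hops. The sample message is constructed (documentation IP ranges and example domains) and only the Python standard library is used.

```python
import re
from email import message_from_string
from email.utils import parseaddr
# Constructed sample message (added example, not from the article); hosts and
# addresses are documentation/example values, not real systems.
RAW_MESSAGE = """\
Received: from mx.example.org (mx.example.org [192.0.2.10])
 by mail.example.com with ESMTP id 7F3A2; Thu, 8 Nov 2018 10:15:03 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.example.org with ESMTP; Thu, 8 Nov 2018 10:15:01 +0000
Received: from [203.0.113.45] (unknown [203.0.113.45])
 by relay.example.net with SMTP; Thu, 8 Nov 2018 10:14:58 +0000
From: "Accounts" <billing@example-bank.test>
Message-ID: <20181108101458.1234@relay.example.net>
X-Mailer: Microsoft Outlook 16.0
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
HOP_RE = re.compile(r"from\s+(\S+)(.*?)\s+by\s+(\S+)", re.DOTALL)

def received_hops(msg):
    """Received chain in transmission order (earliest hop first): each MTA prepends
    its own line, so the header nearest the body is the first hop."""
    hops = []
    for value in msg.get_all("Received", []):
        m = HOP_RE.search(value)
        from_host, comment, by_host = m.groups() if m else (None, "", None)
        ip = IP_RE.search(comment)
        hops.append({"from": from_host, "ip": ip.group(1) if ip else None, "by": by_host})
    hops.reverse()
    return hops

def header_anomalies(msg, hops):
    """From vs Message-ID domain, and each hop's 'from' vs the previous hop's 'by'.
    Mismatches are leads, not proof: the sender controls every header below the first trusted MTA."""
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_dom = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    if from_dom and msgid_dom and from_dom != msgid_dom:
        findings.append(f"From domain {from_dom} differs from Message-ID domain {msgid_dom}")
    for earlier, later in zip(hops, hops[1:]):
        if earlier["by"] and later["from"] and earlier["by"].lower() != later["from"].lower():
            findings.append(f"chain break: {earlier['by']} handed off, next hop claims {later['from']}")
    return findings

def analyse(raw):
    """Header analysis (section 1.1) plus client-software fingerprint (section 1.6)."""
    msg = message_from_string(raw)
    hops = received_hops(msg)
    return {"hops": hops, "origin_ip": next((h["ip"] for h in hops if h["ip"]), None),
            "mailer": msg.get("X-Mailer") or msg.get("User-Agent"), "anomalies": header_anomalies(msg, hops)}
```

Only the Received lines added by servers the examiner trusts are reliable, so the first-hop IP should be confirmed against those servers' own logs before it is treated as the sender's address.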

2. E-MAIL FORENSIC TOOLS


There are many tools that assist in the study of the source and content of an e-mail message so
that an attack or the malicious intent of an intrusion can be investigated. These tools, while
providing an easy-to-use browser interface, automated reports and other features, help to identify
the origin and destination of a message, trace the path it traversed, identify spam and phishing
networks, etc. This section introduces some of these tools.

2.1. eMailTrackerPro

eMailTrackerPro analyses the headers of an e-mail to detect the IP address of the machine that
sent the message so that the sender can be tracked down. It can trace multiple e-mails at the same
time and easily keep track of them. The geographical location of an IP address is key information
for determining the threat level or validity of an e-mail message. This tool can pinpoint the city
that the e-mail most likely came from. It identifies the network provider (or ISP) of the sender
and provides contact information for further investigation. The actual path to the sender's IP
address is reported in a routing table, providing additional location information to help
determine the sender's true location. Its abuse reporting feature can be used to make further
investigation easier. It checks the mail against DNS blacklists such as SpamCop to further
safeguard against spam and malicious e-mails. Besides English, it supports Japanese, Russian and
Chinese language spam filters. A major feature of this tool is abuse reporting, which can create a
report to be sent to the sender's ISP; the ISP can then take steps to prosecute the account holder
and help put a stop to the spam.

2.2. EmailTracer

EmailTracer is an Indian effort in cyber forensics by the Resource Centre for Cyber Forensics
(RCCF), a premier centre for cyber forensics in India that develops cyber forensic tools based on
the requirements of law enforcement agencies. Among several other digital forensic tools, it has
developed an e-mail tracing tool named EmailTracer. This tool traces the originating IP address and
other details from the e-mail header, generates a detailed HTML report of the header analysis,
finds city-level details of the sender, plots the route traced by the mail and displays the
originating geographic location of the e-mail. Besides these, it has a keyword searching facility
on e-mail content, including attachments, for classification.

2.3. Adcomplain

Adcomplain [10] is a tool for reporting inappropriate commercial e-mail and Usenet postings, as
well as chain letters and "make money fast" postings. It automatically analyses the message,
composes an abuse report, and mails the report to the offender's Internet service provider after
performing a valid header analysis. The report is displayed for approval prior to being mailed to
the U.S. Federal Trade Commission. Adcomplain can be invoked from the command line or
automatically from many news and mail readers.

2.4. Aid4Mail Forensic

Aid4Mail Forensic is e-mail investigation software for forensic analysis, e-discovery and
litigation support. It is an e-mail migration and conversion tool that supports various mail
formats, including Outlook (PST, MSG files), Windows Live Mail, Thunderbird, Eudora and mbox. It
can search mail by date, header content and message body content. Mail folders and files can be
processed even when disconnected (unmounted) from their e-mail client, including those stored on
CD, DVD and USB drives. Aid4Mail Forensic can search PST files and all supported mail formats by
date range and by keywords in the message body or in the headers. Special Boolean operations are
supported. It is able to process deleted but not yet purged e-mail from mbox files and can restore
such e-mail during export.

2.5. AbusePipe

AbusePipe analyses abuse complaint e-mails and determines which of an ESP’s customers is sending
spam, based on the information in the e-mailed complaints. It automatically generates reports on
customers violating the ESP’s acceptable use policy so that action to shut them down can be taken
immediately. AbusePipe can be configured to reply automatically to people reporting abuse. It can
assist in meeting legal obligations, such as reporting on the customers connected to a given IP
address at a given date and time.

2.6. AccessData’s FTK

AccessData’s FTK [13] is a standard, court-validated digital investigations platform delivering
computer forensic analysis, decryption and password cracking within an intuitive and customizable
interface. It offers speed, analytics and enterprise-class scalability, and is known for its
intuitive interface, e-mail analysis, customizable data views and stability. It supports popular
encryption technologies such as Credant, SafeBoot, Utimaco, EFS, PGP, Guardian Edge, Sophos
Enterprise and S/MIME. Its currently supported e-mail types are: Lotus Notes NSF, Outlook PST/OST,
Exchange EDB, Outlook Express DBX, Eudora, EML (Microsoft Internet Mail, Earthlink, Thunderbird,
Quickmail, etc.), Netscape, AOL and RFC 833.

2.7. EnCase Forensic

EnCase Forensic is a computer forensic application that gives investigators the ability to image
a drive and preserve it in a forensically sound manner using the EnCase evidence file format (LEF
or E01), a digital evidence container vetted by courts worldwide. It contains a full suite of
analysis, bookmarking and reporting features. Guidance Software and third-party vendors provide
support for expanded capabilities to ensure that forensic examiners have the most comprehensive
set of utilities. Among many other network forensics investigations, it also supports Internet and
e-mail investigation. It includes an Instant Messenger toolkit for Microsoft Internet Explorer,
Mozilla Firefox, Opera and Apple Safari. Its e-mail support includes Outlook PSTs/OSTs, Outlook
Express DBXs, a Microsoft Exchange EDB parser, Lotus Notes, AOL, Yahoo, Hotmail, Netscape Mail and
MBOX archives.

2.8. FINALeMAIL

FINALeMAIL can recover e-mail database files and locate lost e-mails that have no data location
information associated with them. FINALeMAIL is capable of restoring lost e-mails to their
original state and recovering full e-mail database files even when such files have been attacked
by viruses or damaged by accidental formatting. It can recover e-mail messages and attachments
emptied from the ‘Deleted Items’ folder in Microsoft Outlook Express, Netscape Mail and Eudora.

2.9. Sawmill-GroupWise

Sawmill-GroupWise is a GroupWise Post Office Agent log analyser that can process log files in the
GroupWise Post Office Agent format and generate dynamic statistics from them, analysing and
reporting events. It can parse these logs, import them into a MySQL, Microsoft SQL Server or
Oracle database (or its own built-in database), aggregate them, and generate dynamically filtered
reports through a web interface. It supports Windows, Linux, FreeBSD, OpenBSD, Mac OS, Solaris,
other UNIX systems and several other platforms.

2.10. Forensics Investigation Toolkit (FIT)

Forensics Investigation Toolkit (FIT) is a content forensics toolkit for reading and analysing the
content of raw Internet data in Packet CAPture (PCAP) format. FIT gives security administrators,
auditors, fraud and forensics investigators, as well as law enforcement officers, the ability to
perform content analysis and reconstruction on pre-captured raw Internet data from wired or
wireless networks. All analysed and reconstructed protocols and services are displayed to the user
in readable format. Another distinctive feature of FIT is that imported raw data files can be
parsed and reconstructed immediately. It supports case management functions, detailed information
including date-time, source IP, destination IP, source MAC, etc., and WhoIs and Google Maps
integration. This toolkit can analyse and reconstruct various types of Internet traffic, including
e-mail (POP3, SMTP, IMAP), webmail (read and sent), IM or chat (MSN, ICQ, Yahoo, QQ, Skype voice
call log, UT chat room, Gtalk, IRC chat room), file transfer (FTP, P2P), Telnet, HTTP (content,
upload/download, video streaming, request) and others (SSL).

2.11. Paraben (Network) E-mail Examiner

Paraben (Network) E-mail Examiner has comprehensive analysis features, easy bookmarking and
reporting, advanced Boolean searching, searching within attachments, and full Unicode language
support. It supports America Online (AOL), Microsoft Outlook (PST, OST), Thunderbird, Outlook
Express, Eudora, e-mail files (EML), Windows mail databases and more than 750 MIME types and
related file extensions. It can recover deleted e-mails from Outlook (PST), Thunderbird, etc.
Network E-mail Examiner [http://www.paraben.com/network-email-examiner.html] can thoroughly
examine Microsoft Exchange (EDB), Lotus Notes (NSF) and GroupWise e-mail stores. It works with
E-mail Examiner, and all output is compatible and can easily be loaded for more complex tasks.

According to Simson L. Garfinkel, current forensic tools are designed to help examiners find
specific pieces of evidence and do not assist in investigations. Further, these tools were created
for solving crimes committed against people where the evidence resides on a computer; they were
not created to assist in solving typical crimes committed with computers or against computers.
Current tools must be re-imagined to facilitate investigation and exploration. This is especially
important when the tools are used outside of the law enforcement context for activities such as
cyber-defence and intelligence. Construction of a modular forensic processing framework for
digital forensics that implements the “Visibility, Filter and Report” model would be the first
logical step in this direction.


