It is estimated that about 347.3 billion emails are sent daily, and that each person sends 121 emails a day on average. These are just some of the interesting facts from Venngage about email. That volume is why we all see so many email scams and fraud attempts, and why forensic investigators need to understand how to examine and interpret the content of email messages.
Phishing emails are often written in HTML, which lets the scammer embed hyperlinks. Spoofed emails impersonate a coworker or boss to get the target to complete a task.
Email uses a client-server architecture. Your email client might be Mozilla Thunderbird, which you use to read, receive, and send your email. You configure it to connect to an IMAP or POP3 server, from which it downloads your email and displays it for you, and to an SMTP server, through which it sends your email.
So, how does this work? What follows is a very high-level overview.
When you create an email, your email client (the client-side application) sends it to the email server. The client is responsible for creating, sending, receiving, and displaying email (as previously mentioned).
The email server (the server-side component) receives emails from the client. It then stores incoming emails, manages accounts, and routes email messages to their final destination. The email server can also handle tasks like spam filtering and virus scanning.
Corporate and business email accounts use a standard format, which can be beneficial for tracing emails. However, public email accounts do not have a naming convention and are trickier to trace.
Corporate/Business format: first.lastname@somecompany.com
Public: whatever@publicsemail.org
Everything after the @ is the domain name. Keep this in mind, as it can help the investigation.
The overall process is similar to other types of investigations. The goals when investigating email crimes are:
Find who is behind the crime
Collect the evidence
Present findings
Build a case
The first step is gaining access to the victim's computer, as you will want to recover the email and any additional evidence that helps the case. This is done using the victim's email client. Find the email, copy it as evidence and for examination, and print it to maintain a hard copy. I suggest also forwarding the email as an attachment to another email address you can access later. And make sure that you get the email headers!
Remember that the victim might get nervous and delete the email, so you might have to look in the trash folder or recover it by other means.
With many GUI email clients, you can copy an email message simply by dragging and dropping it to another storage medium. This makes it very easy to make a copy of it.
After you open the email headers, I suggest copying and pasting them into a text document. This lets you read the headers comfortably and work out what they are telling you. Email headers contain a lot of useful information: unique identifying numbers, the IP address of the sending server, and timestamps. In the video, I provide a quick demo of how to view email headers using several common clients.
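As an added example (not part of the original post), the following Python script pulls the items just mentioned out of a raw message with the standard library: it orders the Received hops oldest-first, extracts the originating IP, reads the Message-ID and Date, and flags a From domain that matches neither the Return-Path nor the Message-ID domain, a common sign of a spoofed sender. The message, hosts and IPs are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message (not from a real case); hosts and IPs are made up.
RAW_EMAIL = """\
Return-Path: <bounce@mailer.example.net>
Received: from mx1.victimcorp.example (mx1.victimcorp.example [203.0.113.10])
 by imap.victimcorp.example with ESMTP id abc123; Tue, 5 Mar 2024 14:02:11 +0000
Received: from relay.mailer.example.net (relay.mailer.example.net [198.51.100.25])
 by mx1.victimcorp.example with ESMTPS id def456; Tue, 5 Mar 2024 14:02:09 +0000
Received: from [192.0.2.77] (unknown [192.0.2.77])
 by relay.mailer.example.net with ESMTPA id ghi789; Tue, 5 Mar 2024 14:02:05 +0000
Message-ID: <20240305140205.1234@mailer.example.net>
Date: Tue, 5 Mar 2024 14:02:05 +0000
From: "CEO" <ceo@victimcorp.example>
To: finance@victimcorp.example
Subject: Urgent wire transfer

Please process the attached invoice today.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def received_chain(raw):
    """Return Received hops oldest-first (each MTA prepends, so header order is newest-first)."""
    msg = message_from_string(raw)
    return list(reversed([" ".join(h.split()) for h in msg.get_all("Received", [])]))

def originating_ip(raw):
    """IP in the earliest Received header, i.e. the host that first handed the mail to an MTA."""
    hops = received_chain(raw)
    m = IP_RE.search(hops[0]) if hops else None
    return m.group(1) if m else None

def domain_mismatches(raw):
    """Compare the From domain with the Return-Path and Message-ID domains."""
    msg = message_from_string(raw)
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    ret_dom = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    mid_dom = msg.get("Message-ID", "").strip("<> ").rpartition("@")[2].lower()
    return {"from": from_dom, "return_path": ret_dom, "message_id": mid_dom,
            "suspicious": from_dom not in (ret_dom, mid_dom)}

def header_summary(raw):
    """One dictionary with the fields an examiner would note first."""
    msg = message_from_string(raw)
    return {"message_id": msg.get("Message-ID"),
            "date": parsedate_to_datetime(msg["Date"]).isoformat(),
            "originating_ip": originating_ip(raw),
            "hops": len(received_chain(raw)),
            "domains": domain_mismatches(raw)}
```

Only the bottom-most Received header is outside the sender's control once it reaches your own servers; hops above it were written by your infrastructure, hops below it can be forged, so treat the originating IP as a lead rather than proof.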
Be on the lookout for other files associated with email. Email is often stored on the client side; for example, Microsoft Outlook uses the .pst and .ost file extensions for saved mail. Also, try to find and recover the electronic address book. Depending on the examination, this might come in handy later.
If the victim uses a web-based email client, recall that email messages are displayed on a web page and might be found in the browser's cache folder. Also, web-based email providers offer messaging services, so I would try to determine whether the victim took advantage of this service.
The first step in tracing the sender is locating the domain's contact information using the email headers and domain registration data. There are various command-line tools for this (dig, nslookup, whois), but you can also use:
Using one of those sites, I would input the domain name and see what is returned. Depending on what is discovered and the domain name, you might wish to contact the point of contact. However, depending on the country or physical location of the server, contacting the point of contact might not always be the best option.
Remember that the email message had to traverse the victim's network to be received by the SMTP server. Log file analysis should also be performed to understand how the email was received.
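As an added example (not from the original post), this Python script traces a message through a mail server log by its Message-ID. It assumes a Postfix-style log, where every line about a message carries the same queue ID; the log excerpt, hosts, IPs and IDs are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed Postfix-style log excerpt (hosts, IPs and IDs are made up).
MAIL_LOG = """\
Mar  5 14:02:09 mx1 postfix/smtpd[1234]: connect from relay.mailer.example.net[198.51.100.25]
Mar  5 14:02:09 mx1 postfix/smtpd[1234]: DEF456: client=relay.mailer.example.net[198.51.100.25]
Mar  5 14:02:09 mx1 postfix/cleanup[1235]: DEF456: message-id=<20240305140205.1234@mailer.example.net>
Mar  5 14:02:09 mx1 postfix/qmgr[1100]: DEF456: from=<bounce@mailer.example.net>, size=1480, nrcpt=1 (queue active)
Mar  5 14:02:10 mx1 postfix/smtp[1236]: DEF456: to=<finance@victimcorp.example>, relay=imap.victimcorp.example[203.0.113.20]:25, delay=1.2, status=sent (250 Ok)
Mar  5 14:02:10 mx1 postfix/qmgr[1100]: DEF456: removed
Mar  5 14:05:41 mx1 postfix/smtpd[1240]: ABC999: client=mail.partner.example[203.0.113.55]
Mar  5 14:05:41 mx1 postfix/cleanup[1241]: ABC999: message-id=<other@partner.example>
"""

# syslog timestamp, host, process[pid], queue ID, rest of line
LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>\S+?)\[\d+\]: (?P<qid>[0-9A-F]{6,}): (?P<rest>.*)$")

def group_by_queue_id(log):
    """Collect every log line that carries a queue ID, keyed by that ID."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[m["qid"]].append((m["ts"], m["proc"], m["rest"]))
    return events

def trace_message(log, message_id):
    """Find the queue ID for a Message-ID and summarise how the message came in and went out."""
    for qid, lines in group_by_queue_id(log).items():
        if any(f"message-id={message_id}" in rest for _, _, rest in lines):
            break
    else:
        return None
    summary = {"queue_id": qid, "client_ip": None, "sender": None, "recipients": [],
               "status": None, "first_seen": lines[0][0], "last_seen": lines[-1][0]}
    for _, _, rest in lines:
        if (m := re.search(r"client=\S+\[(\d+\.\d+\.\d+\.\d+)\]", rest)):
            summary["client_ip"] = m.group(1)      # peer that handed us the message
        elif (m := re.match(r"from=<([^>]*)>", rest)):
            summary["sender"] = m.group(1)         # envelope sender (MAIL FROM)
        elif (m := re.match(r"to=<([^>]*)>.*status=(\w+)", rest)):
            summary["recipients"].append(m.group(1))
            summary["status"] = m.group(2)
    return summary
```

The client IP from the log should agree with the IP in the matching Received header; a disagreement means one of the two records is not what it appears to be.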
To better understand emails and their headers, it is possible to send a spoofed email. This is not very easy these days, as many SMTP servers are correctly configured and do not act as open relays. An open relay is an SMTP server that is not configured correctly and accepts and forwards email from anyone without authorization. Spammers like to use open relays to send email. Composing a message through an open relay SMTP server is not always easy: you must use telnet to interact directly with the SMTP server. Microsoft provides a great tutorial on using Telnet to test SMTP communication on Exchange Servers. Please read the article, as it will show you the process needed.