
E-Mail Forensics

-Vikas Tete (Digital Forensic Expert)


Objectives-

 Introduction to Email
 Components involved in Email Communication
 How Email works
 Understanding the parts of Email Messages
 Types of E-mail Crime
 Email Investigation
Introduction to an Email System

 E-Mail (Electronic Mail)
 Used for sending, receiving, and saving messages over electronic communication systems.
 It works on a Client-Server architecture.
 The mail is sent from the client to a central server, which then reroutes the mail to its intended destination.
Components of E-mail Communication & its Working

SMTP Server
• SMTP (Simple Mail Transfer Protocol) allows a user to send emails to a valid email address.
• When a user sends an email, the sender’s host SMTP server interacts with the receiver’s host SMTP server.

Mail User Agent (MUA)
• MUA is an application that enables users to read, compose and send emails from their email addresses.
▪ There are two commonly used kinds of email client:
▪ Standalone: Microsoft Outlook, Apple Mail and Mozilla Thunderbird
▪ Web-based: Gmail, Yahoo! Mail, AOL Mail, etc.

Mail Transfer Agent (MTA)
• MTA, also known as a mail server, accepts email messages from the sender and routes them to their destination.
• Examples include Sendmail, Exim and Postfix.

Mail Delivery Agent (MDA)
• MDA is an application responsible for receiving an email message from the MTA and storing it in the mailbox of the recipient.
• An example is Dovecot.

POP3 Server
• POP3 (Post Office Protocol version 3) is an Internet protocol used to retrieve e-mails from a mail server.
• POP3 automatically downloads the emails to the user's hard disk and removes them from the mail server.

IMAP Server
• Internet Message Access Protocol (IMAP) is an Internet protocol designed for accessing e-mail on a mail server.
• It keeps e-mails on the server even after the user has already downloaded them.
• So e-mail can be accessed from multiple devices.
Parts of an E-Mail
Header
Body
Signature

1. Message header
 To specifies to whom the message is addressed.
 Cc stands for “carbon copy.”
 Bcc stands for “blind carbon copy.”
 From specifies the sender of the message.
 Reply-To specifies an address for sending replies.
 Sender specifies the application or account that actually sent the message out.
 Subject is the message subject.
 Date specifies the date of creation and sending of the email.

2. Message Body
 It is the main message of the email.
 It contains text, images, hyperlinks, and other data (like attachments).

3. Signature
 It contains additional information attached at the end of the email message.
Types of E-Mail Crime

 Spamming

 Phishing

 Mail Bombing

 Mail Storms

 Identity fraud, Etc.


Steps to Investigate Email Crimes

Seizing the computer and email accounts

Acquiring the email data

Examining email messages


Steps to Investigate Email Crimes

Retrieving email headers

Analyzing email headers

Recovering deleted email messages


Acquiring the email data
Examining Email Messages
Retrieving Email Headers
• Select the received mail for which you would like to see headers.
• Click on the more drop-down button and navigate to the Show original option.
• Select the message headers text, copy and paste the text in any text editor, and save the file.
Analyzing Email Headers
Analyzing Email Headers: Checking Email Authenticity
 After identifying the e-mail address, check its authenticity.
 Use Email Dossier: it initiates an SMTP session with the sender's mail server but never actually sends an email.
 Other tools to check email validity:
➢ Email Address Verifier - https://tools.verifyemailaddress.io
➢ Email Checker - http://email-checker.net
➢ G-Lock Software Email Verifier - http://www.glocksoft.com
Analyzing Email Headers: Examining the Originating IP Address
 Identify the originating email server's IP address to track down the attacker.
 The following steps are involved:
➢ Collect the IP address of the sender from the bottommost entry in the Received header field of the email message.
➢ Search for the IP in the WHOIS database or on the whatismyipaddress website.
Investigating a Suspicious Email

1. Examining the Email Message
➢ Message invokes a sense of urgency.
➢ Look for any suspicious link/attachment.

2. Checking the Link
➢ Run the link on a forensic workstation, i.e. in a controlled environment.
Investigating a Suspicious Email
(Cont’d)
3. Analyze the Received Header Entries

➢ Start from bottom received header and then proceed to top.

4. Examine the Originating IP Address

➢ Look for IP address details in the whatismyipaddress website.


Investigating a Suspicious Email (Cont’d)

5. Examine the Received-SPF Field
➢ Look for SPF validation failure.
➢ Validation failure is a sign that the message might have been spoofed.

6. Check the Sender's Email Validity
➢ Use Email Dossier.

7. Examine the Message ID
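The header checks in steps 3 to 7 can be automated on the saved header file. The script below is an added example, not part of the original slides: it walks the Received chain from the bottom (earliest hop) up, takes the originating IP from the bottommost entry, reads the Received-SPF result, and compares the Message-ID domain with the From domain. The raw message is constructed for the example; every host, address and IP in it is a placeholder.

```python
"""Triage a suspicious email's headers (added example, constructed input).
Received chain bottom-up, originating IP, Received-SPF result, Message-ID vs From."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message; every address, host and IP is a placeholder.
RAW_MESSAGE = """\
Received: from mx1.example.net (mx1.example.net [192.0.2.10])
\tby inbox.example.com with ESMTP id abc123; Mon, 1 Jan 2024 10:00:05 +0000
Received-SPF: fail (example.com: domain of ceo@example.com does not designate 203.0.113.77 as permitted sender)
Received: from relay.example.org (relay.example.org [198.51.100.5])
\tby mx1.example.net with ESMTP; Mon, 1 Jan 2024 10:00:03 +0000
Received: from [203.0.113.77] (unknown [203.0.113.77])
\tby relay.example.org with SMTP; Mon, 1 Jan 2024 10:00:01 +0000
From: "CEO" <ceo@example.com>
Subject: URGENT wire transfer needed today
Message-ID: <20240101100000.1234@mail.attacker-placeholder.test>

Please process immediately.
"""

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def analyze_headers(raw):
    msg = message_from_string(raw)
    # Each hop prepends its own Received header, so the bottommost one is the
    # earliest hop; its IP is the originating address (steps 3 and 4).
    received = msg.get_all("Received", [])
    hops = [IPV4.findall(h) for h in reversed(received)]
    originating_ip = hops[0][0] if hops and hops[0] else None
    # Received-SPF: the first token is the result, e.g. pass/fail/softfail/none (step 5).
    spf = msg.get("Received-SPF", "")
    spf_result = spf.split()[0].lower() if spf else "missing"
    # Message-ID domain vs From domain (step 7); a mismatch is a red flag, not proof.
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    msgid_domain = (msg.get("Message-ID", "") or "").strip("<> ").rpartition("@")[2].lower()
    return {
        "originating_ip": originating_ip,
        "hop_ips_bottom_up": hops,
        "spf_result": spf_result,
        "spf_failed": spf_result in ("fail", "softfail"),
        "from_domain": from_domain,
        "message_id_domain": msgid_domain,
        "message_id_mismatch": bool(from_domain and msgid_domain and from_domain != msgid_domain),
    }

print(analyze_headers(RAW_MESSAGE))
```

Feed it the header text saved in the "Retrieving Email Headers" step; the originating IP it reports is the one to look up in WHOIS.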


Other Info…

 Mutual Legal Assistance Treaties (MLATs)/Agreements in criminal matters provide a mechanism for seeking assistance from other contracting States for the prevention, investigation and prosecution of crime.
 To date, the Central Government has entered into bilateral Mutual Legal Assistance Treaties (MLATs)/Agreements in criminal matters with 40 countries. The text of India’s MLATs/Agreements can be accessed at: https://cbi.gov.in/MLATs-list
 How to obtain information related to an IP address from the SPN
Any Que….

Thanks….
