
Week 5 - Email Forensics


CBS223 Digital Forensics and Analysis

WEEK 5

EMAIL FORENSICS

1.1. Email Forensics: An Overview

Email forensics is a specialized field of digital forensics focused on the
investigation and analysis of email communications. This discipline involves the
recovery, examination, and interpretation of email data to uncover evidence
related to crimes, security breaches, corporate investigations, and other legal
matters. Given the prevalence of email in both personal and professional
contexts, email forensics plays a crucial role in modern investigations.

1.2. Key Concepts in Email Forensics

1. Email Structure:

Headers: Email headers contain metadata that provides crucial information
about the origin, routing, and delivery of an email. Important fields include:

a. From: The sender's email address.

b. To: The recipient's email address(es).

c. Date: The date and time when the email was sent.

d. Subject: The subject line of the email.

e. Message-ID: A unique identifier for the email, often used to track or
reference specific messages.

f. Received: A record of the email's journey through various servers
before reaching its final destination.

g. Return-Path: The address that should receive bounces or errors if the
email cannot be delivered.

Body: The content of the email, which can include text, images, and attachments.
The body may also contain HTML code, links, and embedded objects.

Attachments: Files included with the email, such as documents, images, or
executable files. Attachments can be a vector for malware or can contain
important evidence.
Prepared By Muhammad Ubale Kiru 1

1.3. Email Protocols

An email protocol is a standard that is used to allow two computer hosts to
exchange email communication. When an email is sent, it travels from the
sender's host to an email server.

The email server can forward the email through a series of relays until it arrives
at an email server close to the recipient's host. The recipient will receive a
notification stating that an email is available; the recipient will then reach out to
the email server to get the email. Users typically use an email client to access
emails. An email client can use different protocols to access the email.

1. SMTP

Simple Mail Transfer Protocol (SMTP) is the protocol for email transmission. It is
an internet standard originally defined in RFC 821 and later updated by RFC 3207
and RFC 5321/5322. Mail servers use SMTP to send and receive email messages from
all points of the internet. Typically, you will find an SMTP server listening on
Transmission Control Protocol (TCP) port 25 on the network. The path from the
sender to the recipient is outlined in the following diagram:

2. POP3

Post Office Protocol (POP3) is the standardized protocol that allows users to
access their inbox and download emails. POP3 is specifically designed only to
receive emails; the protocol does not allow users to send emails. It lets the
user work offline when drafting, reading, or replying and, at the user's
request, connect to the online mailbox at predetermined times to collect new
messages.

Be aware that the email you are conducting your digital forensic examination on
may be the only copy. The user has the option to not leave a copy of the email on
the server. Once the email has been downloaded, the system can remove it from
the server to reduce storage use. You will find POP utilizing port 110 on the
network.

3. IMAP

IMAP is the Internet Message Access Protocol and is a standard protocol used by
an email client to access emails on an email server. The protocol was designed
with the goal of complete inbox management with multiple clients. In most cases,
email messages will be left on the server until the user deletes them. IMAP is a
newer protocol than POP, but both are still prevailing email standards in use
today. The most significant difference between IMAP and POP is that POP
downloads the contents of the mailbox to the client, whereas IMAP was designed
as a remote-access mailbox protocol that leaves the messages on the server.

1.4. Decoding and Analyzing Email

An email has many globally unique identifiers for a digital forensic investigator
to identify and to track down. The mailbox and domain name, along with the
message ID, will allow a digital forensic investigator to serve judicially approved
subpoenas/search warrants on the vendor to follow any investigative leads.

1. Email Message Format

The vast majority of email users are only familiar with basic email information,
such as this:

We are back to dealing with our friend Jean, and from looking at the email, we
can see several fields commonly associated with an email.

Here we can see the subject (background checks), the date and time when the
email was sent, the sender, and the recipient. We also have the content of the
email, as shown here:

All the information shown here is user created: the user has filled in the To
and From fields, the subject, and the content of the email. The system takes
the date and time from the system clock, which the user can set.

Underneath the typical email information, there is another layer of information
that is particularly useful when you are conducting your investigations. This is
referred to as the email header, and it contains information about the source,
transmission, and destination of a specific email. Most email clients require an
additional step to view the email header. For example, Gmail requires you to
click Show original to see the email header. The following is the email header
for the email Jean received from Alison:


The Message-ID field is a unique identifier for every email that has been
sent. When a user sends an email, it receives its message ID at the first email
server it touches. A message ID is designed to be globally unique, which means
there should not be another email with the same message ID. If you find
different emails that contain the same message ID, you are dealing with one of
two scenarios:

- The email server is not compliant with the standard.

- A user has altered the email.

Continuing from the bottom to the top, we can see the first Received line.

This email traverses three different email servers. As the email crosses a
server on its journey to its destination, each email server attaches its own
Received line on top of the preceding Received line.

This is the first server the email touched; we have the domain name,
dreamhostps.com, along with a user ID.


The next logical step would be to subpoena the ISP and try to identify the
subscriber with user ID 558838.

The term Postfix identifies the email server. Postfix is a free, open source mail
transfer agent and could be a commercial email server or an email server
maintained by a potential bad actor.

The next two Received lines identify the subsequent servers on the path to the
destination.

There are optional fields that you may come across in your investigations. These
fields typically start with an X-, as shown here:

These fields are not part of the email protocol standard. They can contain
information about a virus scan, spam scans, or information about the server.

As you can see, it provides contact information for reporting abuse, such as
spam.

You may also see an optional field called X-Originating-IP that may contain the
IP address of the sender when the message was sent.

An email provider can strip that information and replace it with a server address,
which is what happens when a message is sent from Gmail.

A note about IP addresses.

There are two different types of IPv4 addresses: public and private.


You may see both in the email header. If you see a private IP address, you cannot
identify the provider (unless you are investigating within the organization).
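As an added illustration (not part of the handout), the following Python script automates the bottom-to-top reading of the Received chain described above, lists the optional X- fields, and applies the public/private address check; the message, hostnames, ids and addresses are constructed for the example.

```python
import re
import ipaddress
from email import message_from_string

# Constructed three-hop header chain modelled on the handout's description; hostnames,
# addresses and ids are invented (198.51.100.x / 203.0.113.x stand in for public IPs).
RAW_EMAIL = """\
Received: from mx3.example-recipient.net (mx3.example-recipient.net [203.0.113.20])
\tby inbox.example-recipient.net (Postfix) with ESMTP id C3D4E5;
\tMon, 3 Jun 2024 10:05:12 +0000
Received: from relay.example-sender.com (relay.example-sender.com [198.51.100.7])
\tby mx3.example-recipient.net (Postfix) with ESMTPS id A1B2C3;
\tMon, 3 Jun 2024 10:05:10 +0000
Received: from laptop.local (unknown [192.168.1.23])
\tby relay.example-sender.com (Postfix) with ESMTPSA id 7F3A9C;
\tMon, 3 Jun 2024 10:05:02 +0000
X-Originating-IP: [192.168.1.23]
X-Spam-Status: No, score=0.1
Message-ID: <20240603100502.7F3A9C@relay.example-sender.com>
From: Alison <alison@example-sender.com>
To: Jean <jean@example-recipient.net>
"""

# "from <host> (... [<ip>]) by <host>", the shape Postfix-style relays write.
HOP_RE = re.compile(r"from\s+(\S+).*?\[([0-9a-fA-F.:]+)\].*?\bby\s+(\S+)")
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(ip):
    """True for RFC 1918 addresses, which cannot be tied to a provider."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)

def parse_hops(raw):
    """Return the Received hops in transit order (first server touched first)."""
    hops = []
    # Each relay prepends its own Received line, so read them bottom to top.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP_RE.search(" ".join(value.split()))  # unfold the header first
        if m:
            src, ip, dst = m.groups()
            hops.append({"from": src, "ip": ip, "by": dst, "private": is_private(ip)})
    return hops

def x_headers(raw):
    """Optional X- fields: not part of the standard, contents vary by server."""
    return {k: " ".join(v.split()) for k, v in message_from_string(raw).items()
            if k.lower().startswith("x-")}

if __name__ == "__main__":
    for n, hop in enumerate(parse_hops(RAW_EMAIL), 1):
        print(n, hop["from"], hop["ip"], "private" if hop["private"] else "public", "->", hop["by"])
    print(x_headers(RAW_EMAIL))
```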

1.5. Common Tools Used in Email Forensics

1. X1 Social Discovery:

- Purpose: Collects, indexes, and searches emails and social media content for
forensic analysis.

- Usage: Used to gather and analyze email data from various sources, including
cloud-based accounts and social media platforms.

2. FTK (Forensic Toolkit):

- Purpose: A forensic suite for analyzing digital evidence, including emails.

- Usage: FTK offers powerful email analysis capabilities, including searching,
filtering, and reporting.

3. Paraben Email Examiner:

- Purpose: A specialized tool for the forensic analysis of email data.

- Usage: Provides detailed analysis of email files from various formats and
supports metadata extraction, keyword searching, and reporting.

1.6. Challenges in Email Forensics

1. Encryption and Password Protection:

- Encrypted emails or password-protected email archives can be difficult to
access without the correct decryption keys or passwords.

2. Spoofing and Phishing:


- Sophisticated email spoofing and phishing techniques can make it challenging
to trace the true origin of an email or determine its authenticity.
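A second added example, not from the handout, turns the Message-ID uniqueness rule from section 1.4 and the authenticity concern above into two simple triage checks over a set of messages: duplicate message IDs, and a From address whose Return-Path or Message-ID host points at a different domain. The sample messages and domains are constructed; a mismatch is a lead for review, since bulk mailers and forwarders differ legitimately.

```python
from collections import defaultdict
from email import message_from_string
from email.utils import parseaddr

def _domain(addr):
    """Lower-cased domain of an address written as 'Name <user@host>' or '<user@host>'."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()

def sender_consistency(raw):
    """Findings where Return-Path or Message-ID disagree with the From domain.

    An empty list means the fields agree; a non-empty list is a lead for review,
    not proof of spoofing.
    """
    msg = message_from_string(raw)
    from_dom = _domain(msg.get("From", ""))
    findings = []
    rp_dom = _domain(msg.get("Return-Path", ""))
    if rp_dom and rp_dom != from_dom:
        findings.append(f"Return-Path domain {rp_dom} differs from From domain {from_dom}")
    mid_dom = msg.get("Message-ID", "").strip("<> \t").rpartition("@")[2].lower()
    # The id is assigned by the first server, so its host is normally under the sender's domain.
    if mid_dom and not (mid_dom == from_dom or mid_dom.endswith("." + from_dom)):
        findings.append(f"Message-ID host {mid_dom} is not under From domain {from_dom}")
    return findings

def duplicate_message_ids(raws):
    """Map every Message-ID seen more than once to the indexes of the messages carrying it."""
    seen = defaultdict(list)
    for i, raw in enumerate(raws):
        mid = message_from_string(raw).get("Message-ID", "").strip()
        if mid:
            seen[mid].append(i)
    return {mid: idx for mid, idx in seen.items() if len(idx) > 1}

# Constructed sample set: message 1 reuses message 0's Message-ID and bounces elsewhere.
MESSAGES = [
    "From: Alison <alison@example-sender.com>\nReturn-Path: <alison@example-sender.com>\n"
    "Message-ID: <1001@relay.example-sender.com>\nSubject: Background checks\n\nBody 1\n",
    "From: Alison <alison@example-sender.com>\nReturn-Path: <bounce@mailer.example-bulk.net>\n"
    "Message-ID: <1001@relay.example-sender.com>\nSubject: Background checks\n\nBody 2\n",
    "From: Alison <alison@example-sender.com>\nReturn-Path: <alison@example-sender.com>\n"
    "Message-ID: <1002@relay.example-sender.com>\nSubject: Follow up\n\nBody 3\n",
]

if __name__ == "__main__":
    for i, raw in enumerate(MESSAGES):
        print(i, sender_consistency(raw) or "consistent")
    print(duplicate_message_ids(MESSAGES))
```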

3. Volume of Data:

- The sheer volume of email data in corporate environments can make the
collection and analysis process time-consuming and resource-intensive.

4. Legal and Privacy Considerations:

- Email forensics must be conducted within the bounds of the law, ensuring that
privacy rights are respected and that evidence is collected in a legally admissible
manner.
