Part 2 / 6

Email Forensics

🕑 90-120 minutes 📖 Intermediate Level 📋 Module 3

Introduction

Email is one of the most common media used in cyber crime, from phishing attacks to business email compromise (BEC) to harassment. As a cyber crime investigator, you must know how to analyze emails. In this section, you will learn about email structure, header analysis, spoofing detection, and phishing investigation.

📚 Learning Objectives

After this part, you will be able to analyze email headers, identify spoofed emails, detect phishing attacks, and perform mailbox analysis for evidence collection.

Email Structure

Every email has two main parts - Header and Body. The header contains important metadata about the email which is crucial for investigation.

Components of an Email

📝

Email Header

Contains routing information, sender/receiver details, timestamps, and authentication results. Invisible to normal users but crucial for investigation.

📄

Email Body

The actual message content that the user sees. Can contain text, HTML, images, and links.

📎

Attachments

Files attached to the email. Often used to deliver malware or steal information.

🔗

MIME

Multipurpose Internet Mail Extensions - defines the format for attachments and non-ASCII text in emails.

Email Header Analysis

Email header analysis is the most important technique for email forensics. Headers contain all the routing information and authentication details of an email.

Important Header Fields

From: The sender's address displayed to the recipient. It is written by the sending software, so it can be anything; on its own it proves nothing.
To: The recipient's email address, also written by the sender. The real delivery address is the SMTP envelope recipient, which usually appears in the "for <...>" part of a Received line.
Subject: The subject line of the email.
Date: Date and time when the email was sent, as claimed by the sending client. Compare it with the timestamps in the Received lines.
Received: Most important field - shows the path the email took. Each mail server prepends its own entry, so there are several, read from bottom to top. Only the entries added by servers you trust (the recipient's provider or your own) are reliable; a sender can insert fake Received lines below them.
Message-ID: Unique identifier for the email, normally assigned by the originating mail server. Its domain part is another hint about where the message really came from.
X-Originating-IP: The IP address from which the email was originally submitted. This is not a standard header: some providers' webmail and submission servers add it, many do not, and a sender can forge it, so confirm it against the bottom Received entry.
Return-Path: Address where bounce messages are sent. It is the SMTP envelope sender (MAIL FROM), recorded by the receiving server, and it is the address SPF is checked against. Legitimate bulk senders often use a different domain here, so a mismatch with From is a lead, not proof.

Sample Email Header

Received: from mail.example.com (mail.example.com [93.184.216.34])
        by mx.google.com with ESMTPS id abc123 for <victim@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
        Mon, 15 Jan 2024 10:30:45 -0800 (PST)
Received: from [192.168.1.100] (unknown [103.45.67.89])
        by mail.example.com (Postfix) with ESMTP id def456
        for <victim@gmail.com>; Mon, 15 Jan 2024 10:30:40 -0800 (PST)
From: "Bank Security" <security@bank.com>
To: victim@gmail.com
Subject: Urgent: Verify Your Account
Date: Mon, 15 Jan 2024 10:30:35 -0800
Message-ID: <abc123@mail.example.com>
X-Originating-IP: 103.45.67.89
Return-Path: <attacker@example.com>

Important for Investigation

Notice in the above header that the From address is "security@bank.com" while the Return-Path is "attacker@example.com", and the message was relayed by mail.example.com, the Return-Path's own domain; no bank.com server appears anywhere in the path. That combination, not the mismatch alone, marks the message as spoofed: an SPF check here passes or fails for example.com and says nothing about bank.com. The bottom Received entry gives the real connecting IP, 103.45.67.89 ("unknown" means it had no reverse DNS name), and in this case the X-Originating-IP agrees with it. The name [192.168.1.100] in the same line is a private address the sending machine announced about itself and is not evidence of anything.

Reading Received Headers

Received headers are read from bottom to top - the bottom-most is the first server that handled the email. Each entry records which host connected ("from"), which server accepted the connection ("by"), and when:

  1. Bottom entry: Original sender's server/IP, as seen by the first server that accepted the message
  2. Middle entries: Intermediate mail servers; the "by" host of one entry should be the "from" host of the next, and timestamps should not run backwards
  3. Top entry: Recipient's mail server, the one entry the investigator can fully trust
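
The walk described above, as an added example that is not part of the original module: it rebuilds the section's sample header as a raw message (a constructed sample, with the hosts and IPs used in the text), parses each Received line into its from/by/IP/time fields with the standard library only, reverses the list so index 0 is the hop nearest the sender, and cross-checks the hops against each other and against X-Originating-IP. The hand-off check compares the "by" name of one hop with the "from" name of the next; servers sometimes use different names for the two, so treat a reported gap as a lead to verify rather than proof.

```python
"""Walk the Received chain of a raw message bottom-up and cross-check the hops."""
import re
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Constructed sample: the header from this section, folded the way it would
# appear in a saved .eml file. Hosts and IPs are the ones used in the text.
RAW_MESSAGE = b"""\
Received: from mail.example.com (mail.example.com [93.184.216.34])
 by mx.google.com with ESMTPS id abc123 for <victim@gmail.com>
 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256);
 Mon, 15 Jan 2024 10:30:45 -0800 (PST)
Received: from [192.168.1.100] (unknown [103.45.67.89])
 by mail.example.com (Postfix) with ESMTP id def456
 for <victim@gmail.com>; Mon, 15 Jan 2024 10:30:40 -0800 (PST)
From: "Bank Security" <security@bank.com>
To: victim@gmail.com
Subject: Urgent: Verify Your Account
Date: Mon, 15 Jan 2024 10:30:35 -0800
Message-ID: <abc123@mail.example.com>
X-Originating-IP: 103.45.67.89
Return-Path: <attacker@example.com>

Please verify your account.
"""

IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# "from <helo> (<rdns> [<ip>]) by <server> ...": the IP inside the parentheses is
# what the receiving server observed; the HELO name is chosen by the sender.
FROM_BY = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<info>[^)]*)\))?.*?\bby\s+(?P<by>\S+)")


def parse_received(value):
    """Split one Received header into its hop fields (None if it has no from/by)."""
    value = " ".join(value.split())                 # undo header folding
    clause, _, stamp = value.rpartition(";")        # the timestamp follows the last ';'
    m = FROM_BY.search(clause)
    if m is None:
        return None
    ip = IPV4.search(m.group("info") or "") or IPV4.search(m.group("helo"))
    stamp = re.sub(r"\([^)]*\)", "", stamp).strip()  # drop the "(PST)" comment
    return {
        "helo": m.group("helo").strip("[]"),
        "ip": ip.group(0) if ip else None,
        "by": m.group("by"),
        "time": parsedate_to_datetime(stamp),
    }


def received_chain(raw):
    """Hops in transit order: index 0 is the hop nearest the sender (bottom header)."""
    msg = message_from_bytes(raw, policy=policy.default)
    hops = [h for h in (parse_received(str(v)) for v in msg.get_all("Received", [])) if h]
    hops.reverse()      # each MTA prepends its line, so the bottom entry is the oldest
    return msg, hops


def chain_findings(raw):
    """Cross-check hops against each other and against X-Originating-IP."""
    msg, hops = received_chain(raw)
    findings = []
    for earlier, later in zip(hops, hops[1:]):
        # the server that accepted hop N should be the one handing off in hop N+1
        if earlier["by"].lower() != later["helo"].lower():
            findings.append(f"gap: {earlier['by']} accepted the mail but "
                            f"{later['helo']} appears as the next sender")
        if later["time"] < earlier["time"]:
            findings.append("timestamps run backwards between hops (forged line or clock skew)")
    xoip = msg.get("X-Originating-IP")
    if xoip and hops and str(xoip).strip("[] ") != hops[0]["ip"]:
        findings.append(f"X-Originating-IP {xoip} differs from first-hop IP {hops[0]['ip']}")
    return hops, findings


if __name__ == "__main__":
    hops, findings = chain_findings(RAW_MESSAGE)
    for n, h in enumerate(hops, 1):
        print(f"hop {n}: {h['helo']} [{h['ip']}] -> {h['by']} at {h['time'].isoformat()}")
    print("transit time:", (hops[-1]["time"] - hops[0]["time"]).total_seconds(), "s")
    print("findings:", findings or "none")
```

On the sample, hop 1 is 103.45.67.89 handing to mail.example.com and hop 2 is mail.example.com handing to mx.google.com, five seconds apart, with no gaps; to analyze a real message, read the .eml file as bytes and pass it to chain_findings.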

Spoofing Detection

Email spoofing is the technique of forging the sender's address to make an email appear legitimate. Understanding email authentication mechanisms helps detect spoofed emails.

Email Authentication Mechanisms

1. SPF (Sender Policy Framework)

SPF is a DNS TXT record, published by the sending domain, that lists the mail servers authorized to send email for that domain. The receiving server checks the connecting IP against the record of the envelope sender domain (the Return-Path), not the From header, which is why a spoofed From can arrive with a passing SPF result.

v=spf1 include:_spf.google.com ~all

SPF Results:
- Pass: Connecting server is authorized by the domain's record
- Fail: Domain's record explicitly excludes the server (-all); the envelope sender is forged or the sender is misconfigured
- SoftFail: Domain says the server is probably not authorized (~all, as in the record above); usually accepted but marked
- Neutral: Domain makes no assertion about the server (?all)
- None: No SPF record published for the domain

2. DKIM (DomainKeys Identified Mail)

DKIM adds a digital signature, computed with the signing domain's private key over selected headers and the body, that lets the receiver verify the message was not altered after signing and that the domain named in d= vouches for it. The public key is published in DNS under the selector (s=), at selector._domainkey.example.com for the signature below.

DKIM-Signature: v=1; a=rsa-sha256; d=example.com; s=selector;
  h=from:to:subject:date; b=ABC123...signature...

DKIM Results:
- Pass: Signature valid; the d= domain signed this message in this form
- Fail: Signature invalid; the signed headers or body were changed in transit (mailing lists and forwarders do this legitimately) or the signature was forged
- None: No signature present

A valid signature only speaks for the d= domain. A DKIM pass for example.com says nothing about a From address at bank.com.

3. DMARC (Domain-based Message Authentication)

DMARC builds on SPF and DKIM: it requires that the domain which passed SPF (the Return-Path domain) or the domain that signed with DKIM (d=) aligns with the From header domain, and it lets the From domain's owner publish a policy telling receivers what to do when neither aligns. This alignment rule is what catches the sample above, where SPF and DKIM can both pass for example.com while From claims bank.com.

v=DMARC1; p=reject; rua=mailto:dmarc@example.com

DMARC Policies:
- none: Monitor only; deliver the mail and send aggregate reports to the rua address
- quarantine: Send to spam
- reject: Block the email

Signs of Spoofed Email

Indicator                          | What to Check
-----------------------------------|---------------------------------------------------------------------
From vs Return-Path mismatch       | Different domains; a lead, confirm with SPF/DKIM alignment
SPF fail                           | Email sent from a server the envelope-sender domain does not authorize
DKIM fail                          | Signature verification failed; message altered or signature forged
SPF/DKIM pass for another domain   | Pass results whose domain does not align with the From domain
Suspicious X-Originating-IP        | IP from an unexpected location; confirm against the bottom Received entry
Inconsistent Received headers      | Gaps, backwards timestamps, or hosts that do not hand off to each other
Display name deception             | "John Doe" <attacker@malicious.com>, or an address planted in the display name
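
The table above as a check you can run, added here as an example and not part of the original module. It reads the Authentication-Results header that the receiving server writes (the RFC 8601 format, reproduced here on constructed samples that reuse the section's addresses), applies the DMARC alignment rule to the SPF and DKIM verdicts, compares the Return-Path and From domains, and looks for an address planted in the display name. The org_domain helper takes the last two labels as the registrable domain; that is an assumption for the example, and a real tool must use the Public Suffix List so that co.in or co.uk domains are handled correctly.

```python
"""Score the spoofing indicators from the table above for a raw message."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the section's headers plus the Authentication-Results
# line a receiving MTA such as mx.google.com would add for them.
SPOOFED = """\
Authentication-Results: mx.google.com;
 spf=pass (domain of attacker@example.com designates 93.184.216.34 as permitted sender) smtp.mailfrom=example.com;
 dkim=pass header.i=@example.com header.s=selector;
 dmarc=fail (p=REJECT) header.from=bank.com
From: "Bank Security" <security@bank.com>
Return-Path: <attacker@example.com>
Subject: Urgent: Verify Your Account

Please verify your account.
"""

# Constructed sample: a message that is what it claims to be.
LEGITIMATE = """\
Authentication-Results: mx.google.com;
 spf=pass smtp.mailfrom=bank.com;
 dkim=pass header.i=@bank.com header.s=s1;
 dmarc=pass header.from=bank.com
From: "Bank Security" <security@bank.com>
Return-Path: <bounces@bank.com>
Subject: Your January statement

Your statement is ready.
"""

# Constructed sample: a throwaway account with an address planted in the display name.
DISPLAY_NAME_TRICK = """\
From: "security@bank.com" <x9q2@mail.example.net>
Subject: Urgent: Verify Your Account

Please verify your account.
"""


def parse_auth_results(value):
    """'authserv; method=result prop=val; ...' -> {method: {"result": ..., props}}."""
    value = re.sub(r"\([^)]*\)", "", " ".join(value.split()))  # comments carry no verdict
    results = {}
    for part in [p.strip() for p in value.split(";")][1:]:      # [0] is the authserv-id
        if not part:
            continue
        tokens = part.split()
        method, _, verdict = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = {"result": verdict.lower(), **props}
    return results


def org_domain(domain):
    """Registrable domain for relaxed alignment. ASSUMPTION: last two labels (no PSL)."""
    return ".".join(domain.lower().strip().rstrip(".").split(".")[-2:])


def spoof_indicators(raw):
    """Return the list of indicators that fire for one raw message."""
    msg = message_from_string(raw)
    display, from_addr = parseaddr(" ".join(msg.get("From", "").split()))
    from_domain = from_addr.rpartition("@")[2]
    rp_domain = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2]
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []

    if rp_domain and org_domain(rp_domain) != org_domain(from_domain):
        findings.append(f"Return-Path domain {rp_domain} differs from From domain {from_domain}")

    spf = auth.get("spf", {})
    if spf.get("result") != "pass":
        findings.append(f"SPF result: {spf.get('result', 'not evaluated')}")
    elif org_domain(spf.get("smtp.mailfrom", "")) != org_domain(from_domain):
        # SPF only checks the envelope sender; a pass for another domain says nothing about From
        findings.append(f"SPF passed for {spf['smtp.mailfrom']}, which is not aligned with From")

    dkim = auth.get("dkim", {})
    dkim_domain = dkim.get("header.d") or dkim.get("header.i", "").rpartition("@")[2]
    if dkim.get("result") != "pass":
        findings.append(f"DKIM result: {dkim.get('result', 'not evaluated')}")
    elif org_domain(dkim_domain) != org_domain(from_domain):
        findings.append(f"DKIM signed by {dkim_domain}, which is not aligned with From")

    dmarc = auth.get("dmarc", {})
    if dmarc and dmarc.get("result") != "pass":
        findings.append(f"DMARC result: {dmarc['result']}")

    planted = re.search(r"[\w.+-]+@[\w.-]+", display)   # display name deception
    if planted and planted.group(0).lower() != from_addr.lower():
        findings.append(f"display name shows {planted.group(0)} but the address is {from_addr}")
    return findings
```

Run spoof_indicators on the three samples: the legitimate message returns no findings, the spoofed one returns four (Return-Path mismatch, an SPF pass and a DKIM pass that are both for example.com rather than bank.com, and the DMARC fail), and the display-name sample is caught even though it carries no authentication results at all. The point to take from the spoofed case is that both authentication checks passed; only alignment with the From domain exposes it.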

Phishing Investigation

Phishing is a social engineering attack where attackers send fraudulent emails to steal credentials, financial information, or install malware.

Types of Phishing

🎣

Mass Phishing

Generic emails sent to thousands of people without personalization. Often impersonate banks or popular services.

🎯

Spear Phishing

Targeted emails for specific individuals or organizations with personalized content.

🐳

Whaling

Targeting high-profile individuals like CEOs, CFOs. Often involves business decisions or financial transfers.

💰

BEC (Business Email Compromise)

Impersonating executives or vendors to fraudulently transfer funds or data.

Phishing Analysis Checklist

  • Sender Analysis: Check actual email address, not just display name
  • URL Analysis: Hover over links to see actual destination; check for typosquatting
  • Attachment Analysis: Check file extensions, scan for malware
  • Content Analysis: Look for urgency, grammar errors, generic greetings
  • Header Analysis: Verify SPF, DKIM, DMARC results
  • Domain Analysis: Check domain age, WHOIS information
💡 URL Obfuscation Techniques

Attackers use various techniques to hide malicious URLs:
- Typosquatting: faceb00k.com, amaz0n.com
- Subdomain abuse: paypal.malicious.com
- URL shorteners: bit.ly/xyz123
- Unicode characters: pаypal.com (using Cyrillic 'a')
- IP-based URLs: http://192.168.1.100/login
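
A checker for the five tricks listed above, added as an example (it is not code from the original module). It also flags a sixth trick the list does not mention, a user name placed in front of the real host (http://paypal.com@evil.example/), where everything before the @ is ignored by the browser. The brand and shortener lists are assumptions for the example, the registrable domain is taken to be the last two labels (a real tool uses the Public Suffix List), and the typosquat check covers digit-for-letter swaps only; the Cyrillic example is written with an explicit \u0430 escape so it is visibly not a Latin a.

```python
"""Flag the URL obfuscation tricks listed above (plus the userinfo trick)."""
import ipaddress
import unicodedata
from urllib.parse import urlsplit

# Assumed watch-lists for the example; a real deployment feeds these from threat intel.
BRANDS = {"paypal", "facebook", "amazon", "google", "microsoft"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
# digit-for-letter swaps common in typosquats: faceb00k, amaz0n, micr0s0ft
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def analyze_url(url):
    """Return a list of obfuscation findings for one URL (empty list = nothing odd)."""
    findings = []
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    labels = host.split(".")
    registrable = ".".join(labels[-2:])     # ASSUMPTION: last two labels, no PSL

    # IP literal instead of a hostname
    try:
        ipaddress.ip_address(host)
        findings.append("IP-literal host")
    except ValueError:
        pass

    # non-ASCII letters: IDN homograph; report the scripts mixed and the punycode form
    if not host.isascii():
        scripts = {unicodedata.name(c, "?").split()[0] for c in host if c.isalpha()}
        try:
            puny = host.encode("idna").decode("ascii")
        except UnicodeError:
            puny = "(not encodable)"
        findings.append(f"non-ASCII host mixing {'/'.join(sorted(scripts))} -> {puny}")

    if host in SHORTENERS:
        findings.append("URL shortener hides the destination")

    for brand in sorted(BRANDS):
        if brand in registrable:
            continue                          # the brand actually owns the registrable domain
        if any(brand in lbl for lbl in labels[:-2]):
            findings.append(f"brand '{brand}' used as a subdomain of {registrable}")
        elif any(lbl != brand and lbl.translate(LOOKALIKE) == brand for lbl in labels):
            findings.append(f"typosquat of '{brand}' in {registrable}")

    # http://paypal.com@evil.example/ : everything before '@' is userinfo, not the host
    if parts.username:
        findings.append(f"userinfo '{parts.username}@' in front of the real host {host}")
    return findings


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin", "faceb00k.com", "amaz0n.com",
                   "https://paypal.malicious.com/", "bit.ly/xyz123",
                   "http://p\u0430ypal.com/login", "http://192.168.1.100/login",
                   "http://paypal.com@evil.example/"):
        print(f"{sample:40} {analyze_url(sample) or 'clean'}")
```

The genuine https://www.paypal.com/signin comes back clean because paypal owns the registrable domain, while each of the listed tricks produces exactly one finding naming the trick; for the Cyrillic host the finding names both scripts present and the xn-- form you would look up in WHOIS.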

Mailbox Analysis

During investigation, you may need to analyze entire mailboxes to find evidence. Different email clients store emails in different formats.

Email Storage Formats

Format | Extension | Used By
-------|-----------|-------------------------------------------------------
PST    | .pst      | Microsoft Outlook
OST    | .ost      | Outlook Offline Storage (cached copy of a server mailbox)
MBOX   | .mbox     | Thunderbird, Apple Mail
EML    | .eml      | Individual email files
MSG    | .msg      | Single Outlook messages
DBX    | .dbx      | Outlook Express

Forensic Tools for Email Analysis

  • Aid4Mail: Comprehensive email forensics tool
  • MailXaminer: Email analysis and recovery
  • Kernel Email Suite: Mailbox conversion and recovery
  • MXToolbox: Online email header analysis
  • Google Admin Toolbox Messageheader: Online email header analysis
  • PhishTool: Phishing email analysis

Evidence to Collect from Mailboxes

  • Complete email with headers
  • Timestamps (sent, received, read)
  • Attachments (with metadata)
  • Deleted emails (if recoverable)
  • Email rules and filters
  • Contact lists and address books
  • Calendar entries (if relevant)
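
The evidence list above turned into an inventory script, added as an example that is not part of the original module. It builds a two-message MBOX file from constructed data in a temporary directory (so it runs offline; point inventory() at a real .mbox export instead), then records for each message the Message-ID, sender, subject, parsed timestamp, a SHA-256 of the raw message for the evidence log, and for every attachment its declared name, content type, size and SHA-256, flagging the double-extension trick (Invoice.pdf.exe) used in the constructed sample. Only the standard library is used; the mbox separator line is written by hand because the real separator content is irrelevant for the example.

```python
"""Inventory an mbox file: per message, the headers and hashes an evidence log needs."""
import hashlib
import mailbox
import os
import re
import tempfile
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parsedate_to_datetime

# Constructed sample attachment: a fake executable behind a document-looking name.
PAYLOAD = b"MZ\x90\x00fake-payload-for-the-example"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_sample_mbox(path):
    """Write a two-message mbox (constructed data) so the example runs offline."""
    m1 = EmailMessage()
    m1["From"] = '"Bank Security" <security@bank.com>'
    m1["To"] = "victim@gmail.com"
    m1["Subject"] = "Urgent: Verify Your Account"
    m1["Date"] = "Mon, 15 Jan 2024 10:30:35 -0800"
    m1["Message-ID"] = "<abc123@mail.example.com>"
    m1.set_content("Please verify your account.")
    m1.add_attachment(PAYLOAD, maintype="application", subtype="octet-stream",
                      filename="Invoice.pdf.exe")

    m2 = EmailMessage()
    m2["From"] = "colleague@example.org"
    m2["To"] = "victim@gmail.com"
    m2["Subject"] = "Lunch?"
    m2["Date"] = "Tue, 16 Jan 2024 09:00:00 +0530"
    m2["Message-ID"] = "<lunch-1@example.org>"
    m2.set_content("Same place at one?")

    with open(path, "wb") as fh:
        for msg in (m1, m2):
            fh.write(b"From MAILER-DAEMON Mon Jan 15 18:30:45 2024\n")  # mbox separator
            fh.write(msg.as_bytes())
            fh.write(b"\n")


def attachment_record(part):
    """Metadata and hash for one attachment part."""
    data = part.get_content()
    if isinstance(data, str):                       # text attachments come back decoded
        data = data.encode(part.get_content_charset() or "utf-8")
    name = part.get_filename() or "(unnamed)"
    return {
        "filename": name,
        "content_type": part.get_content_type(),
        "size": len(data),
        "sha256": sha256_hex(data),
        "double_extension": bool(re.search(r"\.\w+\.(exe|scr|js|vbs|bat|cmd|lnk)$", name, re.I)),
    }


def inventory(path):
    """One row per message: identity, timestamp, raw hash, attachment records."""
    box = mailbox.mbox(path)
    rows = []
    try:
        for key in box.keys():
            raw = box.get_bytes(key)                # message bytes without the separator line
            msg = message_from_bytes(raw, policy=policy.default)
            date = msg.get("Date")
            rows.append({
                "message_id": str(msg.get("Message-ID", "")).strip(),
                "from": str(msg.get("From", "")),
                "subject": str(msg.get("Subject", "")),
                "date": parsedate_to_datetime(str(date)).isoformat() if date else None,
                "raw_sha256": sha256_hex(raw),      # integrity value for the evidence log
                "attachments": [attachment_record(p) for p in msg.iter_attachments()],
            })
    finally:
        box.close()
    return rows


def demo():
    """Build the constructed mailbox in a temp dir and return its inventory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "victim.mbox")
        build_sample_mbox(path)
        return inventory(path)


if __name__ == "__main__":
    for row in demo():
        print(row["message_id"], row["date"], row["from"], "|", row["subject"])
        for a in row["attachments"]:
            flag = "  DOUBLE-EXTENSION" if a["double_extension"] else ""
            print(f"   {a['filename']} {a['content_type']} {a['size']} B sha256={a['sha256']}{flag}")
```

Record the raw_sha256 values at acquisition time; re-running inventory() on the preserved file later and comparing them is how you show the messages were not altered while in your custody. Deleted messages are not visible through this path; for those you need the format-specific recovery tools listed above.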
Legal Requirements

Always obtain proper legal authorization before accessing someone's mailbox. In India, Section 91 CrPC (now BNSS Section 94) can be used to request email data from service providers. For accessing an accused's email, Section 92 CrPC (BNSS Section 95) applies.

📚 Key Points
  • Email headers contain crucial information for investigation - always analyze them thoroughly
  • The "Received" header shows the email's path and should be read from bottom to top
  • SPF, DKIM, and DMARC are authentication mechanisms that help detect spoofed emails
  • A From vs Return-Path mismatch is an indicator of spoofing; confirm it by checking that the SPF or DKIM domain aligns with the From domain
  • Phishing investigation includes analyzing sender, URLs, attachments, and content
  • Different email clients use different storage formats (PST, MBOX, EML, etc.)
  • Always obtain proper legal authorization before accessing mailboxes