Collecting And Analyzing Evidence From Email

Tram Ho

Despite the growing number of messaging applications, e-mail has held its ground. People still use it to communicate, send documents and make transactions, and it is no longer used only from computers: it is integrated into other electronic devices such as mobile phones. Because of this popularity, it is also used by criminals to commit fraud, distribute malware and communicate with accomplices. Email can therefore serve as a clue, and even as evidence, in law enforcement investigations.

This article gives an overview of the architecture of email from a digital investigation point of view, and lists the methods and tools used to perform the analysis.


In digital investigations, email is considered a valuable piece of evidence, and email header analysis is extremely important because it lets investigators gather evidence to build a case. Email applications are divided into two main categories, depending on where they store data:

  • Web-based Email : stores all data on the provider's web servers. Popular examples are Gmail, Yahoo Mail, Hotmail, etc. The benefit of a web-based email application is that it can be accessed from anywhere in the world with just a username and password. One disadvantage is that users do not know where their data is actually stored.
  • Desktop-based Email : email applications installed on desktop computers, such as Outlook, Thunderbird and Mailbird. All email data is stored on the user’s personal computer, so the user controls the security of the data. In some cases this is also a disadvantage, especially in criminal investigations, because the evidence cannot be collected from the server.

Components In Email System

Before going into how an email system works, we need to go through the components of that system. They are listed below.

  • Mail User Agent (MUA) : the MUA is the component that interacts directly with the end user. Examples of MUAs are Thunderbird, MS Outlook and Zimbra Desktop; web mail interfaces like Gmail and Yahoo! are also considered MUAs. An MUA that works on behalf of the author is called the author MUA (aMUA), and one that works on the receiver’s behalf is called the receiver MUA (rMUA).
  • Mail Transfer Agent (MTA) : the MTA is responsible for transferring email from the sender’s mail server to the recipient’s mail server. Examples of MTAs are sendmail and Postfix.
  • Mail Delivery Agent (MDA) : on the receiving mail server, the local MTA accepts the email from the sender’s MTA. The email is then written to the user’s mailbox by the MDA.
  • Send Email : Simple Mail Transfer Protocol (SMTP)
  • Receive Email : Post Office Protocol (POP) / Internet Message Access Protocol (IMAP)
  • POP / IMAP : the POP and IMAP protocols are used to fetch email from the mailbox on the recipient’s server to the recipient’s MUA.
  • Mail Exchanger Record (MX) : MX records direct email to your mail server. An MX record usually comes with an A record that points to the IP address of the mail server, and a pref (preference) value that indicates the priority of the mail server; the smaller the pref value, the higher the priority.

When the sender sends an email, SMTP ensures that the email sent from the sender’s server reaches the recipient’s server. When the email arrives at the recipient’s server, the MTA of the receiving server accepts the sender’s email and hands it to the local MDA. The MDA then writes the email to the recipient’s mailbox. When the recipient uses an MUA to check email, the MUA uses POP or IMAP to retrieve the mail.

Operation Sequence Of Email In Actual

Assume that [email protected] is sending an email to [email protected] . The following events will occur sequentially when a user sends an email:

  1. The sender’s MUA initiates a connection to the mail.exampleA.tst mail server using the SMTP protocol (usually TCP port 25).
  2. The mail server mail.exampleA.tst receives the email and sees that the destination domain is exampleB.tst . The mail.exampleA.tst server sends a query to its DNS server asking for the MX record of the domain exampleB.tst . Assume that the DNS server has no cached information about the exampleB.tst domain.
  3. The DNS server in turn performs a recursive query against the authoritative DNS server and learns the MX records of the exampleB.tst domain. This information is returned to the mail.exampleA.tst server. Now that mail.exampleA.tst has the IP address of the destination mail server, it sends the email directly to the mail.exampleB.tst mail server over the Internet. SMTP is used to communicate between the source and destination mail servers.
  4. The incoming email is received by the local SMTP service (MTA) on the mail.exampleB.tst server. After receiving the email, it is handed to the MDA, which places it in the recipient’s mailbox stored on the server. The server has a separate mailbox for each user.
  5. When the recipient checks email using POP or IMAP, the MUA retrieves the email from the server to the user’s computer. Depending on the MUA configuration and on whether POP or IMAP is used, the email may be downloaded to the workstation, a copy may be kept on both the server and the workstation, or the mailbox may be synchronized between the server and the MUA.

In addition, there is a mail gate, which stands in front of the mail server, acting as a firewall with anti-phishing, DLP (data loss prevention) protection, and more advanced mail filtering.

Types of Email Attacks

1. Malware Distribution:

This refers to a major method used by attackers to distribute malware: sending it via email. Some of the most widespread viruses have proliferated through email attachments, with users clicking the wrong button and downloading the malware. Email is still used to distribute malware, but nowadays the method has moved from attachments to embedded links that take users to a malicious website.

2. Phishing Attack

Phishing is a form of fraud that obtains sensitive information from internet users, such as account names, passwords or credit card numbers, by impersonating a trusted organization in electronic transactions. The impersonated organizations are usually banks, online payment systems or popular social networks.

The attacker’s targets are usually “innocent” users who are not in the habit of checking the sources of what they receive. An attacker often uses email or instant messages to send users content that asks them to verify their information on a website whose address is included in the message. These websites are built with the same interface as the real websites, and if the user enters information, it goes to the attacker.

3. Spam Attack:

Spam consists of unsolicited emails sent in bulk to Internet users’ mailboxes. Spam is sometimes also defined as commercial email sent without the recipient’s permission (UCE – Unsolicited Commercial E-Mail).

4. Denial of Service Attack:

A denial of service attack occurs when attackers send countless emails to your email application, preventing you from using it or even damaging your computer.

Email Investigation Techniques

1. Header Analysis

The metadata in an email message takes the form of control information: the headers of the message contain information about the sender and the path the message has taken. Any of these can be forged to hide the identity of the sender, so a detailed analysis of the email header may give clues.

2. Bait Tactics

This type of investigation relies on a lure: the investigator sends an email containing an “<img src>” tag whose link points to a tracking server. When the e-mail is opened, a log entry containing the IP address of the recipient (the sender of the e-mail being investigated) is recorded on the HTTP server, and so the sender is tracked. However, if the recipient (the email sender being investigated) is using a proxy server, the IP address of the proxy server is recorded instead. The log on the proxy server can then be used to track the sender of the e-mail being investigated. If, for some reason, the proxy server log is not available, investigators can send another tactical email containing either a) an embedded Java application that runs on the receiver’s computer or b) an HTML page with an ActiveX object. Both aim to extract the IP address of the receiving computer and e-mail it to the investigators.

3. Server Investigation

In a server investigation, the mail server usually keeps copies of sent and received email in its logs, from which the necessary information can be extracted. However, since servers often retain these copies only for a limited time, timing matters: if investigators do not obtain the necessary logs quickly, the server deletes them, and the volume of newer copies that accumulates makes the investigation harder.

4. Software Embedded Identifiers

Some information about the email’s creator or its attachments may be left behind in the email by the software used to compose it. This information can appear in the header or in MIME content such as Transport Neutral Encapsulation Format (TNEF). Investigating such information may help investigators gather additional evidence on the client side: it may reveal the name of the email’s PST file, a username, a MAC address, etc.

Traceability Email With Header

As mentioned above, there are many techniques to investigate email but in this section, I will detail a technique that is traceability of email based on header analysis.

Ways of traceability

You can trace the origin of an email by carefully analyzing its full header. The email header contains routing information and email metadata. Most users ignore this information, but it plays a very important role in tracing the origin of an email.

Most email clients do not display the full standard email header by default, because it is filled with specialized technical data that only confuses the average user. However, most email applications support viewing the full email header:

  • To view the full email header in Gmail : open your Gmail account, then open the email you want to trace. Open the menu in the top right corner of the message, then select the Show original option .
  • To view the full email header in Outlook : double-click the email you want to trace, then go to File and select Properties . The information appears under Internet headers .
  • To view the full email header in Apple Mail : open the email you want to trace, then go to View > Message > Raw Source .

A full email header contains a lot of information, but you only need to pay attention to the following. Read it in order from bottom to top, from oldest information to newest (the oldest information is at the bottom). Let’s take a look at a sample email header from a Gmail account on MakeUseOf:

Components in the header

Here is the meaning of the content displayed in a full Gmail header (read from bottom to top):

  • Reply-To : the email address that replies are sent to.
  • From : displays the sender of the message; this information is easy to tamper with.
  • Content-Type : tells your browser or email application how to interpret the content of the email. The most common character sets are UTF-8 (seen in the example) and ISO-8859-1.
  • MIME-Version : the MIME standard version that the email uses. MIME-Version is usually “1.0”.
  • Subject : the subject of the email.
  • To : the intended recipient of the email; it may show additional recipient addresses.
  • DKIM-Signature : DomainKeys Identified Mail; authenticates the domain the email was sent from and helps prevent email spoofing and sender fraud.
  • Received : each “Received” line lists a server the email passed through before it was delivered to your inbox. Read the “Received” lines from bottom to top; the bottom line is the server closest to the email’s origin.
  • Authentication-Results : contains the results of the authentication checks that were performed; it may cover several authentication methods.
  • Received-SPF : the Sender Policy Framework (SPF) is part of the email authentication process that prevents forged sender addresses.
  • Return-Path : the address to which undeliverable or bounced messages are returned.
  • ARC-Authentication-Results : the Authenticated Received Chain (ARC) is another authentication standard; this header records the ARC authentication results.
  • ARC-Message-Signature : this signature records a snapshot of the message header information for validation, similar to DKIM.
  • ARC-Seal : can be considered a “seal” over the ARC-Message-Signature and the ARC authentication results, similar to DKIM.
  • X-Received : differs from “Received” in that it is considered non-standard information, meaning it may not be a permanent address, such as a mail transfer agent or the Gmail SMTP server.
  • X-Google-Smtp-Source : shows that the email was transferred using Gmail’s SMTP server.
  • Delivered-To : the final recipient of this email.

The original IP address the email was sent from

To find the IP address of the email sender, look at the first “Received” line in the full email header (the bottom one). Next to the first “Received” line is the IP address of the server that sent the email. Sometimes this information is shown as X-Originating-IP or Original-IP instead.

Once you have the IP address, go to the MX Toolbox page. Enter the IP address in the search box, change the search type to Reverse Lookup , then press Enter. The search results display a lot of information related to the sending email server.

If the original IP address is a private IP address, you will receive the following message:

Ranges such as 172.16.x.x are private IP ranges; no results will be returned when you look up these IP addresses.
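The header walk described in the previous two sections, as an added example that is not from the original post: it parses a constructed header block, reverses the Received lines so the oldest hop comes first, classifies each hop's IP as private or public against the RFC 1918 ranges, picks the first public IP as the one worth a reverse lookup, and pulls the SPF/DKIM verdicts out of Authentication-Results. The hostnames, addresses and IDs in the sample are made up.

```python
import email
import ipaddress
import re
from email import policy

# Constructed sample header block (not a real message). Headers are listed
# newest-first as on the wire, so the bottom Received line is the oldest hop.
RAW_HEADERS = """\
Delivered-To: recipient@exampleb.tst
Received: from mail.examplea.tst (mail.examplea.tst. [203.0.113.25])
        by mx.exampleb.tst with ESMTPS id k7si; Mon, 1 Jan 2024 10:00:05 +0000
Authentication-Results: mx.exampleb.tst;
       dkim=pass header.i=@examplea.tst;
       spf=pass (sender IP is 203.0.113.25) smtp.mailfrom=sender@examplea.tst
Received: from [192.168.1.20] (unknown [192.168.1.20])
        by mail.examplea.tst with ESMTPSA id a1b2; Mon, 1 Jan 2024 10:00:01 +0000
From: sender@examplea.tst
To: recipient@exampleb.tst
Subject: test

"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")
# RFC 1918 ranges: a hop from one of these only identifies the sender's LAN.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def received_hops(raw):
    """Return the Received headers oldest-first (reverse of header order)."""
    msg = email.message_from_string(raw, policy=policy.default)
    return [str(h) for h in reversed(msg.get_all("Received", []))]

def hop_ips(raw):
    """For each hop (oldest first), pull the bracketed IP literal and classify it."""
    out = []
    for hop in received_hops(raw):
        m = IP_RE.search(hop)
        if not m:
            out.append((None, "no-ip"))  # hop without an IP literal, keep position
            continue
        ip = ipaddress.ip_address(m.group(1))
        kind = "private" if any(ip in n for n in PRIVATE_NETS) else "public"
        out.append((str(ip), kind))
    return out

def originating_ip(raw):
    """First public IP in the chain, the one worth a reverse lookup."""
    return next((ip for ip, kind in hop_ips(raw) if kind == "public"), None)

def auth_results(raw):
    """Parse method=result pairs out of Authentication-Results."""
    msg = email.message_from_string(raw, policy=policy.default)
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
```

Remember that every Received line is written by the server that accepted the message, so only the lines added by servers you trust are reliable; the bottom-most lines are the easiest for a sender to forge.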

Useful tools for analyzing email headers and retrieving IP addresses

You can use some of the following tools to analyze email headers:

However, the results returned are not always accurate. In the example below, the returned location, Ashburn, Virginia, is nowhere near the actual sender:


Digital forensic analysis is a complex and time-consuming process, but email can contain valuable information that leads investigators to the identity or location of the offender. In this article, we discussed the key issues involved in investigating email through header analysis, and the last part introduced a simple way to retrieve IP addresses using readily available tools. Thank you for reading, and see you in the next post.


Source : Viblo