Importance of Email Header Analysis in Digital Forensics Investigation

Mariah | February 15th, 2018 | Forensics

Modern time communication is impossible without emails. In the field of business communication, emails are considered as its integral part. At the same time, emails are also being used by criminals. In digital forensics, emails are considered as evidence and Email Header Analysis has become important to collect evidence during forensics process. Email clients are computer programs that allow users to send and receive emails. Over time, different types of email clients have been invented for the convenience of email users. We will discuss different types of email clients now.

Types of Email Clients and Their Benefits

Broadly, email clients are divided into two types based on email saving location. They are – web-based email clients and desktop-based email clients.

a) Web-based Email Clients: Web-based email clients save all their data to its web server. Some web-based clients are Gmail, Yahoo Mail, Hotmail, etc. The benefit of using web-based email clients is it can be accessed from anywhere in the world, using Username and Password. One of its disadvantages is users do not know where their data is being stored.

b) Desktop-based Email Clients: Desktop-based email clients are opposite of web-based clients. Outlook, Thunderbird, Mail Bird are some examples of desktop-based email clients. All data of desktop-based web browser is stored in the system of its users. Thus, users do not have to worry about data security. The same point can be considered as a disadvantage in some cases. Especially, when it is used in criminal activities, and the evidence cannot be collected from the server.

Emails from Desktop -based Clients as Criminal Evidence

In the current era, modes of crime have changed just like the modes of communication. Everyday criminal minds are seeking new techniques to commit crimes. They are using the latest technology to perpetrate criminal activities. For Example, a criminal has used Outlook ordering someone to commit a criminal offense.

As Outlook is a desktop-based email client, that data will not get stored in web server. It will get stored in the system of that criminal only. As a result, investigators cannot retrieve those emails from a Web server directly. Investigators will have one option left and that the analysis of Email header of emails files recovered from the criminal’s system.

Email Header Analysis Forensics: An Overview

email header analysis

Every email user is familiar with header part of an email. Without the header, emails cannot be sent. In the header part of Outlook email, we will find details related to emails using email header analysis forensics techniques’. Apart from these, time of sending and receiving email is also stored in the email header. It is visible from this brief discussion that email headers contain some significant information regarding emails. Now come to the point of its importance in the field of digital forensics.

Importance of Email Header Analysis In Digital Forensics Investigations

Digital forensics is a relatively new stream of the investigation. Digital forensics came into being with the advancement of digital technology and its increasing usage in everyday life. People use emails to exchange all types of information. Some people also use it to commit the crime and to exchange or store illegal information. Because of these reasons, digital forensic investigators consider email analysis seriously.

Below image of Emails Header displays that various information can be stored in an email file, below a list is given to know how much information stored in Email messages:

  • Basic properties of an email can be seen including sender’s and recipients’ names, time of sending and receiving, subject, etc.
  • If there is an attachment, that information can also be recovered from email analysis.
  • Email files also include MIME View of emails that can help to recover non-text attachments as well as hidden evidence.

email-view

  • Investigators can view recovered emails to know if someone has tried to destroy any evidence.
  • To find out if any changes have been made in any particular email, investigators can use HTML.
  • Investigators can use Rich Text Format (RTF) to view all the rich texts used in emails.
  • Investigators can learn about the detailed path of emails and also IP addresses of all servers.

About Email Examiner

All types of email examination of highest standard including complete email header analysis easily done by standalone application Email header Analyzer. Investigators can know about all elements of email header in detail including ‘Bcc’ (blind carbon copy) with the help of this tool. The program supports more than 20 email formats as well as more than 80 email clients. This program has been proven extremely useful for digital forensic investigators,