The email investigation process typically involves the following steps:
Gathering evidence: This includes collecting all relevant emails, attachments, and any other related electronic data.
Reviewing the evidence: The collected data is reviewed to identify any relevant information that may help in the investigation.
Analysis: The data is analysed to determine if there is any violation of policies, laws, or ethical standards.
Interviews: Key individuals involved in the matter may be interviewed to gather additional information and clarify any inconsistencies.
Documenting findings: The investigation results are documented in a detailed report that outlines the findings, evidence, and conclusions.
Making recommendations: Based on the findings, recommendations are made to address the issue and prevent future incidents.
Presenting findings: The findings and recommendations are presented to the appropriate parties for review and implementation.[6]
Note: The specific steps and methods used in an email investigation may vary depending on the situation and jurisdiction.
Delivered-To
This email header field contains the email address of the intended recipient. It is one of the major things to check during email analysis as it can provide details of phishing activities. If the email address in this field is not the same as the recipient's actual email address, it can be a sign of message tampering that warrants an investigation. It's worth noting that email header tampering and spoofing are rather easy for cybercriminals these days: all they need is a Simple Mail Transfer Protocol (SMTP) server and mailing software to launch a phishing attack.
Received By
This field contains the details of the last SMTP server the message passed through. The following information is disclosed:
X-Received
X-Received: by 10.28.27.14 with SMTP id b14mr1702258wmb.82.1485938349292;
Wed, 01 Feb 2017 00:39:09 -0800 (PST)
Some email header fields are not defined in the Internet Official Protocol Standards and are called non-standard headers. They are created by mail transfer agents, such as Google's SMTP servers, which use the X-Received field to share non-standard information. This field must not be overlooked during email header analysis as it shares the following details:
Return Path
This field contains the email address where the message is returned, in case it fails to reach the intended recipient. This can easily happen if the sender has used the wrong email address for the recipient.
by mx.google.com with ESMTPS id 5si23398790wrr.176.2017.02.01.00.39.08
for ([email address removed])
(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
Wed, 01 Feb 2017 00:39:09 -0800 (PST)
This field contains the details of the first SMTP server that received the email. The following details can be found here:
Received From is one of the most important fields in an email header as you can find the IP address of the sender along with other details like the hostname.
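As an added example (not code from the page or from any tool it mentions), this Python snippet reconstructs the delivery path from the Received headers of a constructed message laid out like the sample above. Because each server prepends its own Received line, the newest hop is on top and the chain is read from the bottom up; the hostnames and IP addresses are constructed placeholders.

```python
import email
import re
from email import policy
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message): two hops, newest on top, in the
# same layout as the page's mx.google.com example. Hosts and IPs are placeholders.
RAW_HEADERS = b"""\
Received: from mail.example-mta.test (mail.example-mta.test. [198.51.100.25])
        by mx.google.com with ESMTPS id 5si0000000wrr.0.2017.02.01.00.39.08
        for <recipient@example.test>
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 01 Feb 2017 00:39:09 -0800 (PST)
Received: from [10.0.0.7] (unknown [203.0.113.9])
        by mail.example-mta.test (Postfix) with ESMTPA id 4B1C2
        for <recipient@example.test>; Wed, 01 Feb 2017 00:38:51 -0800 (PST)
"""

HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s*\((?P<info>[^)]*)\))?\s+by\s+(?P<by>\S+)", re.I)
IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")

def parse_hops(raw: bytes) -> list:
    """Received hops in delivery order (oldest first): the relaying host as it
    named itself, the IP the receiver actually saw, the receiving host, the time."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hops = []
    for value in reversed(msg.get_all("Received", [])):   # bottom of header = first hop
        unfolded = " ".join(str(value).split())            # undo line folding
        m = HOP_RE.search(unfolded)
        if not m:
            continue                                       # not a from/by style hop
        ips = IP_RE.findall(m.group("info") or "")
        hops.append({
            "from": m.group("from"),
            "ip": ips[-1] if ips else None,                # receiver-observed address
            "by": m.group("by"),
            "time": parsedate_to_datetime(unfolded.rsplit(";", 1)[1].strip()),
        })
    return hops

def hop_delays(hops: list) -> list:
    """Seconds spent between consecutive hops; unusually long or negative
    values point at clock skew or a forged Received line worth examining."""
    return [int((b["time"] - a["time"]).total_seconds()) for a, b in zip(hops, hops[1:])]
```

The self-reported name in `from` and the receiver-observed `ip` are kept separately because only the latter is something the relaying host could not choose itself.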
Received-SPF: pass (google.com: domain of [email address removed] designates 91.199.29.18 as permitted sender) client-ip=91.199.29.18;
Sender Policy Framework (SPF) is an email authentication protocol that is used to verify the sender. The receiving system accepts the message only after the sender's domain has been checked. The technique uses the sender's domain for authentication (the domain publishes the servers permitted to send on its behalf) and adds the check status to this header field. The following codes are used:
Authentication-Results: mx.google.com;
dkim=pass header.i=@activetrail.com;
spf=pass (google.com: domain of [email address removed] designates 91.199.29.18 as permitted sender) smtp.mailfrom=[email address removed];
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gingersoftware.com
Mail Transfer Agents (MTAs) apply a slew of authentication techniques to the email messages before processing them. The results of these techniques are added to the header field of messages and are separated by a semicolon.
The Authentication-Results field is of great importance in email header forensics as it shares the identifier of the server that performed the authentication checks. It also lists the authentication techniques along with their results.
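The sample above is instructive: dkim=pass and spf=pass for activetrail.com, yet dmarc=fail, because DMARC also requires the passing domain to align with the visible From domain (gingersoftware.com). The following Python, added here and not taken from the page or any product, parses such a field and explains the verdict; the header value is constructed after the sample and the mailbox names are placeholders.

```python
import re

# Constructed Authentication-Results value modelled on the page's sample:
# DKIM and SPF both pass for activetrail.com, yet DMARC fails because the
# visible From domain is gingersoftware.com. Mailbox names are placeholders.
AUTH_RESULTS = (
    "mx.google.com; dkim=pass header.i=@activetrail.com; "
    "spf=pass (google.com: domain of bounce@activetrail.com designates "
    "91.199.29.18 as permitted sender) smtp.mailfrom=bounce@activetrail.com; "
    "dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gingersoftware.com"
)

def parse_authentication_results(value: str) -> dict:
    """Split the field into the authserv-id and one entry per method
    (dkim/spf/dmarc) holding its result and property tags. Parenthesised
    comments are removed first so a ';' or '=' inside them cannot mislead."""
    stripped = re.sub(r"\([^)]*\)", "", value)
    authserv, *clauses = [c.strip() for c in stripped.split(";") if c.strip()]
    results = {"authserv_id": authserv}
    for clause in clauses:
        words = clause.split()
        method, result = words[0].split("=", 1)
        props = dict(w.split("=", 1) for w in words[1:] if "=" in w)
        results[method] = {"result": result, **props}
    return results

def domain_of(value: str) -> str:
    """Domain part of 'user@domain', '@domain' or a bare domain, lower-cased."""
    return value.rsplit("@", 1)[-1].lower()

def dmarc_alignment(results: dict) -> dict:
    """Explain a DMARC verdict: besides a passing SPF or DKIM result, the
    domain that passed must match the RFC 5322 From domain. Exact ('strict')
    alignment is used here; 'relaxed' alignment, which also accepts subdomains
    of the same organisation, would need a public-suffix lookup."""
    from_domain = domain_of(results["dmarc"]["header.from"])
    dkim = results.get("dkim", {})
    spf = results.get("spf", {})
    dkim_domain = dkim.get("header.i") or dkim.get("header.d") or ""
    dkim_aligned = dkim.get("result") == "pass" and domain_of(dkim_domain) == from_domain
    spf_aligned = spf.get("result") == "pass" and domain_of(spf.get("smtp.mailfrom", "")) == from_domain
    return {"from_domain": from_domain, "dkim_aligned": dkim_aligned,
            "spf_aligned": spf_aligned, "dmarc_pass_expected": dkim_aligned or spf_aligned}
```

For the sample value `dmarc_pass_expected` comes out False, matching the recorded dmarc=fail: a bulk-mail provider's domain authenticated, but not the domain the reader sees in From.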
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; d=activetrail.com; s=at; h=X-BBounce:X-IADB-URL:Sender:Submitter:X-Feedback-ID:From:To:Date:Subject:MIME-Version:Content-type:Content-Transfer-Encoding; bh=GytDyTyaDleCfGk0d7bL4F2bXbTuWsb/xtpIVyVaCRw=; b=sgh6nUFjt5FC7rBC2BwXFulNuG+k14R7bBsstb4erjtZfTn4z/NPHNhVb4Ax1yXoOgX+ Il6n5SCcXTCkwQdmaxpxt/BzPjWVziBdzU1WichHhPabVFeKctyp6pCjv4+d2FVIiEuxqi v5dBTcJjXBVpOwU0mqgRceh3pqcvd5Rj4=
The DKIM-Signature header field is inserted in an email message to share details of the sender, the message, and where to find the public key that is required to verify the message. Many email platforms like Gmail and Outlook.com support this field to confirm email authenticity.
Here are the various tags of the DKIM signature header:
v: DKIM version. Only version 1 exists today, so this tag should always be set to 1.
a: signing algorithm (hash and signature scheme). It should be rsa-sha256 in most cases. Some senders may use rsa-sha1, but it is not recommended due to security risks.
c: canonicalization algorithms applied to the header and the body before signing.
s: selector record name used with the domain.
h: signed header fields that are fed into the signing algorithm to create the signature in the b= tag.
bh: hash of the canonicalized message body.
b: signature computed over the headers listed in the h= tag (and, through bh=, over the body). It's also called the DKIM signature.
d: domain used with the selector record. [10]
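To show how these tags are used in practice, here is an added Python example (not from the page or from any signing library) that parses a DKIM-Signature value, applies the relaxed body canonicalization named by c=, and checks the bh= tag against a constructed body. Full verification of b= would also need the public key fetched from the s=/d= selector record; the tags are modelled on the sample above, the body is constructed, and the b= value is a placeholder.

```python
import base64
import hashlib
import re

# Constructed message body; the bh= tag below is computed over it by this block
# because no real signed message accompanies the page's sample.
BODY = b"Hello,\r\n\r\nThis is a  constructed   message body.   \r\n\r\n\r\n"

def parse_dkim_tags(value: str) -> dict:
    """Parse a DKIM-Signature tag=value list. Folding whitespace inside the
    base64 b= and bh= values (visible in the page's sample) is removed."""
    tags = {}
    for item in value.split(";"):
        if "=" not in item:
            continue
        tag, val = (part.strip() for part in item.split("=", 1))
        tags[tag] = re.sub(r"\s+", "", val) if tag in ("b", "bh") else val
    return tags

def relaxed_body_hash(body: bytes, algo: str = "rsa-sha256") -> str:
    """RFC 6376 'relaxed' body canonicalisation (collapse WSP runs, strip
    trailing WSP, drop trailing empty lines, end with one CRLF), then the
    hash named in a=; returns the base64 value that bh= must equal."""
    lines = [re.sub(rb"[ \t]+", b" ", ln).rstrip(b" ") for ln in body.split(b"\r\n")]
    while lines and lines[-1] == b"":
        lines.pop()
    canon = b"\r\n".join(lines) + b"\r\n" if lines else b""
    digest = hashlib.sha1 if algo.endswith("sha1") else hashlib.sha256
    return base64.b64encode(digest(canon).digest()).decode()

def check_signature_tags(tags: dict, body: bytes) -> dict:
    """Checks possible before fetching the public key: version and algorithm
    sanity, required tags, From covered by h=, and bh= against the body."""
    required = {"v", "a", "d", "s", "h", "bh", "b"}
    signed = [h.strip().lower() for h in tags.get("h", "").split(":")]
    return {
        "version_ok": tags.get("v") == "1",
        "algorithm_ok": tags.get("a") in ("rsa-sha256", "ed25519-sha256"),
        "missing_tags": sorted(required - set(tags)),
        "from_signed": "from" in signed,
        "body_hash_ok": tags.get("bh") == relaxed_body_hash(body, tags.get("a", "")),
    }

# Tags mirror the page's sample; b= is a placeholder since no key is used here.
SIGNATURE = (
    "v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; d=activetrail.com; s=at;"
    " h=From:To:Date:Subject:MIME-Version; bh=" + relaxed_body_hash(BODY) + ";"
    " b=PLACEHOLDER+not/a+real+signature==\r\n\t FOLDED"
)
```

A bh= mismatch tells the analyst the body was altered after signing, even before any key material is retrieved.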
Figure 3.1 Sample Email Header
The content of an email and its attachments can provide valuable information for digital investigations. The content of an email can include text, images, and other data, while attachments can include files, images, and other documents. Research papers that discuss the use of email content and attachments in investigations include [11].
Use of forensic tools:
Forensic tools are used to analyze digital evidence such as email headers, content, and attachments. These tools can be used to recover deleted data, examine metadata, and analyze email correspondence. Research papers that discuss the use of forensic tools in email analysis include [13][14].
EnCase Forensic: EnCase Forensic is a comprehensive digital forensics software solution that provides a wide range of tools for email analysis, including email header and content analysis, email recovery, and email metadata extraction.
FTK Imager: FTK Imager is a powerful forensic imaging tool that can be used to create exact images of digital devices, including email correspondence and attachments. It also includes features for email analysis, including email header and metadata analysis, email recovery, and email carving.
Axiom Forensics: Axiom Forensics is a digital forensics software suite that includes tools for email analysis, such as email header analysis, email content analysis, email recovery, and email metadata extraction. It also includes advanced features such as email thread analysis and email correlation.
X-Ways Forensics: X-Ways Forensics is a powerful digital forensics software solution that provides tools for email analysis, including email header and content analysis, email recovery, and email metadata extraction. It also includes advanced features such as email thread analysis and email visualization.
AccessData Forensic Toolkit (FTK): FTK is a comprehensive digital forensics software suite that provides tools for email analysis, including email header and content analysis, email recovery, and email metadata extraction. It also includes advanced features such as email thread analysis and email visualization.
Note: This is not a comprehensive list and there are many other email forensic tools available. The choice of tool depends on the specific needs of the investigation and the expertise of the analyst.
Review of email correspondence:
A review of email correspondence involves examining the content of emails, including the text and attachments, to identify relevant information. This information can be used to reconstruct events, establish relationships, and determine the intent of the parties involved. Research papers that discuss the review of email correspondence include [15][16].
Encryption involves converting plaintext data into an unreadable format that can only be decrypted with a key. This presents a challenge in email forensics as encrypted emails prevent the examination of email content. Authentication mechanisms such as digital signatures, certificate-based encryption, and message authentication codes can also prevent the extraction of metadata and header information. These challenges make it difficult to perform a comprehensive analysis of the email evidence.[20][21]
Figure 4.1 PKI Card
PKI is an acronym for public key infrastructure, which is the technology behind digital certificates. A digital certificate fulfils a similar purpose to a driver’s license or a passport – it is a piece of identification that proves your identity and provides certain allowances. A digital certificate allows its owner to encrypt, sign, and authenticate. Accordingly, PKI is the technology that allows you to encrypt data, digitally sign documents, and authenticate yourself using certificates.
As the word “infrastructure” in public key infrastructure implies, PKI is the underlying framework for the technology as a whole; it is not a single, physical entity. PKI encapsulates various “pieces” that make up the technology, including the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. An important piece of PKI technology is the CA, which is the certification authority. The CA is the entity that issues digital certificates.[28]
Email systems and storage formats vary greatly and lack standardization, which makes the analysis of email evidence challenging. Different email systems may use different file formats and store data in different ways, making it difficult to extract and analyze data in a consistent manner. This lack of standardization can lead to errors and inconsistencies in the analysis of email evidence, making it important for email forensics experts to be familiar with various email systems and storage formats.[22][23]
Email forensics may involve the examination of sensitive personal information such as email correspondence, contacts, and attachments. It is crucial to maintain privacy and ethical standards by protecting confidential personal information during the collection and analysis of email evidence. This requires strict adherence to data protection laws and regulations and the implementation of secure data handling procedures.[24][25]
Gathering necessary resources:
Gathering necessary resources, including personnel, equipment, and software, is a critical step in preparing for an email forensics investigation. This step ensures that the investigation is conducted with the tools and resources needed to effectively collect and analyze evidence. Research papers that discuss the importance of gathering necessary resources in email forensics include [30][31].
Adherence to best practices and standard procedures:
Adherence to best practices and standard procedures is critical in ensuring the reliability and integrity of email evidence. This step involves following established procedures for collecting and analyzing email evidence so that it remains reliable and usable in legal proceedings. Research papers that discuss the importance of adherence to best practices and standard procedures in email forensics include [32][33].
Proper documentation and reporting:
Proper documentation and reporting of email forensics investigations are critical for maintaining the chain of custody and ensuring the evidence can be used in legal proceedings. This step involves documenting the steps taken in the investigation, including the collection and analysis of evidence, to ensure a clear and accurate record of the investigation. Research papers that discuss the importance of proper documentation and reporting in email forensics include [34][35].
Working with stakeholders and relevant parties:
Working with stakeholders and relevant parties is a critical step in conducting an email forensics investigation. This step involves collaborating with individuals and organizations, such as law enforcement and legal counsel, to ensure that the investigation is conducted in a manner that meets their needs and expectations. Research papers that discuss the importance of working with stakeholders and relevant parties in email forensics include [36][37].
Maintaining clear and concise communication:
Maintaining clear and concise communication is critical in conducting an email forensics investigation. This step involves communicating effectively with stakeholders and relevant parties, including providing regular updates and clear, concise reporting of findings, to ensure that the investigation is conducted in a transparent and effective manner. Research papers that discuss the importance of maintaining clear and concise communication in email forensics include [38][39][40].
In conclusion, email investigation is a crucial process that involves the collection, analysis, and preservation of electronic evidence for various purposes. Successful email investigations require careful planning and preparation, the use of appropriate forensic tools, and adherence to best practices and standard procedures. Technical challenges and ethical and privacy concerns pose significant obstacles to the process, and it is important to maintain clear and concise communication and collaboration with stakeholders and relevant parties. The ultimate goal of email investigation should be to obtain reliable and defensible evidence while respecting the privacy and confidentiality of the individuals involved.