Course 13 - Network Forensics | Episode 8: Email Analysis and Forensic Investigation

In this lesson, you’ll learn about:How email systems work from a forensic perspectiveWhere and how email evidence can be recoveredHow headers, protocols, and timestamps help analysts trace message originsLegal considerations affecting email investigationsTools used in forensic email analysisEmail Analysis & Forensic Investigation Forensic Locations and Evidence Recovery Email evidence can reside in multiple places, so investigators must consider:Client/Suspect Machine: Local email clients, temporary files, swap space, browser cache, slack space.Mail Server: Messages stored during transit or retained copies.Recipient’s System: Evidence often found in the receiver’s mailbox or client.Intermediate Entities: ISPs may also hold relevant artifacts.Effective investigation requires understanding email systems, storage behaviors, and how different clients manage local vs. server-side data. Email Structure & Protocols Email messages consist of two main components: HeaderContains trace information, routing data, and metadata.Fields are generated by the sender, their client, and each server the message passes through.Crucial for tracking the message back to its true point of origin.BodyThe actual message content, which may include attachments.ProtocolsSMTP (port 25) – responsible for sending mail.POP3 (port 110) – retrieves email, often removing it from the server.IMAP – keeps messages stored server-side for synchronization.Ports may be customized, so correct port filtering is essential.EncodingMIME – standard encoding for transmitting messages and attachments across networks.S/MIME & PGP – used for secure, encrypted email communications.Message Storage & Client Forensics Email storage varies depending on configuration:Stored only on the serverStored on both client and serverDeleted from the server after retrieval by client settingsImportant points:Client settings (like in Outlook) may be overridden by the server.Browser-based clients store less structured email data but may leave:Cached message viewsTemporary HTML copiesThumbnailsOutlook & PST FilesOutlook stores email data in PST files, which are typically the largest and most valuable evidence sources.Email Tracing & Header Analysis Technical headers provide the primary means to trace an email’s path. How to Trace an EmailAnalyze the Received: header fields.Begin from the bottom entry (earliest hop).Move upward to reconstruct the route.Evaluate timestamps and time zone offsets carefully to avoid misinterpreting the message flow.Key ConsiderationsSome header fields can be spoofed, but not all.Tools for verification include:Sam SpadeDNS lookup toolsWHOISBCC FieldIf the BCC field appears in a header, it simply confirms a blind copy was sent, though the recipient remains hidden.Legal & Investigative Factors The level of legal protection depends on message age and state:Unopened emails (< 90 days) → Highly protected, often requiring a warrant.Opened emails → Lower level of protection.Unopened emails (> 90 days) → Reduced protection.Emails (> 180 days) → Minimal protection regardless of status.Legal guidance is critical, especially during investigations involving phishing or other malicious email-based attacks. Tools & Monitoring Techniques Investigators rely on several forensic tools: Forensic SuitesFTK (AccessData)EnCase (Guidance Software)Both support PST extraction and email analysis.Network Monitoring Tools Used to examine raw email traffic, especially SMTP:WiresharkMicrosoft Network MonitorTCPdumpTSharkTypical filtering involves isolating traffic on port 25 (SMTP) or any non-standard port used by the mail service.You can listen and download our episodes for free on more than 10 different platforms:https://linktr.ee/cybercode_academy