Email Investigation

I. Introduction

E-mail is a widely used form of computer-mediated communication (Heisler and Crabill, 2006) that allows for quick and inexpensive communication over long distances. Despite its convenience, email has been implicated in various criminal activities, either as a tool for criminals to communicate or as a source of digital evidence (Maras, 2012; Yu, 2011). This has made email a key focus in digital forensics (Orebaugh and Allnutt, 2009; Garfinkel, 2006; Shields et al., 2011). However, current digital forensics literature frequently overlooks an important source of intelligence in criminal activities — email spam.In the USA, the CAN-SPAM Act defines email spam as unsolicited commercial emails sent to recipients with whom the sender has no existing relationship, and not sent with the recipient’s consent. Unsolicited commercial emails that violate the CAN-SPAM regulations are considered illegal and may result in fines of up to $16,000 for each email in violation (Federal Trade Commission, 2009), or imprisonment (Year Gain et al., 2004). However, research has shown that these penalties have failed to deter spammers (Yu, 2011), suggesting that spammers do not believe that law enforcement takes email spam cases seriously. This lack of enforcement may be due to limited resources or jurisdictional issues, but it may also indicate a perception that email spam is a minor problem with minimal harm. This downplayed view of email spam could work in the favour of criminals if digital investigators and researchers share the same perception.Current research on email spam primarily focuses on technical issues, such as spam filtering methods (Blanzieri and Bryl, 2008; Zhou et al., 2010; Liu and Wang, 2013; Zhou et al., 2014), or the methods used by spammers (Wang et al., 2013; Lumezanu and Feamster, 2012). These discussions are largely irrelevant to digital forensics, as researchers in the field of email spam are more concerned with detecting spam and reducing false positives, rather than extracting useful information from spam emails. This makes email spam a viable medium for criminals to convey incriminating messages. To demonstrate this, this article introduces five scenarios where digital forensics practitioners may overlook crucial information contained in spam emails.B. Overview of the email investigation process [1][2][3][4][5]

The email investigation process typically involves the following steps:

Gathering evidence: This includes collecting all relevant emails, attachments, and any other related electronic data.

Reviewing the evidence: The collected data is reviewed to identify any relevant information that may help in the investigation.

Analysis: The data is analysed to determine if there is any violation of policies, laws, or ethical standards.

Interviews: Key individuals involved in the matter may be interviewed to gather additional information and clarify any inconsistencies.

Documenting findings: The investigation results are documented in a detailed report that outlines the findings, evidence, and conclusions.

Making recommendations: Based on the findings, recommendations are made to address the issue and prevent future incidents.

Presenting findings: The findings and recommendations are presented to the appropriate parties for review and implementation.[6]

Note: The specific steps and methods used in an email investigation may vary depending on the situation and jurisdiction.

II. Types of Email InvestigationsA. Internal Email Investigation: An internal email investigation is conducted within an organisation to examine the use of email within the company, usually for compliance or security purposes. This type of investigation may be carried out to monitor employee communication, prevent data breaches or intellectual property theft, or ensure that employees are following company policies and regulations.[7]

External Email Investigation: External email investigations are conducted outside of an organisation, usually by law enforcement agencies, to gather evidence for a criminal case. This may involve collecting and analysing email communications between individuals, businesses, or organisations to gather evidence of illegal activities such as cybercrime, fraud, or embezzlement.[8]

Criminal Email Investigation: A criminal email investigation is a type of external email investigation conducted to gather evidence for a criminal case. This type of investigation may involve the analysis of email communications for evidence of criminal activities such as cybercrime, fraud, or embezzlement. It may also involve the examination of email header information, IP addresses, and other technical details to track the origin and movement of email communications.[9]

III. Methods of Email InvestigationA. Collection of Evidence1. Email headers and metadata

Delivered-To

This email header field contains the email address of the intended recipient. It is one of the major things to check during email analysis as it can provide details of phishing activities. If the email address in this field is not the same as the recipient’s actual email address, then it can be a sign of message tampering that warrants an investigation. It’s worth noting that email header tampering and spoofing is rather easy for cybercriminals these days — all they need is a Simple Mail Transfer Protocol (SMTP) server and mailing software to launch a phishing attack.

Received By

This field contains the details of the last visited SMTP server. The following information is disclosed:

a) Server’s IP address

b) SMTP ID of the visited server

c) Data and time at which the email was received by the SMTP server

X-Received

X-Received: by 10.28.27.14 with SMTP id b14mr1702258wmb.82.1485938349292;

Wed, 01 Feb 2017 00:39:09 -0800 (PST)

Some email parameters are not defined in Internet Official Protocol Standards and are called non-standard headers. These are created by mail transfer agents like Google mail SMTP servers which may use the X-Received field to share non-standard information. This field must not be overlooked during email header analysis as it shares the following details:

a) IP address of the message-receiving servers

b) SMTP ID of the server

c) Data and time at which the email was received

Return Path

[email protected]

This field contains the email address where the message is returned, in case it fails to reach the intended recipient. This can easily happen if the sender has used the wrong email address for the recipient.

by mx.google.com with ESMTPS id 5si23398790wrr.176.2017.02.01.00.39.08

for ([email protected])

(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);

Wed, 01 Feb 2017 00:39:09 -0800 (PST)

This field contains the information of the first SMTP server where the email was reached. The following details can be found here:

a) Server-related IP address

b) Receiver’s email address

c) Encryption information

d) Data and time at which the message was received

Received From is one of the most important fields in an email header as you can find the IP address of the sender along with other details like the hostname.

Received-SPF: pass (google.com: domain of [email protected] designates 91.199.29.18 as permitted sender) client-ip=91.199.29.18;

Sender Policy Framework (SPF) is an email security protocol that is used to verify the sender. The system forwards the message only after the sender’s identity is authenticated. The technique uses the domain address for authentication and adds the check status in the header field. The following codes are used:

a) Pass: Email source is valid

b) Softfail: Fake source possible

c) Fail: Source is invalid

d) Neutral: Source validity difficult to ascertain

e) None: SPF record not found

f) Unknown: SPF check can’t be performed

g) Error: An error occurring during the SPF check

Authentication-Results: mx.google.com;

dkim=pass [email protected];

spf=pass (google.com: domain of [email protected] designates 91.199.29.18 as permitted sender) [email protected];

dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=gingersoftware.com

Mail Transfer Agents (MTAs) apply a slew of authentication techniques to the email messages before processing them. The results of these techniques are added to the header field of messages and are separated by a semicolon.

The Authentication-Results field is of great importance in email header analysis forensics as it shares the ID of the authentication-performing server. It also shares the authentication techniques along with their results.

DKIM Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; q=dns/txt; d=activetrail.com; s=at; h=X-BBounce:X-IADB-URL:Sender:Submitter:X-Feedback-ID:From:To:Date:Subject:MIME-Version:Content-type:Content-Transfer-Encoding; bh=GytDyTyaDleCfGk0d7bL4F2bXbTuWsb/xtpIVyVaCRw=; b=sgh6nUFjt5FC7rBC2BwXFulNuG+k14R7bBsstb4erjtZfTn4z/NPHNhVb4Ax1yXoOgX+ Il6n5SCcXTCkwQdmaxpxt/BzPjWVziBdzU1WichHhPabVFeKctyp6pCjv4+d2FVIiEuxqi v5dBTcJjXBVpOwU0mqgRceh3pqcvd5Rj4=

DKIM signature header field is inserted in an email message to share details of the sender, message, and the public key which is required to perform message authentication. Many email platforms like Gmail and Outlook.com support this field to confirm email authenticity.

Here are the various tags of the DKIM signature header:

v: application version. Only version 1 exists today so this field should always be set to 1.

a: algorithms used for encryption. It should be rsa-sha256 in most cases. Some senders may use rsa-sha1 but it’s not recommended due to security risks.

c: algorithms used for canonicalization.

s: selector record name used with the domain.

h: signed header fields that are used in the signing algorithm to create the hash in b= tag.

bh: hash of the message body.

b: hash data of the headers listed in the h= tag. It’s also called the DKIM signature.

d: domain used with the selector record. [10]

Figure 3. 1 Sample Email Header

2. Email content and attachments

The content of an email and its attachments can provide valuable information for digital investigations. The content of an email can include text, images, and other data, while attachments can include files, images, and other documents. Research papers that discuss the use of email content and attachments in investigations include [11]

B. Analysis of Evidence

Use of forensic tools:

Forensic tools are used to analyze digital evidence such as email headers, content, and attachments. These tools can be used to recover deleted data, examine metadata, and analyze email correspondence. Research papers that discuss the use of forensic tools in email analysis include[13][14]

EnCase Forensic: EnCase Forensic is a comprehensive digital forensics software solution that provides a wide range of tools for email analysis, including email header and content analysis, email recovery, and email metadata extraction.

FTK Imager: FTK Imager is a powerful forensic imaging tool that can be used to create exact images of digital devices, including email correspondence and attachments. It also includes features for email analysis, including email header and metadata analysis, email recovery, and email carving.

Axiom Forensics: Axiom Forensics is a digital forensics software suite that includes tools for email analysis, such as email header analysis, email content analysis, email recovery, and email metadata extraction. It also includes advanced features such as email thread analysis and email correlation.

X-Ways Forensics: X-Ways Forensics is a powerful digital forensics software solution that provides tools for email analysis, including email header and content analysis, email recovery, and email metadata extraction. It also includes advanced features such as email thread analysis and email visualization.

AccessData Forensic Toolkit (FTK): FTK is a comprehensive digital forensics software suite that provides tools for email analysis, including email header and content analysis, email recovery, and email metadata extraction. It also includes advanced features such as email thread analysis and email visualization.

Note: This is not a comprehensive list and there are many other email forensic tools available. The choice of tool depends on the specific needs of the investigation and the expertise of the analyst.

Review of email correspondence:

A review of email correspondence involves examining the content of emails, including the text and attachments, to identify relevant information. This information can be used to reconstruct events, establish relationships, and determine the intent of the parties involved. Research papers that discuss the review of email correspondence include[15][16]

C. Preservation of EvidenceImportance of proper storage: Proper storage of digital evidence, including email correspondence, is crucial for maintaining its integrity and ensuring that it can be used as evidence in legal proceedings. Improper storage can result in data corruption, data loss, and changes to the original data, making it unreliable as evidence. Research papers that discuss the importance of proper storage include [16][17]Legal considerations: The legal considerations involved in email forensics include privacy laws, electronic discovery rules, and the admissibility of digital evidence in court. It is important to be aware of these laws and to follow proper procedures when collecting and analyzing email evidence to ensure that it can be used as evidence in legal proceedings. Research papers that discuss legal considerations in email forensics include [18][19]IV. Challenges in Email InvestigationA. Technical Challenges1. Encryption and authentication

Encryption involves converting plaintext data into an unreadable format that can only be decrypted with a key. This presents a challenge in email forensics as encrypted emails prevent the examination of email content. Authentication mechanisms such as digital signatures, certificate-based encryption, and message authentication codes can also prevent the extraction of metadata and header information. These challenges make it difficult to perform a comprehensive analysis of the email evidence.[20][21]

Figure 4.1 PKI Card

PKI is an acronym for public key infrastructure, which is the technology behind digital certificates. A digital certificate fulfils a similar purpose to a driver’s license or a passport — it is a piece of identification that proves your identity and provides certain allowances. A digital certificate allows its owner to encrypt, sign, and authenticate. Accordingly, PKI is the technology that allows you to encrypt data, digitally sign documents, and authenticate yourself using certificates.

As the word “infrastructure” in public key infrastructure implies, PKI is the underlying framework for the technology as a whole; it is not a single, physical entity. PKI encapsulates various “pieces” that make up the technology, including the hardware, software, people, policies, and procedures needed to create, manage, store, distribute, and revoke digital certificates. An important piece of PKI technology is the CA, which is the certification authority. The CA is the entity that issues digital certificates.[28]

2. Lack of standardization

Email systems and storage formats vary greatly and lack standardization, which makes the analysis of email evidence challenging. Different email systems may use different file formats and store data in different ways, making it difficult to extract and analyze data in a consistent manner. This lack of standardization can lead to errors and inconsistencies in the analysis of email evidence, making it important for email forensics experts to be familiar with various email systems and storage formats.[22][23]

B. Ethical and Privacy Concerns1. Confidentiality of personal information

Email forensics may involve the examination of sensitive personal information such as email correspondence, contacts, and attachments. It is crucial to maintain privacy and ethical standards by protecting confidential personal information during the collection and analysis of email evidence. This requires strict adherence to data protection laws and regulations and the implementation of secure data handling procedures.[24][25]

2. Adherence to data protection lawsEmail forensics must comply with various data protection laws, including privacy laws and data retention regulations, to ensure that the collection and analysis of email evidence are conducted in a legal and ethical manner. This requires a deep understanding of data protection laws and regulations and the implementation of processes and procedures to ensure compliance. Inadequate attention to data protection laws can result in legal and ethical issues, which can compromise the integrity and reliability of the email evidence.[26][27]V. Best Practices in Email InvestigationA. Planning and PreparationDefining the scope of the investigation: Defining the scope of an email forensics investigation involves determining the objectives, goals, and boundaries of the investigation. This step is critical in ensuring that the investigation is conducted in an efficient and effective manner. Research papers that discuss the importance of defining the scope of an email forensic investigation[28][29]

Gathering necessary resources:

Gathering necessary resources, including personnel, equipment, and software, is a critical step in preparing for an email forensics investigation. This step ensures that the investigation is conducted with the necessary tools and resources to effectively collect and analyze evidence. Research papers that discuss the importance of gathering necessary resources in email forensics[30][31]

B. Evidence Collection and Analysis1. Adherence to best practices and standard procedures

Adherence to best practices and standard procedures:

Adherence to best practices and standard procedures is critical in ensuring the reliability and integrity of email evidence. This step involves following established procedures for collecting and analyzing email evidence to maintain the evidence’s reliability and usability as evidence in legal proceedings. Research papers that discuss the importance of adherence to best practices and standard procedures in email forensics[32][33]

2. Proper documentation and reporting

Proper documentation and reporting:

Proper documentation and reporting of email forensics investigations are critical for maintaining the evidence’s chain of custody and ensuring the evidence can be used as evidence in legal proceedings. This step involves documenting the steps taken in the investigation, including the collection and analysis of evidence, to ensure a clear and accurate record of the investigation. Research papers that discuss the importance of proper documentation and reporting in email forensics[34][35]

C. Communication and Collaboration1. Working with stakeholders and relevant parties

Working with stakeholders and relevant parties:

Working with stakeholders and relevant parties is a critical step in conducting an email forensics investigation. This step involves collaborating with individuals and organizations, such as law enforcement and legal counsel, to ensure that the investigation is conducted in a manner that meets their needs and expectations. Research papers that discuss the importance of working with stakeholders and relevant parties in email forensics[36][37]

2. Maintaining clear and concise communication

Maintaining clear and concise communication:

Maintaining clear and concise communication is critical in conducting an email forensics investigation. This step involves communicating effectively with stakeholders and relevant parties, including providing regular updates and clear and concise reporting of findings, to ensure that the investigation is conducted in a transparent and effective manner. Research papers that discuss the importance of maintaining clear and concise communication in email forensic[38][39][40]

VI. Conclusion

In conclusion, email investigation is a crucial process that involves the collection, analysis, and preservation of electronic evidence for various purposes. Successful email investigations require careful planning and preparation, the use of appropriate forensic tools, and adherence to best practices and standard procedures. Technical challenges and ethical and privacy concerns pose significant obstacles to the process, and it is important to maintain clear and concise communication and collaboration with stakeholders and relevant parties. The ultimate goal of email investigation should be to obtain reliable and defensible evidence while respecting the privacy and confidentiality of the individuals involved.

A. Summary of Key Findings:Email investigation is a complex process that requires a combination of technical expertise and an understanding of the legal and ethical implications involved. The research found that the success of an email investigation largely depends on careful planning and preparation, the use of appropriate forensic tools, and adherence to best practices and standard procedures. The analysis of email evidence also requires a thorough understanding of the technical challenges, such as encryption and authentication, and an awareness of the ethical and privacy concerns, such as confidentiality of personal information and data protection lawsB. Implications and Future Recommendations:The findings of this research have several implications for the email investigation process. It highlights the need for better collaboration and communication between stakeholders, including investigators, legal teams, and relevant parties. It also underscores the importance of proper documentation and reporting to ensure that the evidence collected is admissible in court. Future research could focus on the development of more effective methods for email investigation, as well as the implementation of policies and procedures to ensure the ethical and legal compliance of the process. Overall, the goal of email investigation should be to obtain reliable and defensible evidence while respecting the privacy and confidentiality of the individuals involved.

Launched to the world in 2017, Wisemonkeys is now a robust Learning management system.

Just follow a 3-step registration process and get connected. Since we appreciate genuine users and do not encourage spammers we follow a small registration process:

1. Sign up

2. Confirm your email. (for the first time the email might fall into your spam/junk/promotion folder. Please mark it as not spam and confirm the link).

3. Login and get started.

4. Or log in via Google/Microsoft.

Our hardworking team is thriving hard to make this platform better and better. If you have any suggestions and feedback, then do write to us at: [email protected]