Forensics

Email Forensics Analysis

Email is one of the most widely used services on the internet and has become a primary means of communication for organizations and the public. Its use in business activities such as banking, messaging and sending file attachments has grown at a tremendous rate, and the medium has become a target for many kinds of attack. Attackers can forge email headers and send mail anonymously for malicious purposes, can abuse open relay servers to carry out large-scale social engineering, and email remains the most common delivery channel for phishing. To investigate these attacks and identify the people responsible, email forensics applies techniques such as header analysis, server investigation and sender mailer fingerprinting. Email forensics is the analysis of the source and content of an email message: identifying the sender and receiver, establishing the date and time of the message, and examining every entity involved in its delivery. The term also covers the forensic examination of client or server systems suspected of being involved in an email forgery.

Email Architecture :

When a user sends an email, it does not go directly to the recipient's mail server; it passes through a chain of mail servers, each of which leaves a trace in the message headers.

The Mail User Agent (MUA) is the program at the client end used to read and compose email: a desktop client such as Outlook or Thunderbird, or a webmail front end such as Gmail. When the MUA submits a message, it hands it to a Mail Transfer Agent (MTA). The MTA reads the envelope recipient and the header fields to work out where the message must go, prepends a Received header recording the host it got the message from, the host that accepted it and the time, and relays the message to the next MTA, which does the same. The last MTA in the chain hands the message to the Mail Delivery Agent (MDA), which places it in the recipient's mailbox, where the recipient's MUA fetches it. Because every MTA on the path adds its own Received line, the header of a delivered message records the servers it passed through.

Email Header Analysis:

Email forensics starts with the study of the email header, because it contains a great deal of information about how the message was handled. The analysis covers both the message body and the header fields that describe the message. Header analysis helps in identifying most email-related crimes such as spear phishing, spam and email spoofing. Spoofing is a technique by which a sender pretends to be someone else: a normal user, seeing a familiar name or address in the From field, assumes the message comes from a friend or colleague. The friend's account has not necessarily been compromised; the attacker has simply written the friend's address into a message sent from somewhere else.

By analyzing the email headers, one can determine whether a message really came from the address it claims to be from or from a spoofed one. Here is what an email header looks like:

Delivered-To: [email protected]
Received: by 2002:a0c:f2c8:0:0:0:0:0 with SMTP id c8csp401046qvm;
        Wed, 29 Jul 2020 05:51:21 -0700 (PDT)
X-Received: by 2002:a92:5e1d:: with SMTP id s29mr19048560ilb.245.1596027080539;
        Wed, 29 Jul 2020 05:51:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1596027080; cv=none;
        d=google.com; s=arc-20160816;
        b=Um/is48jrrqKYQMfAnEgRNLvGaaxOHC9z9i/vT4TESSIjgMKiQVjxXSFupY3PiNtMa
         9FPI1jq3C4PVsHodzz6Ktz5nqAWwynr3jwld4BAWWR/HBQoZf6LOqlnTXJskXc58F+ik
         4nuVw0zsWxWbnVI2mhHzra//g4L0p2/eAxXuQyJPdso/ObwQHJr6G0wUZ+CtaYTIjQEZ
         dJt6v9I2QGDiOsxMZz0WW9nFfh5juZtg9AJZ5ruHkbufBYpL/sFoMiUN9aBLJ8HBhJBN
         xpPAEyQI4leZT+DQY+ukoXRFQIWDNEfkB5l18GcSKurxn5/K8cPI/KdJNxCKVhTALdFW
         Or2Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=to:subject:message-id:date:from:mime-version:dkim-signature;
        bh=DYQlcmdIhSjkf9Cy8BJWGM+FXerhsisaYNX7ejF+n3g=;
        b=xs6WIoK/swyRWSYw7Nrvv8z1Cx8eAhvlBqBZSbRQTVPvFCjszF4Eb1dWM0s5V+cMAi
         DbkrMBVVxQTdw7+QWU0CMUimS1+8iktDaJ6wuAHu2U9rfOHkY6EpTSDhK2t9BwfqO/+I
         wbM+t6yT5kPC7iwg6k2IqPMb2+BHQps6Sg8uk1GeCJlFlz9TICELcvmQMBaIP//SNlo9
         HEa5iBNU3eQ24eo3bf1UQUGSC0LfslI2Ng1OXKtneFKEOYSr16zWv8Tt4lC1YgaGLDqf
         UYlVoXEc/rOvmWMSz0bf6UxT1FQ62VLJ75re8noQuJIISiNf1HPZuRU6NRiHufPxcis2
         1axg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass [email protected] header.s=20161025 header.b=JygmyFja;
       spf=pass (google.com: domain of [email protected] designates 209.85.22000 as
       permitted sender) [email protected];
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <[email protected]>
Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.000.00])
        by mx.google.com with SMTPS id n84sor2004452iod.19.2020.07.29.00.00.00
        for <[email protected]>
        (Google Transport Security);
        Wed, 29 Jul 2020 05:51:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of [email protected] designates 209.85.000.00
as permitted sender) client-ip=209.85.000.00;
Authentication-Results: mx.google.com;
       dkim=pass [email protected] header.s=20161025 header.b=JygmyFja;
       spf=pass (google.com: domain of [email protected] designates
       209.85.000.00 as permitted sender) [email protected];
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:from:date:message-id:subject:to;
        bh=DYQlcmdIhSjkf9Cy8BJWGM+FXerhsisaYNX7ejF+n3g=;
        b=JygmyFjaBHIYkutqXm1fhUEulGQz37hwzUBnWhHr8hwogrmoEUSASqiBwRhSq4Aj9J
         dvwPSUfs0loOOTindXQJ5XMWRIa1L8qSyrMys6QaeZhG4Z/Oq0FdD3l+RNqRaPB4ltK1
         utXVPo2v5ntiwpJWeeySXDq+SY9QrFIXjM8tS18oihnzIfOze6S4kgI4KCb+wWUXbn98
         UwfU4mA4QChXBNhj4wuJL8k7xkrCZbrVSefhRSqPzaEGNdbjX8dgmWZ8mkxnZZPx2GYt
         olCK+j+qgAMuGh7EScau+u6yjEAyZwoW/2Ph5n9c82TSNrAXE0stvnweUe8RzPRYe4By
         SkKQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:from:date:message-id:subject:to;
        bh=DYQlcmdIhSjkf9Cy8BJWGM+FXerhsisaYNX7ejF+n3g=;
        b=Rqvb//v4RG9c609JNZKlhU8VYqwzmuxGle1xGfoCfisumSIizvlx9QpHmbgLbtfjHT
         IBEiYtARm1K7goMQP4t2VnTdOqeOqmvI+wmcGG6m4kd4UdeJ87YfdPLug82uhdnHqwGk
         bbadWLH9g/v3XucAS/tgCzLTxUK8EpI0GdIqJj9lNZfCOEm+Bw/vi9sIUhVZbXlgfc0U
         jJX4IMElRlB1gMWNe41oC0Kol7vKRiPFzJpIU52Dony09zk6QQJElubY3uqXwqvcTixB
         W1S4Qzhh7V5fJX4pimrEAUA5i10Ox0Ia+vEclI5vWdSArvPuwEq8objLX9ebN/aP0Ltq
         FFIQ==
X-Gm-Message-State: AOAM532qePHWPL9up8ne/4rUXfRYiFKwq94KpVN551D9vW38aW/6GjUv
5v5SnmXAA95BiiHNKspBapq5TCJr1dcXAVmG7GXKig==
X-Google-Smtp-Source: ABdhPJxI6san7zOU5oSQin3E63tRZoPuLaai+UwJI00yVSjv05o/
N+ggdCRV4JKyZ+8/abtKcqVASW6sKDxG4l3SnGQ=
X-Received: by 2002:a05:0000:0b:: with SMTP id v11mr21571925jao.122.1596027079698;
 Wed, 29 Jul 2020 05:51:19 -0700 (PDT)
MIME-Version: 1.0
From: Marcus Stoinis <[email protected]>
Date: Wed, 29 Jul 2020 17:51:03 +0500
Message-ID: <CAJ7aMujFbA0YCFvydnF-N=_zvtckPUn38xMr62dwitD0Ady3=w@mail.gmail.com>
Subject:
To: [email protected]
Content-Type: multipart/alternative; boundary="00000000000023294e05ab94032b"

--00000000000023294e05ab94032b
Content-Type: text/plain; charset="UTF-8"

In order to understand the header information, one has to understand the structured set of fields that make it up. The most useful fields are described below.

X-Apparently-To: Some providers (Yahoo, for example) add this field to record the mailbox the message was actually delivered to. It matters when the message was sent to more than one recipient, as Bcc or through a mailing list: the To field shows whatever the sender wrote, while X-Apparently-To shows the recipient address the server delivered to, regardless of whether the message arrived via To, Cc, Bcc or a list.

Return-Path: The Return-Path field holds the envelope sender (the address given in the SMTP MAIL FROM command), written in by the final receiving server; bounces go to this address. It is not the From header: From is supplied by the sender's software and can say anything, whereas Return-Path records what the sending server actually claimed in the SMTP session. A Return-Path domain that differs from the From domain is a common sign of bulk mailing or spoofing, so the two should always be compared.

Received-SPF: This field records the result of the Sender Policy Framework check performed by the receiving server: whether the IP address that delivered the message is authorized by the DNS SPF record of the domain in the envelope sender. In this case the check passed:

Received-SPF: pass (google.com: domain of [email protected] designates 209.85.000.00 as permitted sender) client-ip=209.85.000.00;

X-Spam-Score: Spam filtering software at the receiving server or in the MUA calculates a spam score for each message. If the score exceeds a configured threshold, the message is moved automatically to the spam folder. Different filters use different field names for the score and verdict, such as X-Spam-Score, X-Spam-Status, X-Spam-Flag and X-Spam-Level.

Received: Each MTA that handles the message prepends a Received field, so the topmost Received line is the last hop (the investigator's own server) and the bottommost is the first hop, usually the server that accepted the message from the sender's client. The field names the host and IP address that handed the message over, the host that accepted it, the protocol used and a timestamp. Only the Received lines added by servers you trust are reliable: a sender can fabricate Received lines of its own below them. Some providers additionally record the submitting client's address in an X-Originating-IP field.

X-Sieve: This field names the message filtering system and its version. Sieve is the language used to specify the conditions under which a message is filed, forwarded or discarded.

X-Spam-Charsets: This field records the character sets the spam filter detected in the message, such as UTF-8. UTF-8 is backward compatible with ASCII, so a message declaring UTF-8 but containing only ASCII text is unremarkable; character sets that do not fit the sender's claimed locale are one of the signals spam filters score.

X-Resolved-To: This field contains the mailbox the message was ultimately delivered to, that is, the address the receiving MDA resolved the recipient to. Most of the time X-Delivered-To (or Delivered-To) and this field contain the same address; they differ when the recipient address is an alias or forwarding address.

Authentication-Results: This field, written by the receiving server, records the outcome of the SPF, DKIM and DMARC checks: whether the delivering IP is permitted by the sender domain's SPF record, whether the DKIM signature verified against the signing domain's published public key, and whether the From domain's DMARC policy is satisfied. In this case all three pass. A pass means the message was sent through infrastructure authorized for the signing or envelope domain (here gmail.com); it does not prove that the person named in the From field wrote it. A sender can also insert a bogus Authentication-Results header of its own, so only the block written by your own server (identified by the authserv-id, mx.google.com here) should be trusted.

Authentication-Results: mx.google.com;
dkim=pass [email protected] header.s=20161025 header.b=JygmyFja;
spf=pass (google.com: domain of [email protected] designates
209.85.000.00 as permitted sender)

Received: The Received fields carry the trace information. The earliest one (at the bottom) shows the host that first accepted the message, with its name and IP address; the one nearest the top shows the final hop into the recipient's server. Each field also records the exact date and time at which that hop received the message, which lets an investigator reconstruct the timeline and spot gaps or implausible clock values. In the example, the topmost hop shows Google's outbound relay handing the message to Google's inbound MX:

Received: from mail-sor-f41.google.com (mail-sor-f41.google.com. [209.85.000.00])
by mx.google.com with SMTPS id n84sor2004452iod.19.2020.07.29.00.00.00
for <[email protected]>
(Google Transport Security);
Wed, 29 Jul 2020 05:51:20 -0700 (PDT)

To, From and Subject: The To, From and Subject fields contain the recipient address, the sender address and the subject the sender specified when composing the message. The Subject field is blank if the sender left it empty. All three are set by the sender's software and are therefore easily forged; the From field in particular should be checked against Return-Path and Authentication-Results.

MIME headers: MIME-Version, Content-Type, Content-Transfer-Encoding and, for multipart messages, the boundary string tell the receiving MUA how to decode the body and its parts. They are also the starting point for attachment analysis, since the declared content type of a part can be compared with what the part actually contains.

MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Type: multipart/alternative; boundary="00000000000023294e05ab94032b"

Message-ID: Message-ID is a globally unique identifier generated by the sending client or server, consisting of a unique string followed by @ and a domain name. The domain part normally identifies the sending system (mail.gmail.com for messages submitted through Gmail), so a Message-ID domain that does not fit the claimed sender is worth a closer look. The identifier is also the key for correlating the message with server logs.

Message-ID: <CAJ7aMujFbA0YCFvydnF-N=_zvtckPUn38xMr62dwitD0Ady3=w@mail.gmail.com>
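The following is an added example, not code from the original article, that puts the field descriptions above and the MTA relay chain from the Email Architecture section into Python using only the standard library's email package: it walks the Received chain in delivery order, keeps only the Authentication-Results block written by our own server, compares Return-Path with From, measures the gap between the sender-supplied Date and the first server timestamp, checks the Message-ID domain, and pulls the X-Mailer fingerprint discussed later under Sender mailer fingerprints. The header block it parses is constructed for the example (invented hostnames, ids and addresses; IPs from documentation ranges; the trusted authserv-id mx.example.net is an assumption), not the Gmail message shown above. Treating the earliest non-loopback hop as the origin is a heuristic, valid only when the lower Received lines were written by hosts you trust.

```python
"""Header triage: Received chain, Authentication-Results, Return-Path vs From, Date skew, X-Mailer."""
import re
from datetime import timezone
from email import message_from_string
from email.policy import default
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample (not the article's Gmail message): a mail that claims to come from
# bank.example but was injected through an unrelated relay and fails SPF and DMARC.
# Hostnames, ids and addresses are invented; IPs come from documentation ranges.
SAMPLE = """Received: from mx.example.net (localhost [127.0.0.1])
        by mx.example.net with ESMTP id 1aB2cD;
        Wed, 29 Jul 2020 05:51:21 -0700 (PDT)
Received: from relay.badhost.example (relay.badhost.example [203.0.113.45])
        by mx.example.net with ESMTP id 9zY8xW for <victim@example.net>;
        Wed, 29 Jul 2020 05:51:20 -0700 (PDT)
Received: from WIN-USER (unknown [198.51.100.7])
        by relay.badhost.example with ESMTP id 7qR6;
        Wed, 29 Jul 2020 05:51:19 -0700 (PDT)
Authentication-Results: mx.example.net;
       dkim=none;
       spf=fail (example.net: 203.0.113.45 is not a permitted sender) smtp.mailfrom=bounce@badhost.example;
       dmarc=fail (p=REJECT sp=REJECT dis=NONE) header.from=bank.example
Return-Path: <bounce@badhost.example>
From: "Bank Security" <alerts@bank.example>
Date: Tue, 28 Jul 2020 02:00:00 +0000
Message-ID: <20200728020000.1234@WIN-USER>
X-Mailer: Mass Mailer 1.0

Please log in at the link below.
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _unfold(value):
    return " ".join(str(value).split())


def _domain(addr):
    return addr.rpartition("@")[2].lower()


def parse_received(value):
    """One Received: line -> 'from' host (its HELO name; the receiving MTA's view of its
    IP is the bracketed literal), 'by' host and the timestamp after the last ';'."""
    v = _unfold(value)
    m_from, m_by, m_ip = re.search(r"\bfrom\s+(\S+)", v), re.search(r"\bby\s+(\S+)", v), IP_RE.search(v)
    ts = None
    if ";" in v:   # drop RFC 5322 comments such as '(PDT)' before parsing the date
        ts = parsedate_to_datetime(re.sub(r"\([^)]*\)", "", v.rsplit(";", 1)[1]).strip())
        if ts.tzinfo is None:                      # a '-0000' zone yields a naive datetime
            ts = ts.replace(tzinfo=timezone.utc)
    return {"from": m_from.group(1) if m_from else None, "ip": m_ip.group(1) if m_ip else None,
            "by": m_by.group(1) if m_by else None, "time": ts}


def received_chain(msg):
    """Each MTA prepends its Received line, so header order is newest first; reverse it
    to follow the message from its origin to the mailbox."""
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]


def auth_results(msg, trusted_authserv):
    """spf/dkim/dmarc verdicts, taken only from the Authentication-Results block whose
    authserv-id is our own server: anything else could have been injected by the sender."""
    verdicts = {}
    for value in msg.get_all("Authentication-Results", []):
        v = _unfold(value)
        if v.split(";", 1)[0].strip() == trusted_authserv:
            for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", v, re.I):
                verdicts[method.lower()] = result.lower()
    return verdicts


def triage(raw, trusted_authserv):
    """Facts an investigator reads off a header, plus a list of findings worth chasing."""
    msg = message_from_string(raw, policy=default)
    hops = received_chain(msg)
    from_addr = parseaddr(str(msg.get("From", "")))[1]
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1]
    auth = auth_results(msg, trusted_authserv)
    findings = []
    if _domain(return_path) != _domain(from_addr):
        findings.append(f"Return-Path domain {_domain(return_path)} differs from From domain {_domain(from_addr)}")
    findings += [f"{m}={r}" for m, r in auth.items() if r != "pass"]
    # Date is written by the sender's client; the earliest Received stamp is the first
    # server's clock. A large gap means a forged Date or a badly skewed client.
    skew, first = None, next((h for h in hops if h["time"]), None)
    if first and msg.get("Date"):
        sent = parsedate_to_datetime(str(msg["Date"]))
        sent = sent if sent.tzinfo else sent.replace(tzinfo=timezone.utc)
        skew = int((first["time"] - sent).total_seconds())
        if abs(skew) > 3600:
            findings.append(f"Date header is {skew} s off the first Received timestamp")
    # Heuristic: the earliest non-loopback hop is the best available origin address.
    origin_ip = next((h["ip"] for h in hops if h["ip"] and not h["ip"].startswith("127.")), None)
    m = re.search(r"@([^>\s]+)", str(msg.get("Message-ID", "")))
    mid_domain = m.group(1).lower() if m else ""
    if mid_domain and not mid_domain.endswith(_domain(from_addr)):
        findings.append(f"Message-ID domain {mid_domain} does not match From domain {_domain(from_addr)}")
    return {"from_addr": from_addr, "return_path": return_path,
            "envelope_mismatch": _domain(return_path) != _domain(from_addr), "auth": auth,
            "hops": hops, "origin_ip": origin_ip, "date_skew_seconds": skew,
            "x_mailer": str(msg.get("X-Mailer") or msg.get("User-Agent") or ""),
            "message_id_domain": mid_domain, "findings": findings}


if __name__ == "__main__":
    report = triage(SAMPLE, trusted_authserv="mx.example.net")
    for hop in report["hops"]:
        print(f"{hop['time']}  {hop['from']} [{hop['ip']}] -> {hop['by']}")
    for finding in report["findings"]:
        print("!", finding)
```

Run against a real message by reading the raw .eml into `triage()` and passing the authserv-id your own MX writes. The Date-versus-Received comparison is the same check an investigator does by hand on the Gmail example above (Date 17:51:03 +0500 against Received 05:51:20 -0700, a 17-second gap), and passing a different authserv-id makes the code ignore the whole Authentication-Results block, which is the behaviour you want when the header could have been planted.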

Server Investigation :

In this type of investigation, copies of delivered messages and server logs are examined to identify the source of an email. Even if the parties (senders or recipients) delete their messages and they cannot be recovered from their devices, the messages may still be logged by intermediate servers (proxies or service providers), which often keep a copy of every message after delivery. The logs maintained by these servers can then be used to trace the location of the computer responsible for the email exchange. However, proxies and ISPs keep message copies and server logs only for a limited period, and some will not cooperate with forensic investigators without legal process. SMTP servers that hold account data such as credit card numbers and other information about the owner of a mailbox can also be used to identify the individuals behind an email address.

Bait tactics :

In this type of investigation, an email containing an HTTP <img src> tag whose image is hosted on a server monitored by the investigators is sent, from a genuine (authentic) address, to the sender of the email under investigation. When the recipient opens the message and the mail client fetches the image, a log entry containing the recipient's IP address (that is, the address of the suspected sender) is written on the HTTP server hosting the image, and the sender is traced that way. If the recipient is using a proxy, the IP address logged is that of the proxy server.

The proxy server keeps its own log, which can then be used to trace the sender of the email under investigation. If even the proxy server's log is unavailable for some reason, investigators have historically sent a message carrying an embedded Java applet, or an HTML page with an ActiveX object, that runs on the recipient's machine in order to identify them. Both of those techniques are obsolete: current mail clients do not execute applets or ActiveX, and many block remote images by default or fetch them through the provider's own image proxy, in which case the logged IP belongs to that proxy. Bait of this kind is also an active intrusion into the suspect's system and requires legal authority.
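The image-tag bait described above, as an added example that is not part of the original article: a minimal tracking-pixel server in Python's standard library that serves a 1x1 GIF whose URL carries a per-recipient token, records the peer address of whoever fetches it, and keeps the proxy-supplied headers (X-Forwarded-For, Via) separate, since those are the only hint that the logged address is a proxy rather than the reader. The server address, the path /p.gif and the log structure are assumptions made for the example.

```python
"""Bait (web bug) server: serve a 1x1 GIF with a per-recipient token and log who fetched it.
Use only with legal authority; modern clients may block the image or fetch it via a proxy."""
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlparse

# A 1x1 transparent GIF (43 bytes).
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04\x01"
         b"\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")

HITS = []   # in a real deployment, append to a file with timestamps instead


def new_token():
    """One unguessable token per recipient so a hit can be tied to one bait message."""
    return secrets.token_urlsafe(12)


def bait_html(base_url, token):
    """HTML body for the bait message; base_url is the investigator's server (assumed)."""
    return (f'<html><body><p>Re: your message</p>'
            f'<img src="{base_url}/p.gif?t={token}" width="1" height="1" alt=""></body></html>')


def record_hit(path, headers, remote_addr, now=None):
    """Turn one GET into a log record; returns None when no token is present.
    X-Forwarded-For and Via are supplied by the client or an intermediate proxy and
    may be absent or forged, so they are kept apart from the TCP peer address."""
    token = parse_qs(urlparse(path).query).get("t", [None])[0]
    if not token:
        return None
    rec = {"time": time.time() if now is None else now,
           "token": token,
           "remote_addr": remote_addr,
           "x_forwarded_for": headers.get("X-Forwarded-For"),
           "via": headers.get("Via"),
           "user_agent": headers.get("User-Agent")}
    HITS.append(rec)
    return rec


def via_proxy(rec):
    """True when the request carries proxy headers: remote_addr is then the proxy,
    and the proxy's own logs are the next place to look."""
    return bool(rec["x_forwarded_for"] or rec["via"])


class PixelHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        record_hit(self.path, self.headers, self.client_address[0])
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")   # force a fresh fetch on every open
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, fmt, *args):   # keep stdout quiet; HITS is the record
        pass


if __name__ == "__main__":
    token = new_token()
    print(bait_html("http://127.0.0.1:8000", token))   # paste into the bait message
    HTTPServer(("127.0.0.1", 8000), PixelHandler).serve_forever()
```

The User-Agent recorded with each hit is usually a mail client or a provider's image-fetching proxy rather than a browser, which is itself a useful fingerprint; a hit whose remote_addr belongs to the recipient's mail provider means the image was proxied and the reader's address was never exposed.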

Network device investigation :

Network devices like firewalls, routers, switches and modems keep logs that can be used to track the source of an email. In this type of investigation, those logs are examined to establish where a message originated. It is a complex kind of investigation and is used seldom, typically when the proxy or ISP logs are unavailable for some reason, such as lack of log retention or lack of cooperation from the ISP.

Software embedded identifiers :

Some information about the author of an email, or about attached files and documents, may be embedded in the message by the software the sender used to compose it. This information may appear as custom headers (X-Mailer, User-Agent and similar) or as MIME content, for example in Microsoft's TNEF (winmail.dat) format. Examining the message for these details can reveal information about the sender's mail setup and preferences that supports client-side evidence gathering; the analysis can expose PST file names, MAC addresses and similar details of the client computer used to send the message.

Attachment analysis :

Most viruses and malware that reach users arrive as email attachments, so examining attachments is crucial in any email-related investigation. Leakage of private data through attachments is another significant area of examination. Software and tools are available to recover email-related data, such as attachments, from a computer's hard drive. To examine a suspicious attachment, investigators often submit it to an online scanner such as VirusTotal to check whether the file is known malware. It is important to keep in mind that a clean result from a service like VirusTotal does not guarantee that a file is safe, and that uploading a file shares it with third parties, which may be unacceptable for sensitive evidence; looking up the file's hash first avoids that. If the result is inconclusive, the file should be investigated further in a sandbox environment such as Cuckoo.
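As an added example (not code from the original article), the first step of attachment analysis in Python's standard library: extract every attachment from a raw message, hash it so the hash can be looked up in a reputation service before anything is uploaded, and compare the file name and declared Content-Type with the file's magic bytes, which is how an executable renamed to look like a document is caught without opening it. The message it analyzes is constructed for the example (a PE stub named invoice.pdf next to a genuine minimal PDF); the magic-byte table covers only a handful of common types and is meant to be extended.

```python
"""Attachment triage: extract, hash, and compare declared type against magic bytes."""
import hashlib
from email import message_from_bytes
from email.message import EmailMessage
from email.policy import default

# Leading bytes of a few common file types; enough to catch an executable that was
# renamed to look like a document. Extend as needed.
MAGIC = [
    (b"MZ", "application/x-dosexec"),                            # Windows PE: .exe/.dll/.scr
    (b"\x7fELF", "application/x-elf"),                            # Linux executable
    (b"%PDF", "application/pdf"),
    (b"PK\x03\x04", "application/zip"),                           # zip, docx/xlsx/pptx, jar
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "application/x-ole2"),  # legacy .doc/.xls, .msi
]
# What the magic bytes should be for a given file extension.
EXT_EXPECT = {"exe": "application/x-dosexec", "pdf": "application/pdf",
              "zip": "application/zip", "docx": "application/zip", "xlsx": "application/zip",
              "doc": "application/x-ole2", "xls": "application/x-ole2"}
EXECUTABLE = {"application/x-dosexec", "application/x-elf"}


def sniff(data):
    """Identify a blob by its leading bytes, independent of its name and Content-Type."""
    for sig, kind in MAGIC:
        if data.startswith(sig):
            return kind
    return "unknown"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def analyze_attachments(raw):
    """One record per attachment: name, declared vs actual type, size and SHA-256.
    The hash is what you look up in a reputation service first; only if that is
    inconclusive does the file itself need to go to a sandbox."""
    msg = message_from_bytes(raw, policy=default)
    records = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        name = part.get_filename() or "(unnamed)"
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        actual = sniff(data)
        expected = EXT_EXPECT.get(ext)
        records.append({
            "filename": name,
            "declared_type": part.get_content_type(),
            "actual_type": actual,
            "size": len(data),
            "sha256": sha256_hex(data),
            "type_mismatch": expected is not None and actual != expected,
            "executable": actual in EXECUTABLE,
        })
    return records


# Constructed sample message (not evidence from a real case): a PE stub renamed to look
# like a PDF, next to a genuine minimal PDF.
FAKE_PE = b"MZ\x90\x00" + b"\x00" * 60 + b"PE\x00\x00"
TINY_PDF = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"


def build_sample():
    msg = EmailMessage()
    msg["From"] = "accounts@bank.example"
    msg["To"] = "victim@example.net"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(FAKE_PE, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(TINY_PDF, maintype="application", subtype="pdf", filename="report.pdf")
    return msg.as_bytes()


RAW = build_sample()

if __name__ == "__main__":
    for rec in analyze_attachments(RAW):
        verdict = "SUSPICIOUS" if rec["type_mismatch"] or rec["executable"] else "ok"
        print(f"{rec['filename']:<12} declared={rec['declared_type']:<16} "
              f"actual={rec['actual_type']:<22} sha256={rec['sha256'][:16]}... {verdict}")
```

To run this on real evidence, read the .eml file in binary mode and pass the bytes to `analyze_attachments()`; the SHA-256 values it returns are what you search for in VirusTotal or an internal hash database, so that the file itself only leaves your custody if the hash is unknown.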

Sender mailer fingerprints :

Examining the Received fields in the headers identifies the software handling mail at the server end, and examining the X-Mailer (or User-Agent) field identifies the software used at the client end. These header fields name the software and version used to send the message. This information about the sender's client machine helps investigators formulate an effective strategy, so these lines turn out to be very valuable. Like all sender-supplied headers, X-Mailer can be forged or omitted, so it is a fingerprint rather than proof.

Email forensics tools :

In the past decade a number of email forensics tools have been developed, but most of them were created in isolation. Moreover, most of these tools are not designed to solve a particular digital or computer crime; instead, they are designed to search for or recover data. Forensic tooling has nevertheless improved to ease the investigator's work, and many good tools are available on the internet. Some tools used for email forensics analysis are as follows:

EmailTrackerPro :

EmailTrackerPro analyzes the headers of an email message to identify the IP address of the machine that sent it so that the sender can be located. It can trace multiple messages at the same time and monitor them effectively. The location of an IP address is key information for deciding the threat level or legitimacy of a message. The tool can narrow down the city the email most likely originated from, identifies the sender's ISP and provides contact details for further investigation. The actual route to the sender's IP address is reported in a routing table, giving additional location information to help determine the sender's true location. To protect against spam, it checks email against spam blacklists such as SpamCop. It supports several languages, including Japanese, Russian and Chinese spam filters along with English. A significant feature of this tool is abuse reporting, which generates a report that can be sent to the sender's ISP; the ISP can then identify the account holder and help shut down the spam.

Xtraxtor :

Xtraxtor is designed to extract email addresses, phone numbers and messages from various file formats. It automatically detects the default mailbox location and quickly analyzes the email data. Users can easily extract email addresses from messages and even from file attachments. Xtraxtor recovers deleted and unpurged messages from numerous mailbox formats and IMAP mail accounts. It also has an easy-to-learn interface and a good help feature, and it saves a lot of time with its fast email processing engine and de-duplication features. Xtraxtor is compatible with Mac MBOX files and Linux systems and provides powerful features for finding relevant information.

Advik (Email backup tool) :

Advik Email Backup Tool is used to transfer or export all the emails from a mailbox, including all folders such as Sent, Drafts, Inbox and Spam. The user can download a backup of any email account without much effort. Converting the backup into different file formats is another feature of the tool. Its main feature is the Advanced Filter, which saves a great deal of time by exporting only the messages of interest from the mailbox. The IMAP feature retrieves emails from cloud-based mailboxes and can be used with any email service provider. Advik can store backups in a location of the user's choosing and supports multiple languages along with English, including Japanese, Spanish and French.

Systools MailXaminer :

With this tool, a user can customize search filters depending on the case. It gives users the option to search within messages and attachments. In addition, it offers comprehensive support for forensic analysis of both desktop and web-based email services, and lets examiners handle more than one case at a time in a legally sound manner. With its help, examiners can also view chat details, perform call analysis and view message details between different users of the Skype application. The main features of this software are that it supports multiple languages along with English, including Japanese, Spanish, French and Chinese, and that the format in which it recovers deleted mail is court-admissible. It provides a log management view in which all activities are shown. SysTools MailXaminer is compatible with dd, E01, ZIP and many other formats.

Adcomplain :

Adcomplain is a tool for reporting unsolicited commercial email and botnet postings, including advertisements like "make quick money" and "fast money". After identifying such mail, Adcomplain itself performs header analysis to determine the sender's ISP and sends the report to it.

Conclusion :

Email is used by almost everyone with internet access all over the world. Scammers and cybercriminals can forge email headers and send messages with malicious or fraudulent content anonymously, which can lead to data compromise and intrusions, and this is what makes email forensic examination important. Cybercriminals use several techniques to lie about their identity:

  • Spoofing :

To hide their own identity, attackers forge the headers of an email and fill them with false information. When email spoofing is combined with IP spoofing, it becomes very difficult to trace the actual person behind it.

  • Unauthorized Networks :

Networks that have already been compromised (wired and wireless alike) are used to send spam in order to hide the sender's identity.

  • Open mail relays :

A mail relay that is misconfigured so that it accepts mail from any computer, including ones it should not accept from, and forwards it on to any destination is called an open mail relay. A properly configured relay accepts mail only from specific trusted hosts, or only for its own domains. Open relays are used by scammers and attackers to hide their identity, because the mail appears to originate from the relay rather than from them.

  • Open Proxy :

A machine that lets users or computers connect through it to other systems is called a proxy server. There are different kinds of proxy server, such as corporate and transparent proxies, depending on the degree of anonymity they provide. An open proxy server does not track user activity or keep logs, unlike other proxy servers, which record user activity with proper timestamps. Open proxies therefore provide the anonymity and privacy that a scammer values.

  • Anonymizers :

Anonymizers or remailers are services that operate under the banner of protecting users' privacy on the internet and make them anonymous by deliberately stripping identifying headers from email and by not keeping server logs.

  • SSH Tunnel :

On the internet, a tunnel is a secure path for data travelling across an untrusted network. Tunnelling can be done in different ways depending on the software and technique used; with SSH port forwarding, an encrypted tunnel is created over the SSH connection. Scammers use SSH tunnelling to send email through another host so that their own identity is hidden.

  • Botnets :

The term bot, from "robot", conventionally describes a script, set of scripts or program designed to perform predefined tasks repeatedly and automatically once triggered, either deliberately or through a system infection. Although bots started as a useful way to carry out repetitive and tedious tasks, they are also abused for malicious purposes. Bots that perform legitimate tasks automatically are called benign bots, and those designed with malicious intent are called malicious bots. A botnet is a network of bots controlled by a botmaster. A botmaster can order the bots running on compromised computers around the globe to send email to designated addresses while hiding his own identity, committing email scams or fraud.

  • Untraceable Internet Connections :

Internet cafes, university campuses and other organizations provide internet access to users over shared connections. If proper logs of users' activity are not kept, it is very easy to carry out illegal activities and email scams from such connections and get away with it.

Email forensic analysis is used to find the actual sender and receiver of an email, the date and time it was received, and information about the intermediate devices involved in delivering the message. Various tools are available to speed up these tasks and to search for keywords easily. These tools analyze email headers and give the forensic investigator the desired result quickly.

About the author

Usama Azad

A security enthusiast who loves Terminal and Open Source. My areas of expertise are Python, Linux (Debian), Bash, penetration testing, and firewalls. I was born and raised in Wazirabad, Pakistan and am currently doing my undergraduate degree at the National University of Science and Technology (NUST). On Twitter I go by @UsamaAzad14