Email Investigation:-
E-mail forensics is the study of the source and content of e-mail as evidence, in order to identify the actual sender and recipient of a message, the date/time of transmission, the detailed record of the e-mail transaction, the intent of the sender, and so on. It involves investigation of metadata, keyword searching, port scanning, etc. for authorship attribution and for the identification of e-mail scams.
Header Analysis: Metadata in the e-mail message, in the form of control information (the envelope and the headers, including headers carried in the message body), contains information about the sender and/or the path along which the message has traversed. Some of this metadata may be spoofed to hide the identity of the sender, so header analysis consists of a detailed examination of these headers and of their correlation with one another (for example, whether the host names, IP addresses and timestamps of successive Received lines agree with each other and with the authentication results).
Bait-Tactic Investigation: In a bait-tactic investigation, an e-mail containing an HTTP image tag whose source is hosted on a computer monitored by the investigators is sent to the address of the sender under investigation. When the e-mail is opened and the image is fetched, a log entry containing the IP address of the requester (the sender of the e-mail under investigation) is recorded on the HTTP server hosting the image, and the sender is tracked that way. If the recipient is using a proxy server, the IP address of the proxy server is recorded instead.
The log on the proxy server can then be used to track the sender of the e-mail under investigation. If the proxy server's log is unavailable, the older literature suggests sending a bait e-mail containing (i) an embedded Java applet that runs on the receiver's computer or (ii) an HTML page with an ActiveX object, both intended to extract the IP address of the receiver's computer and e-mail it to the investigators. Two caveats apply today: mail clients no longer execute Java applets or ActiveX content at all, and many clients either block remote images by default or fetch them through the provider's own image proxy (Gmail does this), so the logged address is frequently that of the proxy rather than of the suspect. The tactic also plants a tracking beacon in the suspect's mailbox, so it requires proper legal authority before it is used.
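The beacon side of the bait tactic, as an added example that is not code from the original page or from any tool it names: a small HTTP listener that serves a 1x1 GIF, ties each request to the recipient it was sent to through a per-recipient token, and records the requester's address, any X-Forwarded-For value and the User-Agent. The base URL bait.example, the /t/<token>.gif path scheme and the recognition of Gmail's image proxy by the string GoogleImageProxy in the User-Agent are assumptions of this example.

```python
import re
import secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# 43-byte transparent 1x1 GIF. The request for it, not the image, is the evidence.
PIXEL = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff!\xf9\x04"
         b"\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;")
TOKEN_RE = re.compile(r"^/t/([A-Za-z0-9_-]{8,})\.gif$")   # assumed path scheme
PROXY_MARKERS = ("GoogleImageProxy",)                      # assumed proxy fingerprint


def make_bait(base_url, target_addr, registry):
    """Register a fresh token for one recipient and return the HTML to embed.
    One token per recipient lets a hit be attributed even if the bait is forwarded."""
    token = secrets.token_urlsafe(12)
    registry[token] = target_addr
    return f'<img src="{base_url}/t/{token}.gif" width="1" height="1" alt="">'


def record_hit(registry, path, remote_addr, headers):
    """Turn one GET into an evidence record, or None when the token is unknown
    (crawlers and scanners request random paths; those are noise, not evidence)."""
    m = TOKEN_RE.match(path)
    if not m or m.group(1) not in registry:
        return None
    ua = headers.get("User-Agent", "")
    xff = headers.get("X-Forwarded-For", "")
    return {
        "time": datetime.now(timezone.utc).isoformat(),
        "token": m.group(1),
        "target": registry[m.group(1)],
        "ip": remote_addr,                                   # peer address on the socket
        "forwarded_for": xff.split(",")[0].strip() or None,  # only trustworthy behind our own proxy
        "user_agent": ua,
        "proxied": any(mark in ua for mark in PROXY_MARKERS),  # hit came via an image proxy
    }


class BeaconHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        hit = record_hit(self.server.registry, self.path, self.client_address[0], self.headers)
        if hit is None:
            self.send_error(404)
            return
        self.server.hits.append(hit)
        self.send_response(200)
        self.send_header("Content-Type", "image/gif")
        self.send_header("Content-Length", str(len(PIXEL)))
        self.send_header("Cache-Control", "no-store")   # a cached image never reaches us again
        self.end_headers()
        self.wfile.write(PIXEL)

    def log_message(self, fmt, *args):   # evidence is kept in self.server.hits, not on stderr
        pass


def serve(registry, bind="127.0.0.1", port=8080):
    srv = HTTPServer((bind, port), BeaconHandler)
    srv.registry, srv.hits = registry, []
    srv.serve_forever()


if __name__ == "__main__":
    registry = {}
    print(make_bait("http://bait.example", "suspect@example.net", registry))
    serve(registry)
```

A hit whose proxied flag is set tells you only that the suspect's provider fetched the image, so the ip field is the provider's and the investigation falls back to the provider's logs, exactly as the proxy case above describes.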
Server Investigation: In this investigation, copies of delivered e-mails and server logs are examined to identify the source of an e-mail message. E-mails purged from the clients (senders or receivers), whose recovery there is impossible, may be requested from the servers (proxy or ISP), as most of them keep a copy of every e-mail for some time after delivery. Further, the logs maintained by the servers can be analysed to trace the address of the computer responsible for making the e-mail transaction. Servers keep copies of e-mail and server logs only for limited periods, and some may not co-operate with the investigators. Providers that hold account data such as the credit card number and other registration details of the owner of a mailbox can be used to identify the person behind an e-mail address.
Network Device Investigation: In this part of the e-mail forensic investigation, logs maintained by network devices such as routers, firewalls and switches are used to investigate the source of an e-mail message. This type of investigation is complex and is used only when the logs of the servers (proxy or ISP) are unavailable, e.g. when the ISP or proxy does not maintain a log, when the ISP does not co-operate, or when the chain of custody of the server evidence cannot be maintained.
Software Embedded Identifiers: Some information about the creator of the e-mail, the attached files or the documents may be included with the message by the e-mail software used by the sender to compose it. This information may appear in custom headers or in the MIME content, for instance as a Transport Neutral Encapsulation Format (TNEF) attachment (the winmail.dat file generated by Outlook). Investigating the e-mail for these details may reveal information about the sender's e-mail preferences and options that helps client-side evidence gathering: the investigation can reveal PST file names, the Windows logon username, the MAC address, etc. of the client computer used to send the message.
Sender Mailer Fingerprints: The software handling e-mail at the server can be identified from the Received header fields, and the software handling e-mail at the client can be identified from other headers such as X-Mailer (or its equivalent, e.g. User-Agent). These headers name the applications, and their versions, used at the client to send the e-mail. This information about the sender's client computer can be used to corroborate other evidence (for example, that the mail client named in the header is actually installed on the suspect's machine).
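The two passages above (software embedded identifiers and sender mailer fingerprints) describe what to look for; the following is an added example, not code from the original page, that pulls those client-side artefacts out of a message with the Python standard library. The sample message is constructed for this example (documentation addresses and IP; an Outlook-style Message-ID, a "----=_NextPart_" boundary and a Thread-Index header are used because those are typical of Outlook, which is a heuristic, not a rule), and the winmail.dat part carries only the 4-byte TNEF signature. Parsing the TNEF attribute stream itself, where the PST name or logon name would sit, needs a TNEF parser such as the tnefparse package; this code only detects and validates the container.

```python
import re
from email import message_from_string

# Constructed sample (not a message from the page).
OUTLOOK_RAW = """\
From: Alice <alice@example.org>
To: Bob <bob@example.net>
Subject: Q1 figures
Date: Wed, 09 Feb 2022 11:16:00 -0500
Message-ID: <000c01d81dd0$6b2c8c30$4185a490$@example.org>
X-Mailer: Microsoft Outlook 16.0
X-Originating-IP: [203.0.113.7]
Thread-Index: AdgdzGq6Zc3mQzV1Qy2jYqFcQ1n8Kg==
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="----=_NextPart_000_000D_01D81DA6.52161C30"

------=_NextPart_000_000D_01D81DA6.52161C30
Content-Type: text/plain; charset="us-ascii"

Numbers attached.

------=_NextPart_000_000D_01D81DA6.52161C30
Content-Type: application/ms-tnef; name="winmail.dat"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="winmail.dat"

eJ8+Ig==
------=_NextPart_000_000D_01D81DA6.52161C30--
"""

TNEF_MAGIC = b"\x78\x9f\x3e\x22"   # TNEF signature 0x223E9F78, stored little-endian

# Headers defined by the mail RFCs; anything else is client- or server-specific and
# therefore a fingerprint worth listing.
STANDARD = {"from", "to", "cc", "bcc", "subject", "date", "message-id", "mime-version",
            "content-type", "content-transfer-encoding", "received", "return-path",
            "delivered-to", "reply-to", "in-reply-to", "references", "dkim-signature",
            "authentication-results", "received-spf", "list-unsubscribe"}


def client_fingerprints(raw):
    msg = message_from_string(raw)
    fp = {
        "mailer": msg.get("X-Mailer") or msg.get("User-Agent"),
        "originating_ip": None,
        "message_id_host": None,
        "boundary": msg.get_boundary(),          # boundary prefixes are client-specific
        "extra_headers": sorted(k for k in msg.keys() if k.lower() not in STANDARD),
        "tnef": [],
    }
    m = re.search(r"\d{1,3}(?:\.\d{1,3}){3}", msg.get("X-Originating-IP", ""))
    fp["originating_ip"] = m.group(0) if m else None
    mid = msg.get("Message-ID", "")
    if "@" in mid:
        fp["message_id_host"] = mid.rpartition("@")[2].strip("<> ")
    for part in msg.walk():
        name = part.get_filename() or ""
        if part.get_content_type() == "application/ms-tnef" or name.lower() == "winmail.dat":
            payload = part.get_payload(decode=True) or b""
            fp["tnef"].append({"filename": name,
                               "signature_ok": payload[:4] == TNEF_MAGIC,
                               "size": len(payload)})
    return fp


if __name__ == "__main__":
    for key, value in client_fingerprints(OUTLOOK_RAW).items():
        print(f"{key:16} {value}")
```

A mailer string that contradicts the other artefacts (for example an X-Mailer claiming Outlook but a boundary and Message-ID in the style of a bulk-mailing script) is itself a finding, since X-Mailer is set by the sender and can be written to say anything.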
Components Involved in Email-Communication
Mail User Agent (MUA): A Mail User Agent (MUA), also referred to as an e-mail client, is a computer application that allows you to compose, send and retrieve e-mail. The MUA is what you interact with, as opposed to a mail server, which transports e-mail. MUAs can be desktop applications, such as Outlook Express and Lotus Notes, or webmail services such as those provided by Yahoo!, Microsoft Outlook.com and Gmail.
Mail Transfer Agent (MTA): An MTA is one element of the e-mail delivery process. It receives an e-mail from the mail/message submission agent (MSA), which in turn receives it from the mail user agent (MUA), and relays it over SMTP toward the recipient's domain, adding a Received line at each hop.
Mail Delivery Agent (MDA): A Mail Delivery Agent (MDA) is a computer program that receives e-mail from a Mail Transfer Agent (MTA), then sorts and delivers the e-mail into the recipient's mailbox. The recipient accesses the e-mail in their mailbox using a Mail User Agent (MUA).
SMTP Server: An SMTP server, i.e. a Simple Mail Transfer Protocol server, is the application that sends, receives and relays e-mail. Its major task is to act as a relay for outgoing mail between an e-mail sender and an e-mail receiver. Note that "SMTP server" denotes the server-side software (an MTA or MSA), not a particular machine. Its default port is 25 for server-to-server relay; clients submit mail to the MSA on port 587 (STARTTLS) or 465 (implicit TLS).
POP3 Server:Post Office Protocol version 3 (POP3) is a mail protocol used to retrieve mail from a remote server to a local email client. POP3 copies the mail from the remote server into the local mail client. Optionally, mail is deleted after it is downloaded from the server. This saves space on the server.
Port 110 – Default POP3 port.
Port 995 – POP3 port used for SSL/TLS.
IMAP Server: IMAP lets you access your e-mail messages from wherever you are; most of the time it is accessed over the Internet. Messages are stored on the server, and whenever you check your inbox your e-mail client contacts the server to show you your messages. When you read a message over IMAP you are not downloading or storing it on your computer (unless the client caches it); you are reading it off the server, which is why an IMAP mailbox is best acquired server-side, where the messages and their flags still live. By default the IMAP server listens on port 143, and IMAPS (IMAP over SSL/TLS) on port 993.
Understanding the part of an Email Message:
Steps to Investigate Email Crime:
- Seize the Computer and Email Accounts.
- Acquire the Email Data.
- Examining Email Data.
- Retrieving Email Headers.
- Analyzing Email Headers.
- Recovering Deleted Emails.
Examining Email Header using SysTools Eml Viewer:
Acquiring Email Data from Web-based Email Accounts: Use Google Takeout to download an offline backup of a Gmail account in the mbox file format. Record a cryptographic hash of the downloaded archive straight away, before opening it in any viewer, so that later analysis can be shown to have worked on the unaltered export.
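Once the mbox export is on disk, the first examination step is an inventory that fixes each message's identity and hash. The following is an added example, not code from the original page or from Google Takeout: it hashes the archive, walks it with the standard mailbox module, records a per-message SHA-256 with the fields an examiner sorts on, and re-verifies the manifest later. The two-message mbox is constructed for this example (it reuses addresses quoted elsewhere on this page, the bodies are placeholders, and the file name takeout.mbox is arbitrary).

```python
import hashlib
import mailbox
import os
import tempfile
from email.utils import parsedate_to_datetime

# Constructed two-message mbox (not a real Takeout export).
SAMPLE_MBOX = """\
From MAILER-DAEMON Wed Feb  9 19:13:19 2022
From: newsletter@amny.binoinforticsedia.me
To: yourhackr@gmail.com
Subject: Test one
Date: Wed, 09 Feb 2022 11:13:19 -0800
Message-ID: <one@example.invalid>

body one

From MAILER-DAEMON Wed Feb  9 16:16:00 2022
From: feedblitz@mail.feedblitz.com
To: epsdix@gmail.com
Subject: Test two
Date: Wed, 09 Feb 2022 11:16:00 -0500
Message-ID: <two@example.invalid>

body two
"""


def sha256_file(path):
    """Hash of the whole archive, taken before anything else touches it."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory(path):
    """Per-message manifest: SHA-256 of each message's bytes as stored in the mbox
    (headers and body, without the 'From ' separator) plus the fields an examiner
    sorts and searches on."""
    box = mailbox.mbox(path, create=False)
    rows = []
    try:
        for key in box.keys():
            raw = box.get_bytes(key)
            msg = box.get_message(key)
            date = msg.get("Date")
            rows.append({
                "key": key,
                "sha256": hashlib.sha256(raw).hexdigest(),
                "size": len(raw),
                "message_id": msg.get("Message-ID"),
                "from": msg.get("From"),
                "to": msg.get("To"),
                "date": parsedate_to_datetime(date).isoformat() if date else None,
            })
    finally:
        box.close()
    return rows


def verify(path, manifest):
    """Re-hash the mailbox and return the keys whose content no longer matches."""
    current = {row["key"]: row["sha256"] for row in inventory(path)}
    return [row["key"] for row in manifest if current.get(row["key"]) != row["sha256"]]


def demo():
    """Write the sample, inventory it, then show that a later change is detected."""
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, "takeout.mbox")
        with open(path, "w", newline="\n") as fh:
            fh.write(SAMPLE_MBOX)
        archive_hash = sha256_file(path)
        rows = inventory(path)
        clean = verify(path, rows)
        with open(path, "a", newline="\n") as fh:   # simulate a modification after acquisition
            fh.write("tampered\n")
        tampered = verify(path, rows)
    return {"archive_sha256": archive_hash, "rows": rows, "clean": clean, "tampered": tampered}


if __name__ == "__main__":
    result = demo()
    print(result["archive_sha256"])
    for row in result["rows"]:
        print(row["key"], row["sha256"][:16], row["date"], row["from"])
    print("changed after tampering:", result["tampered"])
```

The per-message hashes matter because a Takeout archive is one large file: a single hash of the whole export tells you it changed, the manifest tells you which message did.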
Email Header Analysis:
Delivered-To: yourhackr@gmail.com
Received: by 2002:a05:7000:258e:0:0:0:0
with SMTP id h14csp1141228man;
Wed, 9 Feb 2022 11:13:19 -0800 (PST)
X-Google-Smtp-Source:
ABdhPJwSgo+Xg+T0nmNIvV1hK3AxywhCLCPW1Uhrgh7vUkJ3YLRtEBjlbob0DDa31yD8pxyVNuEp
X-Received: by 2002:a05:6512:1042::
with SMTP id c2mr2464711lfb.566.1644433999422;
Wed, 09 Feb 2022 11:13:19 -0800 (PST)
Return-Path:
<newsletter@amny.binoinforticsedia.me>
Received: from domain.com
(miller.midgetupon.com. [178.216.169.79]) by mx.google.com with ESMTP id
y3si18144010ljp.466.2022.02.09.11.13.18 for <yourhackr@gmail.com>;
Wed, 09 Feb 2022 11:13:19 -0800 (PST)
Received-SPF: neutral (google.com:
178.216.169.79 is neither permitted nor denied by best guess record for domain
of newsletter@amny.binoinforticsedia.me) client-ip=178.216.169.79;
Authentication-Results: mx.google.com;
dkim="pass
header.i=@mail.feedblitz.com header.s=mdaemon header.b=vukeVQTS";
arc="fail (missing arc-seal
header)";
spf="neutral (google.com:
178.216.169.79 is neither permitted nor denied by best guess record for domain
of newsletter@amny.binoinforticsedia.me)
smtp.mailfrom=newsletter@amny.binoinforticsedia.me";
dmarc="pass (p=QUARANTINE
sp=QUARANTINE dis=NONE) header.from=mail.feedblitz.com"
Subject:
=?utf-8?Q?=ED=A0=BD=ED=BA=A849.=ED=A0=B5=ED=BF=B1=ED=A0=B5=ED=BF=B5=ED=A0=B5=ED=BF=AD,=ED=A0=B5=ED=BF=AE=ED=A0=B5=ED=BF=B1=ED=A0=BD=ED=B2=B2=ED=A0=BD=ED=BA=A8A=ED=A0=B5=ED=B7=B1=ED=A0=B5=ED=B7=B1=ED=A0=B5=ED=B7=B2=ED=A0=B5=ED=B7=B1_=ED=A0=B5=ED=B8=81=ED=A0=B5=ED=B7=BC?=
=?utf-8?Q?_=ED=A0=B5=ED=B8=86=ED=A0=B5=ED=B7=BC=ED=A0=B5=ED=B8=82=ED=A0=B5=ED=B7=BF_=ED=A0=B5=ED=B7=AE=ED=A0=B5=ED=B7=B0=ED=A0=B5=ED=B7=B0=ED=A0=B5=ED=B7=BC=ED=A0=B5=ED=B8=82=ED=A0=B5=ED=B7=BB=ED=A0=B5=ED=B8=81,=ED=A0=BD=ED=B2=B0_=ED=A0=B5=ED=B7=B0o=ED=A0=B5=ED=B7=BB=ED=A0=B5=ED=B7=B3=ED=A0=B5=ED=B7=B6=ED=A0=B5=ED=B7=BF=ED=A0=B5=ED=B7=BA?=
=?utf-8?Q?_=ED=A0=B5=ED=B7=B6=ED=A0=B5=ED=B8=81_=ED=A0=B5=ED=B7=BB=ED=A0=B5=ED=B7=BC=ED=A0=B5=ED=B8=84_=ED=A0=B5=ED=B7=AF=ED=A0=B5=ED=B7=B2=ED=A0=B5=ED=B7=B3=ED=A0=B5=ED=B7=BC=ED=A0=B5=ED=B7=BF=ED=A0=B5=ED=B7=B2_=ED=A0=B5=ED=B7=B2=ED=A0=B5=ED=B8=85=ED=A0=B5=ED=B7=BD=ED=A0=B5=ED=B7=B6=ED=A0=B5=ED=B7=BF=ED=A0=B5=ED=B7=AE=ED=A0=B5=ED=B8=81=ED=A0=B5=ED=B7=B6=ED=A0=B5=ED=B7=BC=ED=A0=B5=ED=B7=BB=ED=A0=BD=ED=B2=B0?=
Date: Wed, 09 Feb 2022 14:13:18 -0500
(EST)
ARC-Message-Signature: i=1;
a="rsa-sha256"; c="relaxed/relaxed";
d="google.com";
s="arc-20160816";
h="message-id:mime-version:list-unsubscribe:subject:date:to:reply-to :from:dkim-signature";
bh="jOBw6P5g3E5ddG70r4+PTZl8uShwu91KPY4i5wjAacY=";
b="hjLtcpmNywlqpDTBvq5qGSQqVoO7YgZtJU/uNp8gGh4qG7ADFdiUo8PiAPIezFfcHb
mG5fSCEje7nxdByolxSyRlF7FC7X6SQ8Xh1bHdAv54loZd7XcTdaCnKwJmfhf0QHBtfQ scdjIWbLzqpsfc91Gp+oRmVbU/RjGBmBZ7S4qVhjS6jDfaFDgegskpvR3+VdXyQ3OTtx 6V33tCRpw97gQElW2TWocnFRf/d97/nOd3yGxqRsA/KoyQvvvVp/lsJBJUu3DGw0Op/4
Cc1i7DPPZ3oZJJB6OuBlST+9NaLak/86j+mTCCzS75nZKz+ShWgO4XBg8/+IkAiaZq3L lAyA=="
ARC-Authentication-Results: i=1;
mx.google.com;
dkim="pass
header.i=@mail.feedblitz.com header.s=mdaemon header.b=vukeVQTS";
spf="pass (google.com: domain of
feedblitz@mail.feedblitz.com designates 74.208.147.114 as permitted sender)
smtp.mailfrom=FeedBlitz@mail.feedblitz.com";
dmarc="pass (p=QUARANTINE
sp=QUARANTINE dis=NONE) header.from=mail.feedblitz.com"
Return-Path:
<FeedBlitz@mail.feedblitz.com>
Received: from mail06.feedblitz.com
(mail06.feedblitz.com. [74.208.147.114]) by mx.google.com with ESMTPS id
p2si2271305ybg.286.2022.02.09.08.15.58 for <epsdix@gmail.com>
(version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Wed, 09 Feb 2022 08:15:58 -0800 (PST)
Received-SPF: pass (google.com: domain
of feedblitz@mail.feedblitz.com designates 74.208.147.114 as permitted sender)
client-ip=74.208.147.114;
Received: from mail06.feedblitz.com
([74.208.147.114]) by mail06.feedblitz.com over TLS secured channel with
Microsoft SMTPSVC(10.0.14393.4169);
Wed, 9 Feb 2022 11:16:00 -0500
DKIM-Signature: v=1;
a="rsa-sha1"; c="relaxed/relaxed";
d="mail.feedblitz.com"; s=mdaemon;
i="@mail.feedblitz.com";
q="dns/txt";
h="From:Reply-To:To:Date:Subject:List-Unsubscribe:
MIME-Version:Content-Type";
bh="rTIJtYcfXg76ov7wDjoiYY8aqkc=";
b="vu
keVQTS+JT3JJUriChcKl0o1xdFUDOZXVWtYWsEX5wE2WX8l6+5qP5UbEM30nG6O6
P5OuA1UL+NF8gy8C4hUibrrJBq/jvkExdyVQwWBl4SgiUaQ5mBCWN9FgU6U6tTon
WIukq4l9xQO936u/82mcmwpiT8PC5o8pz/ru8GMX8="
From: "BITCOIN"
<feedblitz@mail.feedblitz.com>
Reply-To: "BITCOIN"
<epsdix@gmail.com>
To: epsdix <epsdix@gmail.com>
Date: Wed, 09 Feb 2022 11:16:00 -0500
Subject: BITcoin [Test Send at
11:16:00]
X-Mailer: FeedBlitz
List-Unsubscribe:
<mailto:feedblitz@mail.feedblitz.com?subject=unsubscribe%20epsdix@gmail.com&body=remove%20epsdix@gmail.com%20132042391_1123969_0_fbz@mail.feedblitz.com>,
<https://app.feedblitz.com/f/?lu=epsdix@gmail.com&rp=132042391_1123969_0_fbz@mail.feedblitz.com&op=7a79f5920d45e608b446816f87048ee8>
X-fbzpid: 1768
MIME-Version: 1.0
Content-Type: multipart/alternative;
charset="UTF-8"; boundary="f33dBL1tz_mIME_pART_bOUNDARY====v1_"
Return-Path:
FeedBlitz@mail.feedblitz.com
Message-ID: <MAIL06QytxQ8STI1rgR00071251@mail06.feedblitz.com>
X-OriginalArrivalTime: 09 Feb 2022
16:16:00.0836 (UTC) FILETIME=[5412F040:01D81DD0]
X-Apparently-To: This field (added by Yahoo!, among others) is useful when the e-mail was sent to more than one recipient, e.g. via Bcc or a mailing list. It contains the address of the actual mailbox the message was delivered to. Normally it matches the To field, but for a Bcc recipient it differs, so it reveals the recipient's address regardless of whether the message was sent as To, Cc, Bcc or through a mailing list.
Return-Path: The Return-Path field is written by the final delivery agent and holds the envelope sender address (the SMTP MAIL FROM), i.e. where bounces are sent. It need not match the From header: the sender can specify any From address, so a mismatch between Return-Path and From is a first indicator of spoofing or of mail sent through a third-party service.
Received-SPF: This field records the result of the receiving server's SPF check: whether the connecting IP (client-ip) is authorised to send mail for the domain of the envelope sender (smtp.mailfrom). The domain it names is therefore the envelope domain, not necessarily the domain in the From header.
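The distinction between the SMTP envelope and the message header, which is what makes Return-Path differ from From and what Received-SPF actually evaluates (see also the SMTP Server component above), is easiest to see by capturing a submission. The following is an added example, not code from the original page or from any tool it names: it runs a stripped-down SMTP listener on localhost (a hypothetical server that understands only the commands smtplib needs for one session) and submits a message whose MAIL FROM differs from its From header. All addresses are documentation values.

```python
import smtplib
import socketserver
import threading
from email import message_from_bytes
from email.message import EmailMessage


class MiniSMTP(socketserver.StreamRequestHandler):
    """Just enough SMTP to accept one message: greets, answers EHLO, and stores the
    envelope (MAIL FROM / RCPT TO) separately from the DATA that follows it."""

    def reply(self, text):
        self.wfile.write(text.encode("ascii") + b"\r\n")

    def handle(self):
        env = {"mail_from": None, "rcpt_to": [], "data": b""}
        self.reply("220 localhost mini SMTP")
        while True:
            line = self.rfile.readline()
            if not line:
                break
            cmd = line.decode("utf-8", "replace").rstrip("\r\n")
            verb = cmd.split(" ", 1)[0].upper()
            if verb in ("EHLO", "HELO"):
                self.reply("250 localhost")
            elif verb in ("MAIL", "RCPT"):
                addr = cmd.split(":", 1)[1].strip().split()[0].strip("<>")
                if verb == "MAIL":
                    env["mail_from"] = addr
                else:
                    env["rcpt_to"].append(addr)
                self.reply("250 OK")
            elif verb == "DATA":
                self.reply("354 End data with <CR><LF>.<CR><LF>")
                chunks = []
                while True:
                    l = self.rfile.readline()
                    if l in (b".\r\n", b".\n", b""):
                        break
                    chunks.append(l[1:] if l.startswith(b"..") else l)   # dot-unstuffing
                env["data"] = b"".join(chunks)
                self.reply("250 queued")
            elif verb == "QUIT":
                self.reply("221 bye")
                break
            else:
                self.reply("250 OK")
        self.server.envelopes.append(env)


def capture_submission(header_from, envelope_from, rcpt, subject="Account notice"):
    """Submit one message through the listener and return what each layer saw."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), MiniSMTP)
    srv.envelopes = []
    port = srv.server_address[1]
    worker = threading.Thread(target=srv.handle_request)   # serve exactly one session
    worker.start()
    try:
        msg = EmailMessage()
        msg["From"], msg["To"], msg["Subject"] = header_from, rcpt, subject
        msg.set_content("Please confirm your details.")
        with smtplib.SMTP("127.0.0.1", port, local_hostname="sender.example", timeout=10) as client:
            client.sendmail(envelope_from, [rcpt], msg.as_bytes())
        worker.join(10)
    finally:
        srv.server_close()
    env = srv.envelopes[0]
    parsed = message_from_bytes(env["data"])
    return {
        "envelope_from": env["mail_from"],      # what Return-Path and the SPF check are built from
        "rcpt_to": env["rcpt_to"],              # actual delivery targets (Bcc lives only here)
        "header_from": parsed["From"],          # what the recipient's MUA displays
        "return_path_line": f"Return-Path: <{env['mail_from']}>",
    }


if __name__ == "__main__":
    seen = capture_submission("Support <support@bank.example>", "bounce@attacker.example",
                              "victim@example.org")
    for key, value in seen.items():
        print(f"{key:17} {value}")
```

The receiving server evaluates SPF against envelope_from, so a passing Received-SPF says nothing about the bank.example address the recipient sees; DMARC exists precisely to require that one of the SPF or DKIM identifiers aligns with the From header domain.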
X-Spam-Score and related: Spam-filtering software at the receiving server or MUA computes a spam score; if the score exceeds a configured limit, the message is routed to the spam folder automatically. Different filters use different header names for the score and verdict, such as X-Spam-Score, X-Spam-Status, X-Spam-Flag and X-Spam-Level.
Received: This field contains the IP address of the last MTA at the sending end, which handed the e-mail to the MTA at the receiving end. Some systems additionally record the submitting client's address in a separate X-Originating-IP field.
X-Sieve: This field names the message-filtering system and its version. Sieve is the language used to specify the conditions under which e-mail messages are filtered on the server.
X-Spam-Charsets: This field lists the character sets the spam filter considered when examining the message, e.g. UTF-8. UTF-8 is backward compatible with ASCII, which is why it is the usual choice.
X-Resolved-To: This field contains the e-mail address of the recipient, i.e. the mailbox on the mail server to which the sender's MDA delivered. Most of the time Delivered-To (or X-Delivered-To) and this field contain the same address.
Authentication-Results: This field, added by the receiving MTA, records the results of its SPF, DKIM and DMARC (and, where present, ARC) checks. Read it together with the Received chain: in the sample above, DKIM passes for mail.feedblitz.com while SPF is neutral for the envelope domain amny.binoinforticsedia.me connecting from 178.216.169.79, so the DKIM result only proves that the signed headers and body are unchanged since feedblitz signed them, not that the host that connected to mx.google.com was feedblitz.
ARC-Authentication-Results: i=1; mx.google.com; dkim="pass header.i=@mail.feedblitz.com header.s=mdaemon header.b=vukeVQTS";
spf="pass (google.com: domain of feedblitz@mail.feedblitz.com designates 74.208.147.114 as permitted sender)
smtp.mailfrom=FeedBlitz@mail.feedblitz.com";
dmarc="pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail.feedblitz.com"
Received: Each MTA that handles the message prepends its own Received field, so the chain is read from the bottom up: the lowest Received line is the first hop and records the name and IP address of the machine that sent the message, the server that received it, and the exact date and time of receipt. Only the lines added by servers you trust (your own, and those above the hop from the suspect host) are reliable; a sender can insert fabricated Received lines beneath them.
To, From and Subject: The To, From and Subject fields contain the recipient's e-mail address, the sender's e-mail address and the subject specified by the sender at the time of sending, respectively.
Received: from mail06.feedblitz.com (mail06.feedblitz.com. [74.208.147.114]) by mx.google.com with ESMTPS id p2si2271305ybg.286.2022.02.09.08.15.58 for <epsdix@gmail.com> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);
Wed, 09 Feb 2022 08:15:58 -0800 (PST)
Received-SPF: pass (google.com: domain of feedblitz@mail.feedblitz.com designates 74.208.147.114 as permitted sender) client-ip=74.208.147.114;
Received: from mail06.feedblitz.com ([74.208.147.114]) by mail06.feedblitz.com over TLS secured channel with Microsoft SMTPSVC(10.0.14393.4169);
Wed, 9 Feb 2022 11:16:00 -0500
MIME headers: For the MUA to decode the message correctly and render it safely to the user, the MIME version, the content type and the transfer encoding (and the content length, where given) matter; for the examiner they also record how attachments and alternative bodies were packaged.
MIME-Version: 1.0
Content-Type: multipart/alternative;
charset="UTF-8"; boundary="f33dBL1tz_mIME_pART_bOUNDARY====v1_"
Message-ID: The Message-ID contains a unique string generated by the sending server or client, followed by '@' and that host's domain name.
Message-ID: <MAIL06QytxQ8STI1rgR00071251@mail06.feedblitz.com>
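The header analysis described at the top of this page, and the Received, Authentication-Results, Message-ID and Subject fields explained above, can be worked through mechanically. The following is an added example, not code from the original page or from any header-analyser it names: it reassembles the trace headers quoted on this page into one raw message (constructed for this example, with the body and most other headers omitted, and Authentication-Results written in its normal unquoted form), walks the Received chain bottom-up, computes the time between hops, parses the authentication results, checks DMARC identifier alignment with an exact-match approximation, and decodes the encoded-word Subject. The Subject is notable because its bytes are UTF-8-encoded surrogate halves (invalid UTF-8, so a strict decoder rejects it) and, once repaired, the text turns out to be built from Unicode mathematical alphanumerics, a common trick to slip past keyword filters; NFKC normalisation maps them back to plain digits and letters.

```python
import re
import unicodedata
from email import message_from_string
from email.header import decode_header
from email.utils import parsedate_to_datetime

# Constructed from the headers quoted on this page; body omitted.
TRACE_RAW = """\
Delivered-To: yourhackr@gmail.com
Received: by 2002:a05:7000:258e:0:0:0:0 with SMTP id h14csp1141228man;
        Wed, 9 Feb 2022 11:13:19 -0800 (PST)
Return-Path: <newsletter@amny.binoinforticsedia.me>
Received: from domain.com (miller.midgetupon.com. [178.216.169.79])
        by mx.google.com with ESMTP id y3si18144010ljp.466.2022.02.09.11.13.18
        for <yourhackr@gmail.com>; Wed, 09 Feb 2022 11:13:19 -0800 (PST)
Authentication-Results: mx.google.com;
       dkim=pass header.i=@mail.feedblitz.com header.s=mdaemon header.b=vukeVQTS;
       spf=neutral (google.com: 178.216.169.79 is neither permitted nor denied by
       best guess record for domain of newsletter@amny.binoinforticsedia.me)
       smtp.mailfrom=newsletter@amny.binoinforticsedia.me;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=mail.feedblitz.com
Received: from mail06.feedblitz.com (mail06.feedblitz.com. [74.208.147.114])
        by mx.google.com with ESMTPS id p2si2271305ybg.286.2022.02.09.08.15.58
        for <epsdix@gmail.com>; Wed, 09 Feb 2022 08:15:58 -0800 (PST)
Received: from mail06.feedblitz.com ([74.208.147.114]) by mail06.feedblitz.com
        over TLS secured channel with Microsoft SMTPSVC(10.0.14393.4169);
        Wed, 9 Feb 2022 11:16:00 -0500
From: "BITCOIN" <feedblitz@mail.feedblitz.com>
To: epsdix <epsdix@gmail.com>
Subject: =?utf-8?Q?=ED=A0=BD=ED=BA=A849.=ED=A0=B5=ED=BF=B1=ED=A0=B5=ED=BF=B5=ED=A0=B5=ED=BF=AD,=ED=A0=B5=ED=BF=AE=ED=A0=B5=ED=BF=B1=ED=A0=BD=ED=B2=B2=ED=A0=BD=ED=BA=A8A=ED=A0=B5=ED=B7=B1=ED=A0=B5=ED=B7=B1=ED=A0=B5=ED=B7=B2=ED=A0=B5=ED=B7=B1_=ED=A0=B5=ED=B8=81=ED=A0=B5=ED=B7=BC?=
Message-ID: <MAIL06QytxQ8STI1rgR00071251@mail06.feedblitz.com>

"""

HOP_RE = re.compile(r"^(?:from\s+(?P<helo>\S+)\s*(?:\((?P<comment>[^)]*)\))?)?.*?\bby\s+(?P<by>\S+)", re.S)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_chain(raw):
    """Received lines are prepended by each MTA, so the last one in the header block
    is the first hop; iterate bottom-up to follow the message forward in time."""
    msg = message_from_string(raw)
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        value = " ".join(value.split())                       # unfold continuation lines
        head, _, date = value.rpartition(";")
        m = HOP_RE.match(head)
        ip = IP_RE.search(head)
        comment = (m.group("comment") or "") if m else ""
        hops.append({
            "helo": m.group("helo") if m else None,           # name the sender claimed
            "rdns": comment.split()[0].rstrip(".") if comment and not comment.startswith("[") else None,
            "from_ip": ip.group(1) if ip else None,
            "by": m.group("by") if m else None,
            "time": parsedate_to_datetime(date.strip()) if date.strip() else None,
        })
    return hops


def hop_deltas(hops):
    """Seconds between consecutive hops; negative values mean clock skew or an inserted line."""
    times = [h["time"] for h in hops if h["time"] is not None]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def auth_results(raw):
    value = " ".join(message_from_string(raw).get("Authentication-Results", "").split())
    out = {}
    for clause in value.split(";")[1:]:                       # segment 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)", clause)
        if m:
            props = dict(re.findall(r"\b((?:header|smtp)\.\w+)=(\S+)", clause))
            out[m.group(1)] = {"result": m.group(2), **props}
    return out


def dmarc_alignment(ar):
    """Exact-match alignment only; real relaxed alignment compares organisational domains."""
    from_dom = ar.get("dmarc", {}).get("header.from", "")
    spf_dom = ar.get("spf", {}).get("smtp.mailfrom", "").rpartition("@")[2]
    dkim_dom = ar.get("dkim", {}).get("header.i", "").rpartition("@")[2]
    return {"spf": spf_dom == from_dom, "dkim": dkim_dom == from_dom}


def decode_subject(raw):
    parts = []
    for chunk, charset in decode_header(message_from_string(raw).get("Subject", "")):
        if isinstance(chunk, str):
            parts.append(chunk)
            continue
        text = chunk.decode(charset or "ascii", "surrogatepass")   # keep surrogate halves
        parts.append(text.encode("utf-16", "surrogatepass").decode("utf-16", "replace"))
    return "".join(parts)


def normalize_subject(text):
    return unicodedata.normalize("NFKC", text)


def lookalike_count(text):
    """How many characters change under NFKC, i.e. how much of the text is styled lookalikes."""
    return sum(1 for c in text if unicodedata.normalize("NFKC", c) != c)


if __name__ == "__main__":
    hops = received_chain(TRACE_RAW)
    for i, h in enumerate(hops, 1):
        print(i, h["from_ip"], h["helo"], h["rdns"], "->", h["by"], h["time"])
    print("seconds between hops:", hop_deltas(hops))
    print(auth_results(TRACE_RAW), dmarc_alignment(auth_results(TRACE_RAW)))
    subject = decode_subject(TRACE_RAW)
    print(subject, "|", normalize_subject(subject), "|", lookalike_count(subject))
```

Three things fall out of running this on the page's own headers: the two mx.google.com receipts are for different recipients three hours apart, so the inner feedblitz hops arrived inside the message rather than being part of its delivery; the hop from 178.216.169.79 announces itself as domain.com while its reverse DNS is miller.midgetupon.com; and DMARC passed on DKIM alignment alone, with SPF evaluated for an unrelated envelope domain.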
Retrieving Email Headers in Gmail: 1. Log in to the Gmail account and open the e-mail you want to analyse.
2. Click on More (the three-dot menu) and then on Show original.
3. Copy the message header, paste it into a text editor and analyse it there (or save the .eml file offered on the same page to keep the body and attachments too).
Analyzing Email Header:
1. From: Shows the sender's e-mail address as it is visible to the recipient; it can be forged, as in spam and phishing e-mails, so it must be checked against the Return-Path, the Received chain and the authentication results.
2. To: Shows the e-mail address of the recipient.
3. Message-ID: As per RFC 2822 (now RFC 5322), every e-mail message should carry a globally unique message identifier. The part before '@' is a unique string chosen by the generating host (often derived from a timestamp and a counter, but the format is not standardised); the part after '@' is normally the fully qualified domain name of that host (here, mail06.feedblitz.com).
4. Subject: Shows the subject as given by the sender.
5. MIME-Version: Multipurpose Internet Mail Extensions are used to support non-text content such as video, images and audio; the only defined version is 1.0.
6. Timestamp: Shows the date and time when the mail was sent, as set by the sender's client (the Date header); compare it with the Received timestamps, which are set by the servers.
--------------------------
Happy Hacking! (Please do not spam it, It's Just For Knowledge ...)