EMAIL INVESTIGATION

E-mail has supplanted other forms of communication in recent years, and most computer users have programmes to receive, send, and manage their e-mail. These programmes vary in how and where they track and keep e-mail. Some require their own directories and data files on the local machine and are installed separately from the operating system. Others use already installed software, including Web browsers, without installing any additional software on the client machine. Because e-mail has become a crucial component of many computing investigations, computer forensics investigators must be familiar with how e-mail is processed in order to gather this evidence. Investigators also need to understand how to spot phishing or spoofing attempts, as well as the growing number of e-mail scams.

E-mail-related crimes and policy breaches require the same kind of investigation as other computer crimes and computer misuse. The goal is to identify the person(s) responsible for the crime or policy violation, collect the necessary evidence, and submit the results in order to establish a case for prosecution or arbitration. The location, state, and occasionally country from which the e-mail was sent determine which violations and crimes were committed by e-mail. Crimes are increasingly being committed by e-mail, and more investigators are discovering e-mails that connect suspects to a crime or policy violation. For example, some people use e-mail to carry out crimes such as drug trafficking, extortion, child abduction, child pornography, fraud, stalking, and sexual harassment of women. Since e-mail has emerged as a significant means of communication, any crime or rule violation can involve e-mail.

The 419 scam, also known as the Nigerian Scam, which started as a chain letter in Nigeria, Africa, was one of the most notable e-mail scams. To solicit victims, fraudsters need only access to Internet e-mail, which saves them the cost of foreign postage. In contrast to the cutting-edge, more sophisticated phishing e-mail scams, 419 communications are marked by a distinctive writing style and other differentiating manoeuvres.

Methods for Email Forensic Investigations

Email forensics is the analysis of the origin and content of emails as proof to pinpoint the true sender and recipient of a communication, as well as other details such as the date, time, and intent of the sender. It entails examining metadata, scanning ports, and running keyword searches. The following are some typical methods that can be used in an email forensic investigation:

 • Header Analysis
 • Server investigation
 • Network Device Investigation
 • Sender Mailer Fingerprints
 • Software Embedded Identifiers


1. Email Header Analysis

Email headers contain important information, such as the sender's and recipient's names, the servers and other devices the message has passed through, and so on. Investigators and forensics specialists benefit from this information when conducting an email inquiry. For instance, the Delivered-To field gives the recipient's email address, while the by clause of the topmost Received: field (often referred to as the Received-By field) records the last SMTP server the message visited, together with its IP address, the SMTP ID, and the date and time the email was received. The from clause of the same Received: field gives similar information about the sending host, including its IP address and host name. Such knowledge helps both in identifying the offender and in gathering evidence.

2. Server investigation

The software that powers an email server uses email protocols to provide its services and keeps logs that can be analyzed and used in the inquiry. Every email server has the ability to keep track of the emails it has handled. Some email servers are configured to log email transactions automatically; others need to be set up that way. Most email administrators log system activity and message flow so that they can recover emails after a disaster, confirm that the firewall and email filters are working properly, and enforce business policy. Even so, logs are often kept in circular fashion: the log is overwritten once it reaches a certain size or the allotted amount of time has passed. Circular logging reduces server space usage, but once a log entry has been overwritten, it cannot be retrieved.

 
3. Network device investigation

Sometimes server logs are not accessible. Numerous factors, such as servers that are not set up to maintain logs or ISPs that won't provide the log files, can cause this. In such a case, investigators can trace an email message's origin in the logs kept by network devices such as switches, firewalls, and routers.


4. Sender mailer fingerprints

In addition to common headers such as Subject and To, email messages also include X-headers. These are frequently added to carry spam-filter information, authentication results, and so on, and can be used to identify the email client programme, such as Outlook or Opera Mail. To identify the original sender, or the IP address of the sender's machine, use the X-Originating-IP header.
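As an added example (not code from the original article), the following Python script pulls from a raw message the fields discussed under header analysis and sender mailer fingerprints: Delivered-To, the Received: chain in transit order, and the X-headers including X-Originating-IP. The message is constructed, with made-up hosts, addresses, IPs and IDs.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message; hosts, addresses, IPs and IDs are made-up.
RAW_EMAIL = """\
Delivered-To: victim@example.org
Received: from mx.example.org (mx.example.org [198.51.100.7])
    by inbox.example.org with ESMTP id 9f4e2; Tue, 5 Mar 2024 10:02:11 +0000
Received: from relay.example.net (relay.example.net [203.0.113.25])
    by mx.example.org with ESMTP id 7ab3c; Tue, 5 Mar 2024 10:02:09 +0000
Received: from user-pc (unknown [192.0.2.44])
    by relay.example.net with ESMTPA id 5d1e0; Tue, 5 Mar 2024 10:02:05 +0000
X-Originating-IP: [192.0.2.44]
X-Mailer: ExampleMailer 1.0
From: "Accounts" <accounts@example.net>
Subject: Invoice attached

Please see the attached invoice.
"""

# "from <helo> (<rdns> [<ip>]) ... by <server>" as written by most MTAs.
HOP_RE = re.compile(r"from\s+(?P<helo>\S+)\s*(?:\((?P<rdns>\S+)\s+\[(?P<ip>[^\]]+)\]\))?"
                    r".*?\bby\s+(?P<by>\S+)")

def parse_received(value):
    """Reduce one Received: header to the fields an examiner reads."""
    flat = " ".join(value.split())                 # unfold continuation lines
    m = HOP_RE.search(flat)
    if not m:
        return None
    when = flat.rsplit(";", 1)[1].strip() if ";" in flat else None
    return {"from": m.group("helo"), "ip": m.group("ip"), "by": m.group("by"),
            "time": parsedate_to_datetime(when).isoformat() if when else None}

def analyze_headers(raw):
    """Return delivery address, transit path (sender first) and X-headers."""
    msg = message_from_string(raw)
    hops = [h for h in map(parse_received, msg.get_all("Received", [])) if h]
    hops.reverse()   # each MTA prepends its line, so the bottom line is the first hop
    origin = (msg.get("X-Originating-IP") or "").strip("[] ")
    return {
        "delivered_to": msg.get("Delivered-To"),
        "path": hops,
        "origin_ip": origin,
        # Only the hop written by a server you control is trustworthy; earlier lines
        # and X-headers can be supplied by the sender, so cross-check them against each other.
        "origin_consistent": bool(hops) and hops[0]["ip"] == origin,
        "x_headers": {k: v for k, v in msg.items() if k.lower().startswith("x-")},
    }
```

Reading the path from the bottom Received: line upward gives the route from the sending host to the delivering server, and a mismatch between X-Originating-IP and the first hop is a sign that one of them was altered.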

5. Software embedded identifiers

The email programme a sender uses occasionally includes extra details about the message and any associated files. These appear as Transport Neutral Encapsulation Format (TNEF) data or as custom headers within the MIME content. These portions can be thoroughly analyzed to disclose important information about the sender, such as the sender's MAC address, Windows logon username, PST file name, and more.


CONCLUSION:

Email forensics, a subfield of digital forensic science, is the study of emails to obtain digital evidence for crimes and incidents. It includes a thorough and methodical review of emails, paying close attention to details such as message transmission paths, attachments and documents, IP addresses of servers and machines, and so on.



Written By

Sneha.A.K

Volunteer 

Applied Forensic Research Sciences
