Course 13 - Network Forensics | Episode 8: Email Analysis and Forensic Investigation

Published 5 months, 2 weeks ago
Description
In this lesson, you’ll learn about:
  • How email systems work from a forensic perspective
  • Where and how email evidence can be recovered
  • How headers, protocols, and timestamps help analysts trace message origins
  • Legal considerations affecting email investigations
  • Tools used in forensic email analysis
Email Analysis & Forensic Investigation
Forensic Locations and Evidence Recovery
Email evidence can reside in multiple places, so investigators must consider:
  • Client/Suspect Machine: Local email clients, temporary files, swap space, browser cache, slack space.
  • Mail Server: Messages stored during transit or retained copies.
  • Recipient’s System: Evidence often found in the receiver’s mailbox or client.
  • Intermediate Entities: ISPs may also hold relevant artifacts.
Effective investigation requires understanding email systems, storage behaviors, and how different clients manage local vs. server-side data.
Email Structure & Protocols
Email messages consist of two main components:
Header
  • Contains trace information, routing data, and metadata.
  • Fields are generated by the sender, their client, and each server the message passes through.
  • Crucial for tracking the message back to its true point of origin.
Body
  • The actual message content, which may include attachments.
Protocols
  • SMTP (port 25) – responsible for sending mail.
  • POP3 (port 110) – retrieves email, often removing it from the server.
  • IMAP – keeps messages stored server-side for synchronization.
  • Ports may be customized, so correct port filtering is essential.
Encoding
  • MIME – standard encoding for transmitting messages and attachments across networks.
  • S/MIME & PGP – used for secure, encrypted email communications.
Message Storage & Client Forensics
Email storage varies depending on configuration:
  • Stored only on the server
  • Stored on both client and server
  • Deleted from the server after retrieval, depending on client settings
Important points:
  • Client settings (like in Outlook) may be overridden by the server.
  • Browser-based clients store less structured email data but may leave:
    • Cached message views
    • Temporary HTML copies
    • Thumbnails
Outlook & PST Files
  • Outlook stores email data in PST files, which are typically the largest and most valuable evidence sources.
Email Tracing & Header Analysis
Technical headers provide the primary means to trace an email’s path.
How to Trace an Email
  • Analyze the Received: header fields.
  • Begin from the bottom entry (earliest hop).
  • Move upward to reconstruct the route.
  • Evaluate timestamps and time zone offsets carefully to avoid misinterpreting the message flow.
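As an added illustration of the bottom-up tracing procedure above (example code written for this summary, not from the course; hostnames, message IDs and timestamps are constructed), the script below unfolds each Received: header, walks them from the bottom entry upward, normalises every hop's local time and offset to UTC, and flags any hop whose timestamp runs backwards relative to the previous one:

```python
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample headers (hypothetical hosts, documentation IP ranges), folded RFC 5322 style.
RAW_MESSAGE = """\
Received: from mx2.recipient.test (mx2.recipient.test [203.0.113.20])
\tby mail.recipient.test with ESMTP id abc123;
\tMon, 3 Jun 2024 14:05:10 +0000
Received: from relay.isp.test (relay.isp.test [198.51.100.7])
\tby mx2.recipient.test with ESMTPS id def456;
\tMon, 3 Jun 2024 10:05:02 -0400
Received: from sender-pc.example.test ([192.0.2.15])
\tby relay.isp.test with ESMTPA id ghi789;
\tMon, 3 Jun 2024 16:04:55 +0200
From: alice@example.test

Please find the report attached.
"""

# "from <host> ... by <host>" clause of a Received: field (simplified RFC 5321 grammar).
RECEIVED_RE = re.compile(r"^from\s+(?P<frm>\S+).*?\bby\s+(?P<by>\S+)", re.I | re.S)

def parse_received(value):
    """Unfold one Received: value and return (from_host, by_host, utc_datetime)."""
    flat = re.sub(r"\s+", " ", value).strip()
    clause, _, date_part = flat.rpartition(";")  # timestamp follows the last ';'
    m = RECEIVED_RE.search(clause)
    frm, by = (m.group("frm"), m.group("by")) if m else ("?", "?")
    # Normalise each hop's local time plus offset to UTC before comparing hops.
    ts = parsedate_to_datetime(date_part.strip()).astimezone(timezone.utc)
    return frm, by, ts

def reconstruct_route(raw):
    """Hops in chronological order: the bottom Received: header is the first hop.
    delay_s is seconds since the previous hop; a negative value means clock skew
    or a header that does not fit the chain and deserves a closer look."""
    msg = message_from_string(raw)
    route, prev = [], None
    for frm, by, ts in (parse_received(v) for v in reversed(msg.get_all("Received", []))):
        delay = None if prev is None else int((ts - prev).total_seconds())
        route.append({"from": frm, "by": by, "utc": ts.isoformat(),
                      "delay_s": delay, "suspicious": delay is not None and delay < 0})
        prev = ts
    return route

if __name__ == "__main__":
    for i, hop in enumerate(reconstruct_route(RAW_MESSAGE), 1):
        delay_txt = "" if hop["delay_s"] is None else f" +{hop['delay_s']}s"
        print(f"hop {i}: {hop['from']} -> {hop['by']} at {hop['utc']}{delay_txt}"
              + ("  <-- check" if hop["suspicious"] else ""))
```

Read naively, the three local timestamps (16:04, 10:05, 14:05) look out of order; once the offsets are applied the hops are seven and eight seconds apart, which is the point of evaluating offsets before judging the flow.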
Key Considerations
  • Some header fields can be spoofed, but not all.
  • Tools for verification include:
    • Sam Spade
    • DNS lookup tools
    • WHOIS
BCC Field
  • If the BCC field appears in a header, it simply confirms a blind copy was sent, though the recipient remains hidden.
Legal & Investigative Factors
The level of legal protection depends on message age and state:
  • Unopened emails (< 90 days) → Highly protected, often requiring a warrant.
  • Opened emails → Lower level of protection.
  • Unopened emails (> 90 days) → Reduced protection.
  • Emails (> 180 d