Introduction to the forensic examination of E-Mail


This will be Part I in my two-part E-Mail forensics series, exclusive to securekomodo.net.

Most people these days already have a basic understanding of what email is and how to use it. Simply type up your message and hit “Send”, and like magic the message is delivered electronically to the intended recipient. What goes on behind the scenes, however, is still widely unknown. Gaining a basic understanding of the underlying technologies used in email communication can be a valuable advantage in any type of cyber crime investigation. This is especially true in such a connected society, with mobile devices, PDAs, laptops and more sending and receiving email on a 24×7 basis.

Email can originate from many different types of devices, but the basic communication involved is the same. A user composes the message on his/her device and then sends it off to some sort of mail server. The mail server acts like an electronic post office that receives, organizes, and sends electronic mail.

A typical email journey is shown in a very basic visual diagram below:

Diagram of an Email’s Journey

  1. Employee (on left) composes an email and hits “Send”.
  2. The first e-mail server, located in the sender's private network, receives the message.
  3. That e-mail server relays the message through the public network to the receiving e-mail server.
  4. The final e-mail server receives the message and relays it to the recipient, “Uncle Bob”, over its own private network.

As the message travels through the communication network shown above, information is logged into a section of the message called the e-mail header. The journey can be long or short, but each time the message passes through an e-mail server, that server adds information to the e-mail header. This logged information is sometimes referred to as ESI (Electronically Stored Information), and it is this ESI that a forensic examiner analyzes when an email communication is part of an investigation. Let's take a look at some basic components of an email.


This is what a typical email client looks like when composing a message: there are text fields where we specify who the message is intended for, the subject, any attachments, and the body of the message. However, not all information about the e-mail is displayed by the e-mail client. In order to view detailed information about the journey of an e-mail, we must look at the detailed header information below.

12)  X-Message-Info: JGTYoYF78jEv6iDU7aTDV/xX2xdjzKcH
11)  Received: from web11603.mail.yahoo.com ([216.136.172.55]) by mc4-f4
     with Microsoft SMTPSVC(5.0.2195.5600);
     Mon, 8 Sep 2003 18:53:07 -0700
10)  Message-ID: 20030909015303.27404.qmail@web11603.mail.yahoo.com
9)   Received: from [165.247.94.223] by web11603.mail.yahoo.com via
     HTTP; Mon, 08 Sep 2003 18:53:03 PDT
8)   Date: Mon, 8 Sep 2003 18:53:03 -0700 (PDT)
7)   From: John Sender <sendersname2003@yahoo.com>
6)   Subject: The Plan!
5)   To: RecipientName_1@hotmail.com
4)   MIME-Version: 1.0
     Content-Type: multipart/mixed; boundary="0-2041413029-1063072383=:26811"
3)   Return-Path: sendersname2003@yahoo.com
2)   X-OriginalArrivalTime: 09 Sep 2003 01:53:07.0873 (UTC)
     FILETIME=[1DBDB910:01C37675]
1)   --0-2041413029-1063072383=:26811
     Content-Type: multipart/alternative; boundary="0-871459572-1063072383=:26811"
     --0-871459572-1063072383=:26811
     Content-Type: text/plain; charset=us-ascii
     Received the package. Meet me at the boat dock.
     See attached map and account numbers

The logged information above helps determine many useful facts; let's break it down and examine the most important parts.

12) X-Message-Info: JGTYoYF78jEv6iDU7aTDV/xX2xdjzKcH

Typically, X-Message-Info is not a requirement for the delivery of an e-mail; different ISPs add X- headers like this for various reasons. An investigator must determine the usefulness of the information by contacting the ISP.

11) Received: from web11603.mail.yahoo.com ([216.136.172.55]) by mc4-f4 with Microsoft SMTPSVC(5.0.2195.5600); Mon, 8 Sep 2003 18:53:07 -0700

A “Received” line is added by each mail server that receives the message. It typically identifies the mail server's name and IP address and records a timestamp, including the time zone of the location where the message was received.

10) Message-ID: 20030909015303.27404.qmail@web11603.mail.yahoo.com

This is a unique identifier that is typically assigned by the first mail server the message was sent to. It can help link the message to the sender if the appropriate logs are maintained.

9) Received: from [165.247.94.223] by web11603.mail.yahoo.com via HTTP; Mon, 08 Sep 2003 18:53:03 PDT

Reading from the bottom, the first “Received” line records the first mail server the message was sent to; this is the mail server that created the unique Message-ID. It includes information about the server name, IP address, date, and time zone of the mail server. It is important to note that this time comes from the mail server's own clock and may not be accurate.

8) Date: Mon, 8 Sep 2003 18:53:03 -0700 (PDT)

This is the date the message was sent. This information comes from the sender's computer and may also be inaccurate: if the time and date on the sender's machine are wrong, the Date in the message will be wrong as well.

7) From: John Sender <sendersname2003@yahoo.com>

This line displays the sender of the email. It is typically configured in the sender's e-mail client; it is important to note that it can be spoofed and may often be inaccurate.

6) Subject: The Plan!

This is the subject information that is entered by the sender.

5) To: RecipientName_1@hotmail.com

This is the recipient of the message and is entered by the sender.

4) MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="0-2041413029-1063072383=:26811"

This is encoding information that helps the recipient's e-mail client interpret the content of the message.

3) Return-Path: sendersname2003@yahoo.com

This is usually configured by the sender in their e-mail client and may not be accurate or reliable.

2) X-OriginalArrivalTime: 09 Sep 2003 01:53:07.0873 (UTC) FILETIME=[1DBDB910:01C37675]

Like X-Message-Info, X-OriginalArrivalTime is not required for the delivery of an e-mail; different ISPs add X- headers like this for various reasons. An investigator must determine the usefulness of the information by contacting the ISP.

1) --0-2041413029-1063072383=:26811

This is message-formatting information written by the e-mail client and is not typically useful in an investigation.

The actual contents of the body of the message, “Meet me at the boat dock.”, must be analyzed using traditional methods of criminal investigation.
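As an added example (not code from the original post), here is how the bottom-up reading of the “Received” chain described above can be automated with Python's standard email module: the sample message is reconstructed from the header shown earlier, the unfolded host name mc4-f4 is an assumption, and the sender-controlled fields (Date, From, Return-Path) are kept separate from the server-stamped hops.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed from the post's sample header; "mc4-f4" is an assumed
# unfolding of the wrapped host name. Folded header lines are kept folded.
RAW_MESSAGE = """\
Received: from web11603.mail.yahoo.com ([216.136.172.55]) by mc4-f4
 with Microsoft SMTPSVC(5.0.2195.5600); Mon, 8 Sep 2003 18:53:07 -0700
Message-ID: <20030909015303.27404.qmail@web11603.mail.yahoo.com>
Received: from [165.247.94.223] by web11603.mail.yahoo.com via HTTP;
 Mon, 08 Sep 2003 18:53:03 PDT
Date: Mon, 8 Sep 2003 18:53:03 -0700 (PDT)
From: John Sender <sendersname2003@yahoo.com>
Return-Path: sendersname2003@yahoo.com
"""

IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")   # bracketed IPv4 literal
FROM_RE = re.compile(r"\bfrom\s+(\S+)")
BY_RE = re.compile(r"\bby\s+(\S+)")

def _grab(pattern, text):
    match = pattern.search(text)
    return match.group(1) if match else None

def parse_hop(received):
    """One Received: value -> from/by hosts, bracketed IP, aware timestamp."""
    clause, _, date_part = received.rpartition(";")   # date follows the last ';'
    return {"from": _grab(FROM_RE, clause), "by": _grab(BY_RE, clause),
            "ip": _grab(IP_RE, clause),
            "time": parsedate_to_datetime(date_part.strip())}

def timeline(raw):
    """Hops in travel order: each server prepends its line, so the last
    Received: header is hop 1. Also returns the sender-written fields,
    which are claims to be verified rather than facts."""
    msg = message_from_string(raw)
    hops = [parse_hop(r) for r in reversed(msg.get_all("Received", []))]
    claims = {h: msg[h] for h in ("Date", "From", "Return-Path")}
    return hops, claims

def transit_seconds(hops):
    """Seconds between first and last server stamp; aware datetimes compare in UTC."""
    return int((hops[-1]["time"] - hops[0]["time"]).total_seconds())

if __name__ == "__main__":
    hops, claims = timeline(RAW_MESSAGE)
    for n, hop in enumerate(hops, 1):
        print(f"hop {n}: {hop['from']} ({hop['ip']}) -> {hop['by']} at {hop['time']}")
    print(f"transit {transit_seconds(hops)} s; sender-supplied: {claims}")
```

Comparing the hop stamps in UTC sidesteps the differing time-zone notations (“PDT” versus “-0700”) that the two servers used.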

If you are not a forensic examiner, why is this information still relevant? Well, most of the time, an average person will never have to know anything about it. That is, unless you are the curious “geeky” type that might want to view routing information about a recent spam attempt or phishing scam on their e-mail account. Just this morning I quickly reviewed the e-mail header of a spam message trying to get me to click on a link to “Unsubscribe” from “Beautiful Lavender Blooms”. After careful analysis, I was able to determine that the message was indeed SPAM (Duh!) and sourced from an IP address in Belarus, Amsterdam – spoofed to a Chinese IP address. By looking at the Received By: line in the header, I can take the IP address and put it into http://ip-lookup.net/index.php where I can view information about the Internet Service Provider that was used, and contact information to dig deeper into the investigation. Cool huh!

Now, the information listed here is only an introduction to the forensic examination of e-mails, and there is still much to be discussed before we dig into a cyber-crime investigation involving e-mail communication. I will be creating Part II of the E-Mail forensics series, which will dig deeper into more advanced techniques and methodologies used in the forensic examination of e-mail messages.

For now, I hope you enjoyed this introduction and stay tuned for similar posts in the near future.

-Bryan
