Learn Email Investigation Techniques and Procedures

admin | December 9th, 2016 | Technology

Email has become one of the most widely used communication applications, used both to exchange information and to carry out business transactions. As its use has grown, its security has become a major concern, and email is now a primary vehicle for crime. Phishing, fraud, sexual predation, spam, and malware delivered through attachments and links are among the major offences carried out with the help of email. Data theft through email can also seriously disrupt an organization's operations or an individual's work.

Whenever a digital crime or cybercrime occurs, one of the first steps is to consult digital forensic investigators, who collect, preserve and analyze the emails involved. Efficient, in-depth email investigation relies on a wide variety of tools and on defined procedures. The following section outlines the procedures and techniques used to investigate emails in a particular crime.

Procedure to Investigate an Email

In email forensics, both the source and the content of emails are treated as evidence. The process includes identifying the actual sender, the recipients, the date, time and location of the mail transaction, and the intention of the sender. It also involves examining metadata, keyword searching, port scanning of the servers involved, and similar steps. The techniques commonly used for email investigation are:

  1. Header Analysis of Emails
    Email investigation usually starts with the message headers. Headers carry information about the sender and, in the Received: fields, a record of the path the message travelled: every mail server that handles the message prepends its own Received: line, so the topmost line was written by the last server and the bottom line by the first. A criminal will often forge headers to hide the sender's identity, but a sender can only insert lines at the bottom of the stack; the genuine servers keep prepending above them. Forged lines usually betray themselves by inconsistencies with the genuine ones: a "by" server in one hop that does not appear as the "from" server in the next, timestamps that run backwards, or a format that does not match what the claimed mail software actually produces. If a line lacks the idiosyncrasies of the SMTP server it claims to come from, treat it as forged, and treat everything below the first inconsistency as being under the sender's control.
  2. Link Analysis
    Link analysis is a graphical method of evaluating the emails exchanged between users. Because a crime can involve multiple suspects, link analysis is used to examine the connections between them: who wrote to whom, how often, and through which intermediaries. Since thousands of messages may be linked between suspects, doing this by hand is time-consuming and can defeat the purpose of the investigation; in practice the sender and recipient pairs are extracted automatically and rendered as a graph.
  3. Bait Tactics
    The basic aim of the bait tactic is to obtain the IP address of the culprit. An email containing an HTML <img src="..."> tag, whose image is hosted on a server monitored by the investigators, is sent to the address under investigation (the address that was the sender during the crime). When the email is opened and the image is fetched, a log entry containing the recipient's IP address is recorded on the server hosting the image, and the recipient can be traced. If the recipient is behind a proxy server, the investigators record the proxy's IP address instead, and the proxy's own logs are used to trace the culprit. If the proxy logs are not available, a further tactic email is sent, either as an HTML page or with an embedded Java applet, to draw out a direct connection. Two caveats apply: most current mail clients block remote images by default, so the image may never be fetched, and sending such an email to a suspect requires proper legal authorization.
  4. Investigation of Server
    In server investigation, the server logs and any server-side copies of the messages exchanged between sender and receiver are examined. Messages that can no longer be recovered from the sender's or receiver's own machines may still be obtained from the mail provider's or ISP's servers, since servers often retain copies and delivery logs for some time after delivery, subject to their retention policy. In addition, the provider's account records for a mailbox (registration details, billing information such as payment card data, and login history) may be used to identify the owner of a particular email address. This data is held by the provider's account systems rather than by the SMTP server itself, so obtaining it usually means a legal request to the provider.
  5. Investigating Network Devices
    The source of an email message can also be traced through the logs maintained by network devices such as routers, firewalls and switches. Owing to its complexity, this technique is usually deployed only when the logs of the ISP or proxy servers are unavailable. Server logs may be unavailable for various reasons, for example because they were not retained or because a chain of custody for them cannot be established.
  6. Fingerprints of Sender Mailers
    The Received: header field helps identify the software that handles email on the server side: the receiving MTA usually names itself and its product (Postfix, Exim, Sendmail, Microsoft ESMTP, and so on) in the "by ... with ..." clause. Other header fields such as X-Mailer, User-Agent or X-MimeOLE identify the software used on the client side. Together these headers describe the applications, and often their versions, that the sender used to compose and submit the message, and they can be compared against what the claimed server or client would really produce.
  7. Software Embedded Identifiers
    Information about the creator of an email may be included in custom (X-) headers or in MIME content such as a TNEF (winmail.dat) attachment generated by Microsoft Outlook. Examining such content may reveal the names of PST files, the MAC address of the network adapter, and other details of the computer used to send the email.
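The following script shows the header analysis, chain check and mailer fingerprinting from items 1, 6 and 7 in working form. It is an added example, not code from the original article; the message it parses is constructed for illustration (all hosts, addresses and IPs are documentation values), with a Received: line forged at the bottom of the stack the way a phisher would add it.

```python
"""Reconstruct the delivery path of an email from its Received: headers and
flag hops that do not fit the chain written by the real mail servers."""
import re
from dataclasses import dataclass
from datetime import datetime
from email import message_from_string
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample message (documentation hosts and addresses, not real
# systems). The bottom Received: line was forged by the sender to make the
# mail look like it originated at the bank's own server.
RAW_MESSAGE = """\
Received: from mx2.example.net (mx2.example.net [198.51.100.7])
\tby mail.victim.example (Postfix) with ESMTP id 4B2F1C0A3
\tfor <alice@victim.example>; Fri, 9 Dec 2016 10:15:32 +0000
Received: from relay.example.net (relay.example.net [198.51.100.4])
\tby mx2.example.net (Postfix) with ESMTPS id 9A77E12F
\tfor <alice@victim.example>; Fri, 9 Dec 2016 10:15:30 +0000
Received: from [192.0.2.55] (unknown [192.0.2.55])
\tby relay.example.net (Postfix) with ESMTPA id 1C0DE44
\tfor <alice@victim.example>; Fri, 9 Dec 2016 10:15:29 +0000
Received: from mail.bigbank.example (mail.bigbank.example [203.0.113.9])
\tby secure.bigbank.example with SMTP id 12345
\tfor <alice@victim.example>; Fri, 9 Dec 2016 11:00:00 +0000
From: "BigBank Security" <security@bigbank.example>
To: alice@victim.example
Subject: Verify your account
Message-ID: <20161209101529.1C0DE44@relay.example.net>
X-Mailer: Microsoft Outlook 15.0

Please click the link below to verify your account.
"""


@dataclass
class Hop:
    index: int                      # 1 = first hop, the one closest to the sender
    from_host: str                  # name the sending side announced in HELO/EHLO
    rdns: Optional[str]             # reverse-DNS name the receiver recorded, if any
    ip: Optional[str]               # IP address the receiver recorded, if any
    by_host: str                    # the server that wrote this line
    timestamp: Optional[datetime]


_HOP_RE = re.compile(r"from\s+(?P<from>\S+)(?:\s+\((?P<comment>[^)]*)\))?\s+by\s+(?P<by>\S+)")
_IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def _norm(host: Optional[str]) -> str:
    return (host or "").strip("[]").rstrip(".").lower()


def parse_received(raw: str) -> list[Hop]:
    """Return the hops in delivery order (first hop first). Every MTA prepends
    its own Received: line, so the header block reads newest-first."""
    msg = message_from_string(raw)
    hops: list[Hop] = []
    for value in reversed(msg.get_all("Received") or []):
        flat = " ".join(value.split())              # unfold continuation lines
        m = _HOP_RE.search(flat)
        if not m:
            continue                                # local-delivery lines are not hops
        comment = m.group("comment") or ""
        ip = _IP_RE.search(comment) or _IP_RE.search(m.group("from"))
        rdns = comment.split()[0] if comment else None
        timestamp = None
        if ";" in flat:                             # the date follows the last semicolon
            try:
                timestamp = parsedate_to_datetime(flat.rsplit(";", 1)[1].strip())
            except (TypeError, ValueError):
                pass
        hops.append(Hop(len(hops) + 1, m.group("from"), None if rdns == "unknown" else rdns,
                        ip.group(1) if ip else None, m.group("by"), timestamp))
    return hops


def check_chain(hops: list[Hop]) -> tuple[list[str], list[int]]:
    """The server that accepted hop N ("by") should be the one handing the
    message over in hop N+1 ("from" or its reverse-DNS name), and time must
    not run backwards. A break is a heuristic sign of forgery: real relays
    occasionally name themselves inconsistently, so verify before concluding."""
    warnings, breaks = [], []
    for earlier, later in zip(hops, hops[1:]):
        broken = False
        if _norm(earlier.by_host) not in {_norm(later.from_host), _norm(later.rdns)}:
            warnings.append(f"hop {earlier.index}: 'by {earlier.by_host}' is not the sender "
                            f"of hop {later.index} ('from {later.from_host}')")
            broken = True
        if earlier.timestamp and later.timestamp and earlier.timestamp > later.timestamp:
            warnings.append(f"hop {earlier.index}: timestamp {earlier.timestamp.isoformat()} "
                            f"is later than hop {later.index} ({later.timestamp.isoformat()})")
            broken = True
        if broken:
            breaks.append(earlier.index)
    return warnings, breaks


def client_fingerprint(raw: str) -> dict:
    """Headers the sending software leaves behind (items 6 and 7 above)."""
    msg = message_from_string(raw)
    message_id = msg.get("Message-ID", "")
    return {"x_mailer": msg.get("X-Mailer"), "user_agent": msg.get("User-Agent"),
            "message_id_domain": message_id.strip("<>").rpartition("@")[2] or None}


def analyze(raw: str) -> dict:
    hops = parse_received(raw)
    warnings, breaks = check_chain(hops)
    # Everything below the highest break was under the sender's control; the
    # hop just above it is the earliest one a real server vouches for, and the
    # IP that server recorded is the best candidate for the true origin.
    origin = hops[max(breaks)] if breaks else (hops[0] if hops else None)
    return {"hops": hops, "warnings": warnings,
            "origin_ip": origin.ip if origin else None, "fingerprint": client_fingerprint(raw)}


if __name__ == "__main__":
    report = analyze(RAW_MESSAGE)
    for hop in report["hops"]:
        print(f"hop {hop.index}: {hop.from_host} [{hop.ip}] -> {hop.by_host} at {hop.timestamp}")
    for w in report["warnings"]:
        print("WARNING:", w)
    print("likely origin:", report["origin_ip"], "| client:", report["fingerprint"])
```

Run against the sample, the script reports two warnings on hop 1 (the forged bank line is not the sender that relay.example.net saw, and its timestamp is later than the hop above it) and names 192.0.2.55, the address the first genuine relay recorded, as the likely origin. The X-Mailer and Message-ID domain are the fingerprints items 6 and 7 refer to; compare them with what the claimed sending environment would really produce.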
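The link analysis of item 2, as an added example that is not part of the original article: it extracts sender and recipient pairs from a set of messages, ranks the accounts by traffic to find hubs, and finds the shortest chain of correspondents connecting two suspects. The corpus is constructed (documentation domains and made-up people); a real run would feed it the messages exported from the seized mailboxes.

```python
"""Link analysis over a set of messages: build a who-wrote-to-whom graph from
From/To/Cc headers, rank the most connected accounts and find the shortest
chain of correspondents linking two suspects."""
from collections import Counter, defaultdict, deque
from email import message_from_string
from email.utils import getaddresses

# Constructed corpus: the raw header block (plus a stub body) of each message.
CORPUS = [
    "From: mallory@example.org\nTo: eve@example.net\nSubject: offer\n\nbody",
    "From: Eve <eve@example.net>\nTo: trent@example.com\nCc: mallory@example.org\nSubject: Re: offer\n\nbody",
    "From: trent@example.com\nTo: carol@corp.example\nSubject: invoice\n\nbody",
    "From: mallory@example.org\nTo: eve@example.net\nSubject: again\n\nbody",
    "From: bob@corp.example\nTo: carol@corp.example\nSubject: lunch\n\nbody",
]


def build_edges(messages) -> Counter:
    """Count messages per (sender, recipient) pair; addresses are lower-cased
    so that case variants of the same mailbox collapse into one node."""
    edges: Counter = Counter()
    for raw in messages:
        msg = message_from_string(raw)
        senders = [addr.lower() for _, addr in getaddresses(msg.get_all("From", []))]
        recipients = [addr.lower() for _, addr in
                      getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))]
        for s in senders:
            for r in recipients:
                if r and s != r:
                    edges[(s, r)] += 1
    return edges


def adjacency(edges):
    """Undirected, weighted view: account -> {neighbour: message count}."""
    adj = defaultdict(Counter)
    for (s, r), n in edges.items():
        adj[s][r] += n
        adj[r][s] += n
    return adj


def rank_by_traffic(edges):
    """Accounts ordered by total messages sent or received, hubs first."""
    adj = adjacency(edges)
    return sorted(((a, sum(c.values())) for a, c in adj.items()),
                  key=lambda item: (-item[1], item[0]))


def shortest_chain(edges, start, goal):
    """Breadth-first search for the fewest correspondents linking two
    accounts; returns the accounts on the path, or [] if they are unconnected."""
    adj = adjacency(edges)
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == goal:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in sorted(adj[node]):       # sorted for deterministic output
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return []


def to_dot(edges) -> str:
    """Graphviz source for the directed graph, renderable with `dot -Tpng`."""
    lines = ["digraph mail {"]
    for (s, r), n in sorted(edges.items()):
        lines.append(f'  "{s}" -> "{r}" [label="{n}"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    edges = build_edges(CORPUS)
    print("busiest accounts:", rank_by_traffic(edges)[:3])
    print("mallory -> carol:", " -> ".join(
        shortest_chain(edges, "mallory@example.org", "carol@corp.example")))
    print(to_dot(edges))
```

On the sample corpus the busiest account is eve@example.net, and the chain from mallory@example.org to carol@corp.example runs through eve and trent, which is exactly the kind of intermediary that link analysis is meant to surface. The DOT output is what turns the counts into the graphical view the technique is named for.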


Employing the correct technique for investigating emails in a cybercrime is an essential part of identifying the culprit. An efficient technique, applied in a timely fashion, helps to prove the culprit guilty in court.