Sign up to save your podcasts
Or
Share Course 13 - Network Forensics | Episode 8: Email Analysis and Forensic Investigation
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Course 13 - Network Forensics | Episode 8: Email Analysis and Forensic Investigation
In this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- How email systems work from a forensic perspective
- Where and how email evidence can be recovered
- How headers, protocols, and timestamps help analysts trace message origins
- Legal considerations affecting email investigations
- Tools used in forensic email analysis
- Client/Suspect Machine: Local email clients, temporary files, swap space, browser cache, slack space.
- Mail Server: Messages stored during transit or retained copies.
- Recipient’s System: Evidence often found in the receiver’s mailbox or client.
- Intermediate Entities: ISPs may also hold relevant artifacts.
- Contains trace information, routing data, and metadata.
- Fields are generated by the sender, their client, and each server the message passes through.
- Crucial for tracking the message back to its true point of origin.
- The actual message content, which may include attachments.
- SMTP (port 25) – responsible for sending mail.
- POP3 (port 110) – retrieves email, often removing it from the server.
- IMAP – keeps messages stored server-side for synchronization.
- Ports may be customized, so correct port filtering is essential.
- MIME – standard encoding for transmitting messages and attachments across networks.
- S/MIME & PGP – used for secure, encrypted email communications.
- Stored only on the server
- Stored on both client and server
- Deleted from the server after retrieval by client settings
- Client settings (like in Outlook) may be overridden by the server.
- Browser-based clients store less structured email data but may leave:
- Cached message views
- Temporary HTML copies
- Thumbnails
- Outlook stores email data in PST files, which are typically the largest and most valuable evidence sources.
- Analyze the Received: header fields.
- Begin from the bottom entry (earliest hop).
- Move upward to reconstruct the route.
- Evaluate timestamps and time zone offsets carefully to avoid misinterpreting the message flow.
- Some header fields can be spoofed, but not all.
- Tools for verification include:
- Sam Spade
- DNS lookup tools
- WHOIS
- If the BCC field appears in a header, it simply confirms a blind copy was sent, though the recipient remains hidden.
- Unopened emails (< 90 days) → Highly protected, often requiring a warrant.
- Opened emails → Lower level of protection.
- Unopened emails (> 90 days) → Reduced protection.
- Emails (> 180 days) → Minimal protection regardless of status.
- FTK (AccessData)
- EnCase (Guidance Software)
- Both support PST extraction and email analysis.
- Wireshark
- Microsoft Network Monitor
- TCPdump
- TShark
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
View all episodes
By CyberCode AcademyIn this lesson, you’ll learn about:
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy
- How email systems work from a forensic perspective
- Where and how email evidence can be recovered
- How headers, protocols, and timestamps help analysts trace message origins
- Legal considerations affecting email investigations
- Tools used in forensic email analysis
- Client/Suspect Machine: Local email clients, temporary files, swap space, browser cache, slack space.
- Mail Server: Messages stored during transit or retained copies.
- Recipient’s System: Evidence often found in the receiver’s mailbox or client.
- Intermediate Entities: ISPs may also hold relevant artifacts.
- Contains trace information, routing data, and metadata.
- Fields are generated by the sender, their client, and each server the message passes through.
- Crucial for tracking the message back to its true point of origin.
- The actual message content, which may include attachments.
- SMTP (port 25) – responsible for sending mail.
- POP3 (port 110) – retrieves email, often removing it from the server.
- IMAP – keeps messages stored server-side for synchronization.
- Ports may be customized, so correct port filtering is essential.
- MIME – standard encoding for transmitting messages and attachments across networks.
- S/MIME & PGP – used for secure, encrypted email communications.
- Stored only on the server
- Stored on both client and server
- Deleted from the server after retrieval by client settings
- Client settings (like in Outlook) may be overridden by the server.
- Browser-based clients store less structured email data but may leave:
- Cached message views
- Temporary HTML copies
- Thumbnails
- Outlook stores email data in PST files, which are typically the largest and most valuable evidence sources.
- Analyze the Received: header fields.
- Begin from the bottom entry (earliest hop).
- Move upward to reconstruct the route.
- Evaluate timestamps and time zone offsets carefully to avoid misinterpreting the message flow.
- Some header fields can be spoofed, but not all.
- Tools for verification include:
- Sam Spade
- DNS lookup tools
- WHOIS
- If the BCC field appears in a header, it simply confirms a blind copy was sent, though the recipient remains hidden.
- Unopened emails (< 90 days) → Highly protected, often requiring a warrant.
- Opened emails → Lower level of protection.
- Unopened emails (> 90 days) → Reduced protection.
- Emails (> 180 days) → Minimal protection regardless of status.
- FTK (AccessData)
- EnCase (Guidance Software)
- Both support PST extraction and email analysis.
- Wireshark
- Microsoft Network Monitor
- TCPdump
- TShark
You can listen and download our episodes for free on more than 10 different platforms:
https://linktr.ee/cybercode_academy