Almost everyone uses at least one web-based email account to communicate with other people. The increased use of web-based email clients has led to a sharp rise in cybercrime, including cases that require forensic analysis of a webmail account. The virtual means of communication provided by the internet have made our lives easier and less complex, taking us to a new level of effectiveness, productivity and connectivity.
We use the World Wide Web for several purposes: sending email, exchanging documents, retrieving information, and contacting friends and family through voice chat or video calls. Though it has brought many benefits to everyone's life, it also has weak points that can affect one's life through cybercrime. Since most cybercrime cases involve the use of a web-based email client, webmail forensics is a field that needs to be acknowledged.
What is Webmail Mailbox Analysis?
Webmail mailbox analysis is the process of collecting legal evidence, which can later be presented as proof in a court of law, by examining the source and content of emails in a web-based client. Some commonly used web-based email clients are Google's Gmail, Microsoft's Outlook.com and Yahoo Mail. Many criminals use web-based clients to carry out cybercrimes. As information is exchanged between email accounts, the messages contain critical information about the criminal, which the investigation team analyzes to collect evidence against them.
How Does Webmail Forensics Analysis Help Investigators?
The main goal of the investigation team is to extract as much information as possible from the messages sent or received, regardless of which web-based email client was used. The forensic procedure involves stages such as collection, analysis, preservation and reporting. The first stage of an investigation consists of collecting information from the email message. Every email carries a header for each mail transaction, and that header can be analyzed to extract information. Let us discuss how email header details can be used for forensic purposes.
Extracting information using Email Header
The email header is analyzed by extracting the header information of the suspicious email and going through all of its details. The steps to extract the header data and save it in a separate file are as follows:
i) Log in to the web-based email client in question.
ii) Click to open the suspicious mail whose header details are required.
iii) Once the mail is open, click the menu on the right-hand side to find the relevant option.
iv) The option for viewing header details differs between email clients. For Gmail, look for 'Show Original', click it to view all the details, and save them to a text file. For Yahoo Mail, look for 'View Full Header', click it to view the details, and save them to a text file. For Outlook.com, look for 'View Message Source' and save the result to a text file.
v) Finally, during the webmail forensics analysis, all the details of the email header can be examined.
Detailed examination of all the header information
The screenshot below shows the email header of a message from a web-based email client. Its details are discussed as follows:
- Delivered-To: shows the email address to which the mail was delivered.
- Received: the first (top) 'Received' line gives the IP address of the sender's mail server and the time at which the message reached the receiver's server.
- X-Received: gives the IP address of the mail server through which the email passed on its way from sender to receiver.
- Return-Path: stores the address from which the mail was sent.
- Received: the bottom 'Received' line gives the IP address of the sender's mail server and the time at which the server received the message from the sender's email client.
- Received-SPF: Sender Policy Framework displays the type of email service used to send the mail. Using the id, it also records whether the mail was judged legitimate, which is useful for analysis. SPF is designed to prevent sender address forgery.
- DKIM-Signature: DomainKeys Identified Mail (DKIM) applies a cryptographic signature to the header and body of the message. It allows the authenticity of the sender and the integrity of the message content to be checked.
- Message-ID: a unique message identification string created when the message is sent.
- MIME-Version: Multipurpose Internet Mail Extensions is the internet standard that extends the format of email messages; during webmail forensics analysis, information can be extracted from the MIME version.
- Content-Type: displays the format of the message, such as HTML, plain text or XML.
- From: gives the name of the sender. It is not very reliable, as it can easily be forged.
- To: gives the name of the receiver.
- Subject: the subject of the message being sent.
Collecting information for forensics
We collect the data retrieved from the headers of the emails in the suspect's account and compile all of it together. This combined data is used to start the forensic analysis of the webmail. The chosen mails from the suspect's account are analyzed in the same way from the saved header details file. From that file we can extract several important pieces of information about the message, such as citations, sender details, receiver details, IP addresses, MIME version, DKIM signature and date.
These details should be correlated with one another in order to arrive at accurate information. The next stage of analysis begins once the evidence has been collected.
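As an added example that is not part of the original article, the following Python script parses a header saved as described above (the 'Show Original' text), pulls out the fields walked through in the list, and correlates them: it orders the Received hops, reads the SPF result and DKIM signing domain, and flags a From domain that does not match the Return-Path. The sample header and every host, IP address and id in it are constructed for this example.

```python
"""Extract the fields the article walks through from a saved webmail header
("Show Original" text). Every host, IP and id in the sample is constructed."""
import re
from email.parser import HeaderParser
from email.utils import parseaddr

RAW_HEADER = """\
Delivered-To: victim@example.com
Received: from mx.example.com ([192.0.2.10]) by mail.example.com with ESMTPS id a1b2c3; Mon, 01 Jan 2024 10:00:05 +0000
X-Received: by 192.0.2.11 with SMTP id d4e5f6; Mon, 01 Jan 2024 10:00:04 +0000
Return-Path: <bounce@mailer.example.net>
Received: from sender-pc (unknown [203.0.113.7]) by smtp.mailer.example.net with ESMTP id g7h8i9; Mon, 01 Jan 2024 10:00:01 +0000
Received-SPF: pass (example.com: domain of mailer.example.net designates 203.0.113.7 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.example.net; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB
Message-ID: <20240101100001.abc123@mailer.example.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
From: "Bank Support" <support@bank.example.org>
To: victim@example.com
Subject: Account notice
"""

IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def addr_domain(header_value):
    """Domain of the first address in a header value, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def parse_header(raw):
    """Return the items an examiner correlates first, as a plain dict."""
    msg = HeaderParser().parsestr(raw, headersonly=True)
    # Each relay prepends its own Received line, so the top one is the
    # recipient-side server and the bottom one is the sender-side server.
    hop_ips = [m.group(1) for m in map(IP_IN_BRACKETS.search, msg.get_all("Received", [])) if m]
    spf = re.match(r"(\w+)", msg.get("Received-SPF", ""))
    dkim = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    from_dom, rp_dom = addr_domain(msg.get("From")), addr_domain(msg.get("Return-Path"))
    return {
        "hop_ips": hop_ips,                              # recipient side first
        "origin_ip": hop_ips[-1] if hop_ips else None,   # bottom Received line
        "return_path": parseaddr(msg.get("Return-Path", ""))[1],
        "spf_result": spf.group(1) if spf else None,
        "dkim_domain": dkim.group(1) if dkim else None,
        "message_id": msg.get("Message-ID"),
        # From is trivially forged; a mismatch with Return-Path is the first flag.
        "from_matches_return_path": bool(from_dom) and from_dom == rp_dom,
    }
```

Replace RAW_HEADER with the contents of the saved header file to run it against a real message; the bottom Received hop and the SPF/DKIM domains are then correlated against the From line before any conclusion about the sender is drawn.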
Webmail forensics analysis plays a very important role in the field of digital forensics when investigating the emails in a suspect's account. Though several methods have been established to investigate webmail and its components, some of them do not work on spoofed or deleted emails. A forensic investigation tool must meet all the standards of an investigation that involves extracting evidence from webmail, so that the evidence can be used against the suspect in the forensic investigation.