TECHNIQUES AND TOOLS FOR FORENSIC INVESTIGATION OF E-MAIL
M. Tariq Banday
P. G. Department of Electronics and Instrumentation Technology University of Kashmir, Srinagar - 6, India firstname.lastname@example.org
E-mail has emerged as the most important application on Internet for communication of messages, delivery of documents and carrying out of transactions and is used not only from computers but many other electronic gadgets like mobile phones. Over a period of year’s e-mail protocols have been secured through several security extensions and producers, however, cybercriminals continue to misuse it for illegitimate purposes by sending spam, phishing e-mails, distributing child pornography, and hate emails besides propagating viruses, worms, hoaxes and Trojan horses. Further, Internet infrastructure misuse through denial of service, waste of storage space and computational resources are costing every Internet user directly or indirectly. It is thus essential to identify and eliminate users and machines misusing e-mail service. E-mail forensic analysis is used to study the source and content of e-mail message as evidence, identifying the actual sender, recipient and date and time it was sent, etc. to collect credible evidence to bring criminals to justice. This paper is an attempt to illustrate e-mail architecture from forensics perspective. It describes roles and responsibilities of different e-mail actors and components, itemizes meta-data contained in e-mail headers, and lists protocols and ports used in it. It further describes various tools and techniques currently employed to carry out forensic investigation of an e-mail message.
E-mail Forensics; E-mail Headers; E-mail Security; Header Analysis; E-mail Architecture
E-mail system comprises of various hardware and software components that include sender’s client and server computers and receiver’s client and server computers with required software and services installed on each. Besides these, it uses various systems and services of the Internet. The sending and receiving servers are always connected to the Internet but the sender’s and receiver’s client connects to the Internet as and when required. An e-mail communication between a sender ‘Alice’ having e-mail address ‘email@example.com’ and recipient ‘Bob’ having e-mail address ‘firstname.lastname@example.org’ is shown in figure 1. ‘Alice’ composes an e-mail message on her computer called client for ‘Bob’ and sends it to her sending server ‘smtp.a.org’ using SMTP protocol. Sending server performs a lookup for the mail exchange record of receiving server ‘b.org’ through Domain Name System (DNS) protocol on DNS server  ‘dns.b.org’. The DNS server responds with the highest priority mail exchange server ‘mx.b.org’ for the domain ‘b.org’. Sending server establishes SMTP connection with the receiving server and delivers the e-mail message to the mailbox of ‘Bob’ on the receiving server. ‘Bob’ downloads the message from his mailbox on receiving server to local mailbox on his client computer using POP3  or IMAP  protocols. Optionally, ‘Bob’ can also read the message stored in his server mailbox without downloading it to the local mailbox by using a Webmail program.
DOI : 10.5121/ijnsa.2011.3617
International Journal of Network Security & Its Applications (IJNSA), Vol.3, No.6, November 2011
Figure 1: E-mail communication between a sender ‘Alice’ and recipient ‘Bob’
2. E-MAIL ACTORS, ROLES AND RESPONSIBILITIES
E-mail is a highly distributed service involving several actors that play different roles to accomplish end-to-end mail exchange . These actors fall under “User Actors”, “Message Handling Service (MHS) Actors” and “ADministrative Management Domain (ADMD) Actors” groups. User Actors are people, organizations or processes that serve as sources or sinks of messages. They can generate,...