Investigator using a desk computer while talking on the phone during email forensics investigation Investigator using a desk computer while talking on the phone during email forensics investigation

Email Forensics & Header Analysis (Uncovering Phishing Threats)

Have you ever received an email that seemed suspicious, or worry about getting hacked by interacting with an email? With the rise of phishing attacks, data breaches leaking email addresses, and novel exploits, it’s more important to be able to identify and investigate potentially malicious emails. Luckily, thanks to email forensics and header analysis, you can uncover phishing threats and protect yourself and your organization.

Email forensics is the process of identifying, analyzing, and preserving email-related evidence. Generally, this technique is used to investigate and recover evidence in cybercrime cases or other illegal activities. It involves techniques like header analysis, metadata extraction, and email tracing.

While many of us may have heard of email forensics, few of us know what it entails or how it can be used to uncover valuable evidence. Let’s take a closer look and discover what makes email forensics such an essential skill for today’s investigators.

Investigator using a desk computer while talking on the phone during email forensics investigation

What Is Email Forensics

Email forensics is a specialized field of computer forensics that deals with the investigation of emails to gather digital evidence related to cyber-security attacks and cyber incidents.

In simple terms, it is like being a detective who investigates email messages to find clues and information related to a crime.

During an email forensics investigation, various aspects of the email are analyzed such as message IDs, transmission routes, attached files and documents, and IP addresses of servers and computers.

The objective of the investigation is to collect digital evidence in a forensically sound manner, which can then be used to identify the culprits and crack the crime. In other words, email forensics helps to provide an accurate and reliable account of what happened in a particular cyber incident, allowing organizations (and individuals) to take appropriate actions to prevent future attacks.

Applications

Some of the most common applications of this type of computer forensics include:

  1. Incident Response: Email forensics is often used in incident response to identify the source of a security breach or cyber-attack involving emails. It helps organizations to understand the extent of the damage caused and to take appropriate actions to prevent future attacks.
  2. Intellectual Property Theft: Email forensics can be a viral component in investigating cases of intellectual property theft, where an employee or a third party may have stolen sensitive information through emails.
  3. Harassment and Bullying: Email forensics is also used to investigate cases of harassment and bullying through emails, where the source of the emails needs to be identified and appropriate action taken.
  4. Fraud Investigations: Digital forensic analysis is typically part of fraud investigation, where emails were used as a means of communication to perpetrate fraudulent activities.

Investigators have several legal considerations when conducting digital forensics, including compliance with several layers of laws and regulations related to data privacy, electronic communication, and evidence handling.

For instance, email forensics investigators must ensure that they obtain proper legal authorization to access and analyze email data, and they must comply with relevant laws and regulations related to the handling of electronic evidence. Failure to comply with legal requirements can lead to excluding evidence in court, and may also result in legal liabilities and penalties.

Ethics

Ethical considerations in email forensics include issues related to privacy, confidentiality, and data protection.

Email forensic investigators must ensure that they respect the privacy of individuals whose emails are being analyzed and protect confidential information from unauthorized disclosure. They must also ensure that the data is protected from unauthorized access or alteration.

Additionally, email forensics investigators must adhere to ethical standards and principles, such as the Association of Digital Forensics, Security, and Law (ADFSL), which outlines principles such as integrity, objectivity, confidentiality, and professional competence.

Many people think opening an anonymous email account can bypass tracking. It turns out that email forensics can be a powerful tool for investigators in identifying anonymous emails.

Law enforcement it workers in server room talking about email forensics

Can Police Trace Anonymous Emails Through Forensic Analysis?

Emails can be an effective means of communication, but they can also be used for malicious purposes, such as sending threats, phishing scams, or other illegal activities. In some cases, the sender may try to hide their identity by opening an anonymous email account, making it difficult for authorities to track them down.

However, it is possible for police to trace anonymous emails through forensic analysis.

Methods Used to Trace Anonymous Emails

When an email is sent, it leaves a digital trail that can be traced back to the sender.

Law enforcement agencies may use tools to examine the email header, which contains information such as the sender’s IP address, email client, and other technical details.

This header information can lead police to contact mail providers and, via legal requests for information, can obtain tracking information such as logs, message content, and network information to guide their investigation.

Law enforcement agencies may employ other investigative techniques, such as social engineering and undercover operations, to identify the sender alongside technical capabilities.

It’s important to note that the effectiveness of forensic analysis may depend on a variety of factors, such as the sophistication of the sender’s methods, the availability of resources, and other legal considerations such as jurisdiction and so-called “need to know”.

Limitations and Challenges in Tracing Anonymous Emails

Despite advanced technical capabilities, there are several limitations and challenges associated with tracing anonymous emails.

For example, the effectiveness of forensic analysis may depend on the sophistication of the sender’s methods. Sophisticated cybercriminals may use advanced techniques to hide their identity, such as using multiple VPNs or proxy servers.

Additionally, authorities may face legal or jurisdictional challenges, particularly when dealing with international borders. The high cost of forensic analysis and the limited availability of resources may constrain the investigation.

It’s also worth noting that there are legal considerations associated with tracing anonymous emails.

Investigators must obtain a court order or a warrant before accessing the contents of the email or other related information. Additionally, law enforcement agencies must comply with data protection regulations and respect individuals’ privacy rights.

If onward litigation is required based on email tracking, investigators must obtain email evidence that preserves the admissibility in court proceedings.

Even if you’re not involved in legal proceedings around tracking anonymous emails, it’s worth knowing some basics around tracking emails.

Man at desk with computers performing email header analysis

Email Header Analysis for Phishing Investigation & Prevention

First, phishing is a type of social engineering attack where an attacker impersonates a legitimate entity or person, typically over email, and attempts to trick the recipient into sharing sensitive information or downloading malware.

Email header analysis can be a helpful technique in investigating and preventing phishing attacks.

Email headers contain information about the email’s origin, destination, routing, and delivery. They are crucial in identifying the source and authenticity of an email.

Analyzing email headers involves examining the various fields in the email header, such as the sender’s IP address, domain, and email client. This process can help identify any anomalies or inconsistencies that may indicate a phishing attempt. For instance, a suspicious email header may contain a forged sender’s address, unusual email routing, or unexpected email servers.

To conduct email header analysis, one can use various techniques such as examining the email’s raw source code, using email header analyzer tools, or checking email authentication protocols such as SPF, DKIM, and DMARC.

Identifying suspicious email headers involves looking out for certain indicators, such as the use of uncommon email servers or domains, the presence of spelling or grammatical errors, or unexpected variations in the sender’s email address.

The effects of email header analysis on curbing phishing attempts are significant. It enables email recipients to verify the legitimacy of an email before taking any action, such as clicking on a link or downloading an attachment. Moreover, email header analysis can help identify and block malicious email sources, preventing further phishing attempts.

So, what do you do with this information? Your first stop to should now be to inspect the headers of suspicious email opening attachments or clicking links, particularly if it is from an unknown or “odd looking” senders (more on this later).

Moreover, pay attention to the email authentication protocols such as SPF, DKIM, and DMARC. Emails that pass these protocols help legitimize and email, but should not a guaranteed confirmation that an email is safe.

Now that you understand a bit about email header analysis, naturally you may want to look for an email forensics tool that will help decode suspect emails.

Concept art businessman touching virtual message spam and phishing alerts

How to Use Email Header Analyzer Tools

There’s no shortage of applications specifically designed to extract and analyze the metadata information contained in email headers. This information provides insights into the origin and path of an email, allowing users to identify potential spam or phishing attempts, track email delivery, and troubleshoot email delivery issues.

Popular email analysis tools include

  • MX Toolbox will analyze the domain (second part after the @ symbol) and to check for its validity. Their SuperTool can run an SMTP test to give you additional reports like a blacklist checking and whois owner lookup.
  • Mail Header Analyzer will translate the IP addresses from pasted email header information into the likely sender of the message, including an approximate location of the sender’s server.
  • Gaijin.at is an email header analyzer that can parse a raw header information to help make sense of the seemingly random set of fields

For novice users, ChatGPT can be a helpful tool to analyze email headers. ChatGPT can provide explanations and guidance on the various components of email headers and help users interpret the information provided by the analyzer tools. By inputting an email header into ChatGPT, users can receive actionable advice on how to address potential issues or identify suspicious emails.

AI has been in use for email header analysis and forensics, enabling more advanced analysis and faster detection of potential threats. For instance, AI algorithms can detect anomalies or suspicious patterns in email headers, which can indicate a phishing attempt or a compromised email account. This type of tool is already deployed in major emails providers like Gmail, Apple mail, and Microsoft Outlook. Mail that has automatically been filtered into your Spam or Junk folder likely includes a reason which was derived from an AI analysis.

But, there’s even an easier way to identify phishing attempts and track email sources. I use this lower-tech method daily.

Odd-Looking Senders & Your “To” Address

As promised, there are a couple of ways to track email sources but require an upfront change to how you use email.

Email Forensics Using Aliasing Or Forwarding

I create new SimpleLogin email addresses for each company I do business with. This allows me to isolate when a company has had a data breach or my email is sold and abused.

This Just Happened: I recently started receiving emails, supposedly from Coinbase, to my email address designated for UnstoppableDomains. Using a unique To address gave me a solid indicator that these emails are likely part of a phishing attempt. The fact that I am receiving emails from an odd-looking sender, using an email address that should only be known by UnstoppableDomains, is a clear red flag.

By paying attention and carefully reading the From and To address of each suspicious email,

AnonAddy and MySudo are alternatives to SimpleLogin that provide the same sort of service, but there’s even a free method.

Free Email Tagging

As an alternative to using a forwarding service, you can start use plus tagging when providing your email address.

Plus tagging involves adding a plus sign (+) and a unique identifier to the username part of your email address before the at symbol (@). For instance, you can tag your email address as [email protected] as your username for Amazon.

By using plus tagging, you can create different tags for different services or websites you sign up for, making it easier to identify which service or website may have leaked your email address if you start receiving spam emails to a particular tag. This can help you take appropriate actions, such as revoking access to the service or website and changing your password.

While plus tagging may not provide the same level of privacy and security as SimpleLogin, it is a useful technique for reducing the amount of spam you receive and tracking down the source of unwanted emails.

You have just explored a tiny fraction of the vast world of email forensics, header analysis, and phishing prevention. With the increasing sophistication of cyber threats, it is essential to equip yourself with the knowledge and skills necessary to protect your organization and yourself from potential harm.

In fact, here are some common questions and answers to expand your understanding of information security and investigations. Remember, staying informed and proactive is the key to staying safe in the ever-evolving digital landscape.

Other Questions You Might Have

What are the benefits of using AI technology in email forensics investigations?

The benefits of using AI technology in email forensics investigations include faster analysis of large amounts of data, improved accuracy in identifying potential threats and anomalies, and the ability to detect patterns and trends that may be missed by human investigators.

What are some limitations of email header analysis for investigating phishing attacks?

Some limitations of email header analysis for investigating phishing attacks include the sophistication of the attacker’s methods, legal and jurisdictional challenges, and the high cost of forensic analysis and limited availability of resources.

Can email header analysis tools prevent all phishing attacks?

No, email header analysis tools cannot prevent all phishing attacks. While email header analysis can help identify and block malicious email sources, cybercriminals can use sophisticated techniques to bypass email authentication protocols and disguise their email headers. Therefore, it is essential to combine email header analysis with other security measures such as employee training, two-factor authentication, and anti-phishing software.

What is the process for preserving email evidence in email forensics investigations?

The process for preserving email evidence in email forensics investigations involves ensuring the integrity of the data by creating forensic copies of the email data, ensuring the chain of custody, and using forensically sound methods to extract the evidence.

Can email forensics be used to recover deleted emails?

Yes, email forensics can be used to recover deleted emails. However, the effectiveness of the recovery process may depend on various factors, such as the duration of time since the email was deleted, the storage medium used, and the data retention policies of the email service provider.