OF EMAIL
BY
Dr.K.SRINIVAS
Cyber forensics
• Cyber forensics, also known as computer forensics or
digital forensics, is the process of collecting and
analyzing digital evidence. It's used to investigate
cyberattacks and other illegal activities.
• Email forensics involves investigating emails to gather
evidence for legal or investigative purposes. It focuses
on analyzing email content, headers, attachments, and
metadata to establish facts or track the origin of emails.
Anti-forensics, on the other hand, refers to techniques
used to evade or hinder forensic investigation efforts.
• The two parts of an email are the header and the body.
The body of the message contains the message itself,
while the header contains metadata such as the
message’s origin, delivery date, and destination
address. Analyzing email headers is one of the most
typical jobs in computer forensics, and it may be
beneficial if we have questions about the legitimacy of
an email sender.
• Objectives
• To determine whether or not the email is genuine.
• To look into incidents of cybercrime that include the
usage of emails.
• Email Header Analysis
• The analysis of the email header is the first step in
email forensics since it includes a wealth of information
about the email content. This examination includes both
the text body and the email header, which contains
information about the specific email. Email header
analysis aids in the detection of most email-related
crimes such as spear phishing, spamming, and email
spoofing. One can tell if an email is from a faked or
legitimate address by looking at the email headers.
• Full Explanation of Email Analysis
• Delivered To: This header field contains the email
address of the intended recipient.
• Received By: This field includes information about the
previous SMTP server the message passed through. The
following details are revealed:
• Server’s IP address
• SMTP ID of the visited server
• Date and time at which the email was received by the
SMTP server.
• X-Received: Some email parameters are not defined in
Internet Official Protocol Standards and are called non-
standard headers. These are generated by mail transfer
agents, such as Google’s SMTP server, which employ
the X-Received field to share non-standard information.
This field should not be overlooked while examining
email headers because it contains the following
information:
• IP address of the message-receiving servers
• SMTP ID of the server
• Date and time at which the email was received.
• ARC-Seal: This header contains a signature that includes
the ARC-Message-Signature and the information from
the ARC Authentication Results header.
• ARC-Message-Signature: This is a DKIM-like signature
and takes a snapshot of the message header
information. This includes to, from, subject and body.
• Received-SPF: The Sender Policy Framework (SPF) is a
security framework for email that verifies the sender.
Only once the sender’s identity has been verified does
the system forward the message. The following codes
are used:
• Pass: Email source is valid
• Soft fail: Fake source possible
• Neutral: Source validity difficult to ascertain
• None: SPF record not found
• Unknown: SPF check can’t be performed
• Error: An error occurring during SPF check
• ARC Authentication Results: This header contains email
authentication results like SPF, DKIM, and DMARC.
• DKIM, or Domain Keys Identified Mail, lets an
organization (or handler of the message) take
responsibility for a message that is in transit. DKIM
attaches a new domain name identifier to a message
and uses cryptographic techniques to validate
authorization for its presence. DKIM allows the receiver
to check that an email claimed to have come from a
specific domain was indeed authorized by the owner of
that domain. The following are the various tags of the
DKIM signature header:
• v: version of the DKIM specification used.
• a: signing algorithm used (for example rsa-sha256).
• c: algorithms used for canonicalization.
• s: selector record name used with the domain.
• h: signed header fields that are fed into the signing
algorithm to create the hash in the b= tag.
• bh: hash of the message body.
• b: hash data of the headers listed in the h= tag. It’s
also called the DKIM signature.
• d: domain used with the selector record.
• So, we can say it is a valid email as DKIM, SPF, DMARC are passed,
which means email source is legit.
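Reading the DKIM-Signature tags and the SPF/DKIM/DMARC verdicts out of the headers, as an added Python example that is not part of the slides; the sample headers, domains and hash values are constructed placeholders, and the signature itself is not cryptographically verified.

```python
import re
from email import message_from_string

# Constructed sample (not a real message). bh= and b= are placeholders, so the
# signature is only read, not verified, as an investigator does on a first pass.
SAMPLE = """\
ARC-Authentication-Results: i=1; mx.example.net;
       dkim=pass header.i=@example.org header.s=sel1;
       spf=pass smtp.mailfrom=sender@example.org;
       dmarc=pass (p=REJECT) header.from=example.org
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org; s=sel1;
       h=from:to:subject:date; bh=PLACEHOLDERBODYHASH=; b=PLACEHOLDERSIG=
From: Sender <sender@example.org>

body
"""

SPF_MEANING = {  # meaning of each SPF result code, as listed on the slides
    "pass": "email source is valid",
    "softfail": "fake source possible",
    "neutral": "source validity difficult to ascertain",
    "none": "SPF record not found",
    "unknown": "SPF check can't be performed",
    "error": "error during SPF check",
}

def parse_dkim_tags(value):
    """Split a DKIM-Signature value into its tag=value pairs (v, a, c, d, s, h, bh, b)."""
    tags = {}
    for part in value.split(";"):
        if "=" in part:
            key, val = part.split("=", 1)  # b= and bh= contain '=' padding, so split once
            tags[key.strip()] = "".join(val.split())  # folding whitespace is not significant
    return tags

def parse_auth_results(value):
    """Extract method=result pairs for spf, dkim and dmarc from an Authentication-Results value."""
    return {m.lower(): r.lower() for m, r in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value, re.I)}

def assess(raw):
    """Summarise what the headers say about the message's authenticity."""
    msg = message_from_string(raw)
    results = parse_auth_results(msg.get("ARC-Authentication-Results", ""))
    dkim = parse_dkim_tags(msg.get("DKIM-Signature", ""))
    return {
        "spf_meaning": SPF_MEANING.get(results.get("spf"), "no SPF result"),
        "dkim_domain": dkim.get("d"),
        "signed_headers": dkim.get("h", "").split(":"),
        "all_pass": all(results.get(m) == "pass" for m in ("spf", "dkim", "dmarc")),
    }
```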
ANALYSIS OF FAKE EMAIL
• From the ARC-Authentication-Results, spf = softfail means
a fake source is possible. The value dmarc = fail suggests
that the source isn’t legit.
• Return-Path: <[email protected]>
This field contains the email address to which the
message is returned in case it fails to reach the
intended recipient. This can easily happen if the sender
has used a wrong email address for the recipient.
• As we can notice in From: Softwarica college
<[email protected]>, the email claims
to have originated from Softwarica college. However,
the Received header shows that the email actually
originated from emkei.cz, which is a publicly available
fake email service.
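Tracing the Received chain and comparing the origin host with the From domain, as an added Python example that is not part of the slides; the hosts, IP addresses and timestamps in the sample are constructed placeholders standing in for the spoofed message discussed above.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample modelled on the spoofed message above: From claims one
# domain, but the earliest Received hop (the origin) names another server.
SPOOFED = """\
Received: from mx.example.net (mx.example.net [198.51.100.5])
        by inbox.example.net with ESMTP id abc123;
        Mon, 01 Jan 2024 10:00:05 +0000
Received: from fake-mailer.example.com (fake-mailer.example.com [203.0.113.9])
        by mx.example.net with ESMTP id xyz789;
        Mon, 01 Jan 2024 10:00:01 +0000
From: College <someone@college.example.edu>

body
"""

def parse_received(value):
    """Pull the claimed host, its IP, the receiving server and the timestamp out of one Received value."""
    value = " ".join(value.split())  # unfold the header
    frm = re.search(r"\bfrom\s+(\S+)", value)
    ip = re.search(r"\[([0-9.]+)\]", value)
    by = re.search(r"\bby\s+(\S+)", value)
    date = value.rsplit(";", 1)[1].strip() if ";" in value else ""
    return {
        "from": frm.group(1) if frm else None,
        "ip": ip.group(1) if ip else None,
        "by": by.group(1) if by else None,
        "date": parsedate_to_datetime(date) if date else None,
    }

def trace_hops(raw):
    """Hops in transit order. Each server prepends its Received line, so the last one is the origin."""
    msg = message_from_string(raw)
    return [parse_received(v) for v in reversed(msg.get_all("Received", []))]

def check_origin(raw):
    """Compare the From domain with the host that handed the message to the first relay."""
    hops = trace_hops(raw)
    from_domain = parseaddr(message_from_string(raw).get("From", ""))[1].rsplit("@", 1)[-1].lower()
    origin = (hops[0]["from"] or "").lower() if hops else ""
    same = origin == from_domain or origin.endswith("." + from_domain)
    return {"from_domain": from_domain, "origin_host": origin, "mismatch": not same, "hops": hops}
```

A mismatch is a lead, not proof: legitimate mail sent through a third-party provider also originates outside the From domain, which is why the SPF/DKIM/DMARC results are read alongside the hop chain.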
CONCLUSION
• To summarize, email headers include information such
as the sender’s IP address, internet service provider,
email client, and even location, as well as information
regarding the origin and course an email traveled
before arriving at its destination. The information might
be used to determine the validity of a suspicious email
or to prevent the sender from sending more emails. The
headers may also be used to identify header spoofing,
which is a strong sign that the email was sent with
malicious intent.