Advanced Electronic Discovery

Crimes Involving Email

There are a great number of crimes that involve email. There are even many noncomputer related crimes that involve extracting email messages. Different types of devices can generate email messages. From desktop computers, laptops, smartphones and PDAs.

Emails messages are generally sent from a users computer and then sent to a mail server. At this point, the users computer is finished with the process and the mail server will deliver the message. It’s important to know that depending on the network environment, mail servers can be located anywhere in the world. Mail servers can be internal to a corporate or local to a computer or sitting in a large data warehouse. Mail servers forward the message through an organizations network and/or the Internet to the recipients mail server. The message then resides on this second mail server and is available for the recipient to access. A software program known as an email client, such as Microsoft Outlook, is used to read the email message. A forensic investigator can find email message may reveal information such as the following:

• Email messages related to an investigation
• Email addresses related to an investigation
• Sender and recipient information
• Information about individuals copied on the email message
• Date and Time Information
• Attachments
• Internet Protocol (IP) addresses
  

Email messages can be stored on a number of devices as well. Devices that can store email messages include netbook, desktop PCs, laptops, USB storage devices, smartphones, servers, and external hard drives. As a forensic investigator, you should train first responders to look for these devices and gather these devices as evidence.

Emails have what are known as email headers. These headers of an email message provide a great deal of information to you as a forensic investigator. The standard for email format including the header is RFC 2822. IT is important that all email uses the same format. That is why you can send an email from outlook on a Windows 8 PC and the recipient can read it from a Hotmail account on an Android phone that runs Linux. This is because all email programs use the same email format, regardless of what operating system they run on.

Email message header includes the following information:

• From: the email address and possible name of the sender.
• Date: the local time and date when the message was written.
• Message ID: an automatically generated field.
• In-reply-to: the message id of the message that this is a reply to; also used to link related messages together.
• Subject: a brief summary of the topic of the message.
• To: the email address and name of the recipient(s).
• Cc: carbon copy; a copy is sent to secondary recipients.
• Bcc: blind carbon copy; a copy is sent to addresses added to the SMTP delivery list while the Bcc address remains invisible to other recipients.
• Content-type: Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extension (MIME) type.
• Precedence: Commonly with values “bulk”, “junk” or “list”; used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of the mailing list.
• Received: Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first)
• Reference: message id of the message to which this is a reply.
• Reply-to: address that should be used to reply to the message.
• Sender: address of the actual sender acting on behalf of the author listed in the from field.
  

It’s important to know that there is a wealth of information available within an email header, therefore, a thorough examination is very critical to an investigation.

Email operates on three protocols. These protocols are Simple Mail Transfer Protocol (SMTP), Post Office Protocol version 3 (POP3) and Internet Message Access Protocol (IMAP).

It’s important to know that emails can be faked. Criminals may fake their email messages and use email programs that strip the message header from an email before it gets delivered to the recipient. This is to prevent the information found within an email header from being traced back to the hacker. Hackers may also set up bogus or temporary email accounts to send out these malicious email messages as well. Free email accounts are easy to set up from a number of services such as Yahoo!, Gmail, Hotmail, and several others. Each of these free services allows a user to create their account using any desired and available name.

Email messages can be spoofed. Spoofing involves making an email message appear to come from someone or someplace other than the real sender or location. The email sender uses a software tool that is readily available on the Internet to cut out his or her IP address and replace it with someone else’s IP address. However, the first machine to receive the spoofed message records the machine’s real IP address. Thus, the header contains both the faked IP and the real IP address. Unless, of course, the hacker is clever enough to have also spoofed their actual IP address.