Migden / Digital-Forensics

A repo designed for notes from the Digital Forensics Topic in TAFE Advanced Diploma

Email Analysis.md #8

Open Migden opened 2 months ago

Migden commented 2 months ago

Email Analysis


Introduction

Email is the most popular means of communication for businesses, so it is essential to understand how it works and how to investigate the metadata attached to email messages.

Objectives

Reading Email Headers


When reading email headers, it is always advised to start from the bottom. The email passes through several servers during transmission, and each one adds its own header above the existing ones, so the oldest data, the original details, sits at the bottom.

Now that we are at the bottom of the email, let's dissect the data.

Typically, when we view an email normally, the visible metadata contains the recipient's and sender's email addresses, the subject, and the date sent.

Analysing the full headers, however, reveals more important details. One is the Message-ID, which can be used to trace the original sender: a communication provider can use it to identify the sender and learn their IP address. It can also be used to determine whether the email was forwarded or is a reply.

Continuing up the email source, we find even more important information such as the Received header. The Received header provides the details of the first server that received the email.

The next headers are Received-SPF and DKIM-Signature; these are used to detect spoofed and tampered emails.

Scrolling up the email source to the top, we also see the ARC headers, which are similar to SPF and DKIM and tell whether the email passed authenticity tests. The X-Received header displays the server that received the email, and Delivered-To shows the final server that delivered the message to the recipient's inbox and the time of delivery.
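As an added example (not part of the original notes), the Python below walks a header block in the bottom-up order described above: it lists the Received hops oldest-first, pulls out the Message-ID and Delivered-To, and summarises the Received-SPF, DKIM-Signature and ARC verdicts. The sample message is constructed; every host, address and signature value in it is fictional.

```python
# Added example (not from the original notes); the sample message below is constructed and fictional.
import re
from email import policy
from email.parser import BytesParser

RAW_HEADERS = b"""\
Delivered-To: alice@example.org
Received: by 2002:a05:6000:1234:: with SMTP id abc123; Mon, 03 Jun 2024 09:15:02 -0700 (PDT)
ARC-Authentication-Results: i=1; mx.example.org; spf=pass smtp.mailfrom=sender.test; dkim=pass header.d=sender.test
Received-SPF: pass (example.org: domain of bob@sender.test designates 203.0.113.10 as permitted sender)
DKIM-Signature: v=1; a=rsa-sha256; d=sender.test; s=sel1; h=from:to:subject; bh=AAAA; b=BBBB
Received: from mail.sender.test (mail.sender.test [203.0.113.10])
        by mx.example.org with ESMTPS id 98765;
        Mon, 03 Jun 2024 09:15:00 -0700 (PDT)
Message-ID: <20240603161459.12345@mail.sender.test>

"""

def received_hops(msg):
    """Received headers oldest-first (bottom-up) as (from_host, by_host, timestamp)."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        flat = " ".join(value.split())  # unfold continuation lines
        m_from = re.search(r"\bfrom\s+(\S+)", flat)
        m_by = re.search(r"\bby\s+(\S+)", flat)
        stamp = flat.rsplit(";", 1)[-1].strip() if ";" in flat else ""
        hops.append((m_from.group(1) if m_from else None,
                     m_by.group(1) if m_by else None, stamp))
    return hops

def auth_summary(msg):
    """Spoofing/tampering indicators: SPF verdict, DKIM signing domain, ARC verdicts."""
    spf = msg.get("Received-SPF", "")
    dkim_d = re.search(r"\bd=([^;\s]+)", msg.get("DKIM-Signature", ""))
    arc = re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("ARC-Authentication-Results", ""))
    return {"spf": spf.split()[0].lower() if spf else "none",
            "dkim_domain": dkim_d.group(1) if dkim_d else None,
            "arc": dict(arc)}

def summarize(raw):
    msg = BytesParser(policy=policy.default).parsebytes(raw, headersonly=True)
    hops = received_hops(msg)
    return {"message_id": str(msg["Message-ID"]),
            "origin": hops[0][0] if hops else None,  # first server that handled the mail
            "first_receiver": hops[0][1] if hops else None,
            "delivered_to": str(msg["Delivered-To"]),
            "hops": hops, "auth": auth_summary(msg)}

if __name__ == "__main__":
    for key, val in summarize(RAW_HEADERS).items():
        print(f"{key}: {val}")
```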