Forensic Email Recovery Via Examining Internal Message Structure

Thousands of emails are sent and received every day, which makes them an important source of evidence in most litigation processes. It is now possible to recover deleted messages together with their header information, which includes timestamps, mail routing information, IP addresses and so on. Mail clients and servers often act as a database source, since they hold stores of mail, calendars, contacts and similar items. The three basic components of an email are the body, the header and the attachment. For recovery and analysis, it helps to look at an email in different views. Here is a list of mail views that assist in the forensic examination of messages and the recovery of evidence for litigation.

STEP 1

Normal View: This view gives the front-end information of a message. The subject of the email, the receiver's name, the sender's name, the date, the time, and whether or not it has an attachment are displayed here.

[Figure: normal mail view]


STEP 2

Hex View: This view shows the raw bytes of the message file as hexadecimal, so any change made to the hex code is reflected in the email. Each hexadecimal digit represents four binary bits; hexadecimal is simply a convenient way of reading the binary values stored by computers, using the digits 0-9 and A-F.

[Figure: hex view]
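The hex view matters because it shows what a text rendering silently normalises: line-ending style and bytes outside printable ASCII. The following Python is an added example, not code from the original article or from SysTools; the `hexdump` and `line_ending_stats` functions and the `SAMPLE` header block are constructed for illustration.

```python
"""Hex view of a raw email: dump the bytes and flag what the normal view hides."""


def hexdump(data: bytes, width: int = 16) -> list[str]:
    """Return classic hexdump lines: offset, hex bytes, printable-ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:08x}  {hex_part:<{width * 3 - 1}}  |{ascii_part}|")
    return lines


def line_ending_stats(data: bytes) -> dict:
    """Count CRLF vs bare-LF line endings, non-ASCII bytes and stray control bytes.

    A message that mixes line endings, or carries bytes a text viewer renders
    without comment, deserves a closer look during a forensic review.
    """
    crlf = data.count(b"\r\n")
    bare_lf = data.count(b"\n") - crlf
    non_ascii = sum(1 for b in data if b >= 128)
    control = sum(1 for b in data if b < 32 and b not in (9, 10, 13))
    return {"crlf": crlf, "bare_lf": bare_lf, "non_ascii": non_ascii, "control": control}


# Constructed sample (not a real message): two CRLF-terminated header lines,
# one bare-LF line, and a UTF-8 encoded non-ASCII character in the subject.
SAMPLE = (
    b"From: alice@example.com\r\n"
    b"Subject: Caf\xc3\xa9 receipt\n"
    b"To: bob@example.com\r\n"
)

if __name__ == "__main__":
    for line in hexdump(SAMPLE):
        print(line)
    print(line_ending_stats(SAMPLE))
```

Running the block prints the dump followed by the counts; the bare-LF line and the two non-ASCII bytes are visible in the hex columns but invisible in the normal view.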


STEP 3

Message Header View: The email header helps to determine the origin of a message or of spam. Thoroughly analyzing the header makes it possible to examine the origin and destination of the message, its metadata details, IP information and so on.

[Figure: message header view]


STEP 4

MIME View: This view shows the MIME structure of the message file, the format that lets a single email carry content of different types and file extensions. In short, it allows content from a range of files to be read out. HTML parts, with their attributes such as links, scripts, styles and objects, also appear in this view.

[Figure: MIME view]
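What the MIME view exposes is the part tree: which parts the message contains, how they nest, what each carries and how it is encoded. The following Python walks that tree with the standard library `email` package; it is an added example, not code from the article or from SysTools, and the multipart message in `RAW` together with the `mime_tree` and `attachments` functions are constructed for illustration.

```python
"""MIME view: walk the part tree of a raw message and list what each part carries."""
from email import message_from_bytes, policy

# Constructed sample (not a real message): a multipart/mixed container holding a
# multipart/alternative pair (plain text and HTML) plus one base64 attachment.
RAW = (
    b"From: alice@example.com\r\n"
    b"To: bob@example.com\r\n"
    b"Subject: report\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="outer"\r\n'
    b"\r\n"
    b"--outer\r\n"
    b'Content-Type: multipart/alternative; boundary="inner"\r\n'
    b"\r\n"
    b"--inner\r\n"
    b"Content-Type: text/plain; charset=utf-8\r\n"
    b"\r\n"
    b"See attached.\r\n"
    b"--inner\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b'<p>See <a href="http://example.com/">attached</a>.</p>\r\n'
    b"--inner--\r\n"
    b"--outer\r\n"
    b'Content-Type: application/octet-stream; name="report.bin"\r\n'
    b'Content-Disposition: attachment; filename="report.bin"\r\n'
    b"Content-Transfer-Encoding: base64\r\n"
    b"\r\n"
    b"AAECAw==\r\n"
    b"--outer--\r\n"
)


def mime_tree(raw: bytes) -> list[dict]:
    """Return one record per MIME part in document order, with its nesting depth."""
    msg = message_from_bytes(raw, policy=policy.default)
    records = []

    def visit(part, depth):
        records.append({
            "depth": depth,
            "content_type": part.get_content_type(),
            "filename": part.get_filename(),
            "encoding": part.get("Content-Transfer-Encoding"),
            # decoded size of leaf parts; containers have no payload of their own
            "size": None if part.is_multipart() else len(part.get_payload(decode=True)),
        })
        if part.is_multipart():
            for sub in part.iter_parts():
                visit(sub, depth + 1)

    visit(msg, 0)
    return records


def attachments(raw: bytes) -> list[tuple[str, int]]:
    """List (filename, decoded size) for every part declared as an attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [
        (part.get_filename(), len(part.get_payload(decode=True)))
        for part in msg.walk()
        if part.get_content_disposition() == "attachment"
    ]


if __name__ == "__main__":
    for rec in mime_tree(RAW):
        print("  " * rec["depth"], rec["content_type"], rec["filename"], rec["size"])
    print("attachments:", attachments(RAW))
```

The decoded size is computed after the transfer encoding is undone, so the base64 attachment reports its real four bytes rather than the eight characters on the wire; that is the figure an examiner wants when matching an attachment against a known file.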


STEP 5

Email Hop View: A hop of an email is a step on the routing path followed by a message between the source and the destination. This view helps to get details of the routers and gateways a message has passed through. For example, when a packet is passed from one device to another, a hop occurs. To check the number of hops for a mail, trace path commands are used.

[Figure: email hop view]
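The header view (Step 3) and the hop view (Step 5) are both read from the same place: the `Received` headers that each mail server prepends as the message passes through it, so the bottom-most header is the first hop and the top-most is the last. The following Python is an added example, not code from the article or from SysTools; the message in `RAW` uses documentation hostnames and addresses, and `HOP_RE`, `header_summary`, `hops` and `chain_consistent` are constructed for illustration.

```python
"""Header and hop view: read a message's front-end headers and its Received chain
in delivery order, with the delay at each hop and a consistency check on the chain."""
import re
from email import message_from_bytes, policy
from email.utils import parsedate_to_datetime

# Constructed sample (not a real message): a submission hop into mx2.example.net
# followed by a relay hop into mail.example.org, plus the usual front-end headers.
RAW = (
    b"Received: from mx2.example.net (mx2.example.net [203.0.113.20])\r\n"
    b"\tby mail.example.org with ESMTPS id 12345;\r\n"
    b"\tMon, 1 Apr 2024 10:00:10 +0000\r\n"
    b"Received: from client-host (unknown [198.51.100.7])\r\n"
    b"\tby mx2.example.net with ESMTPA id 67890;\r\n"
    b"\tMon, 1 Apr 2024 10:00:02 +0000\r\n"
    b"From: alice@example.com\r\n"
    b"To: bob@example.org\r\n"
    b"Subject: invoice\r\n"
    b"Date: Mon, 1 Apr 2024 09:59:58 +0000\r\n"
    b"Message-ID: <abc123@example.com>\r\n"
    b"\r\n"
    b"body\r\n"
)

# Pulls the "from <host> (... [<ip>]) by <host>" clause out of one Received header.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\bby\s+(?P<by>\S+)", re.S
)


def header_summary(raw: bytes) -> dict:
    """Header view: the front-end fields plus the message identifier."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {
        name: (str(msg[name]) if msg[name] is not None else None)
        for name in ("From", "To", "Subject", "Date", "Message-ID")
    }


def hops(raw: bytes) -> list[dict]:
    """Hop view: one record per Received header, oldest hop first."""
    msg = message_from_bytes(raw, policy=policy.default)
    records, prev_time = [], None
    for hdr in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        text = " ".join(str(hdr).split())             # collapse folding whitespace
        clause, _, stamp = text.rpartition(";")       # timestamp follows the last ';'
        m = HOP_RE.search(clause)
        when = parsedate_to_datetime(stamp.strip()) if stamp.strip() else None
        delay = (when - prev_time).total_seconds() if when and prev_time else None
        records.append({
            "from": m.group("from") if m else None,
            "ip": m.group("ip") if m else None,
            "by": m.group("by") if m else None,
            "time": when,
            "delay_s": delay,
        })
        prev_time = when or prev_time
    return records


def chain_consistent(records: list[dict]) -> bool:
    """True when each hop's receiving host is the next hop's sending host.

    A break in the chain means a relay did not record the hop or a Received
    header was inserted by someone other than a relay; either way it belongs
    in the examiner's report.
    """
    return all(a["by"] == b["from"] for a, b in zip(records, records[1:]))


if __name__ == "__main__":
    print(header_summary(RAW))
    for rec in hops(RAW):
        print(rec)
    print("chain consistent:", chain_consistent(hops(RAW)))
```

The per-hop delay is the difference between consecutive `Received` timestamps; large or negative values point at clock skew on a relay or at a header that was not written by the server it names, which is exactly the kind of detail the hop view is meant to surface.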


STEP 6

HTML View: The most immediate and appropriate way of reading text data is the HTML file format. The data in an HTML file is made up of tags that make it easy to read. An HTML file can be opened in a text editor such as Notepad or in a local browser.

[Figure: HTML view]
