Module 3, Part 2 of 6

Email Forensics

Learn to analyze email headers, trace message origins, detect spoofing attempts, and understand email protocols critical for cyber crime investigations.

🕑 2-2.5 hours 📚 Practical Skills 🔧 Tool: Email Header Analyzer

Introduction to Email Forensics

Email remains one of the most critical sources of evidence in cyber crime investigations. From phishing attacks and business email compromise to harassment and fraud, understanding how to analyze email evidence is an essential skill for every investigator.

Email forensics involves examining the complete email message, including its headers, body, and attachments, to determine its authenticity, trace its origin, and gather evidence for legal proceedings.

💡 Why Email Headers Matter
While email body content can be easily fabricated, email headers contain technical metadata that is much harder to forge completely. Headers record the path an email takes from sender to recipient, including IP addresses, timestamps, and server information that can be crucial for investigations.

Understanding Email Protocols

Before diving into header analysis, it is essential to understand the protocols that govern email transmission:

SMTP

Ports 25 (server-to-server relay), 587 (authenticated submission, usually with STARTTLS), 465 (submission over implicit TLS)

Simple Mail Transfer Protocol - used to submit mail and to relay it between servers. SMTP itself carries no headers: every server that handles a message prepends its own "Received" line, and the final receiving server records the envelope sender (the SMTP MAIL FROM address) as "Return-Path". These server-added headers form the transmission path that is used to trace an email's origin.

POP3

Port 110, 995

Post Office Protocol - downloads emails to the local device and, in its default configuration, deletes them from the server (most clients can be set to leave a copy). Investigation may therefore require examining the local email client's data files (for example Outlook PST/OST or mbox stores) rather than the server.

IMAP

Port 143, 993

Internet Message Access Protocol - keeps emails on the server and synchronises a local copy. Better for investigations because server-side copies, folder state and deleted-items folders remain accessible as long as the account and the provider's retention allow.
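The following is an added example, not part of this course's material or its Email Header Analyzer tool. It runs a toy SMTP exchange entirely on localhost so you can watch where the headers discussed above come from: a minimal receiving server stamps "Return-Path" and "Received" the way a real MTA does, while the client (Python's standard smtplib) sends an envelope sender that differs from the "From" header. All hostnames and addresses (mx.recipient.example, victim-corp.example, attacker.example) are hypothetical.

```python
"""Toy SMTP exchange on localhost showing how Return-Path and Received headers
are added by the receiving server, independently of the sender-controlled From:
header. Added example; every hostname and address here is hypothetical."""
import email
import smtplib
import socket
import threading
from email.message import EmailMessage
from email.utils import formatdate

SERVER_NAME = "mx.recipient.example"   # hypothetical receiving MTA


def handle_session(conn, peer_ip):
    """Serve one SMTP session and return the message as the server stores it."""
    rfile = conn.makefile("rb")

    def reply(text):
        conn.sendall((text + "\r\n").encode())

    reply(f"220 {SERVER_NAME} ESMTP ready")
    helo = mail_from = None
    body = []
    while True:
        line = rfile.readline()
        if not line:
            break
        cmd = line.decode(errors="replace").rstrip("\r\n")
        verb = cmd.split(" ", 1)[0].upper()
        if verb in ("HELO", "EHLO"):
            helo = cmd.split(" ", 1)[1] if " " in cmd else "unknown"
            reply(f"250 {SERVER_NAME}")
        elif verb == "MAIL":                    # envelope sender -> Return-Path
            mail_from = cmd.split(":", 1)[1].strip().strip("<>")
            reply("250 OK")
        elif verb == "RCPT":
            reply("250 OK")
        elif verb == "DATA":
            reply("354 End data with <CR><LF>.<CR><LF>")
            while True:
                data = rfile.readline().decode(errors="replace")
                if data.rstrip("\r\n") == ".":
                    break
                # undo SMTP dot-stuffing: a line sent as ".." was a single "."
                body.append(data[1:] if data.startswith("..") else data)
            reply("250 OK queued")
        elif verb == "QUIT":
            reply(f"221 {SERVER_NAME} closing")
            break
        else:
            reply("500 command not recognised")
    rfile.close()
    # The receiving MTA prepends what it observed itself: the envelope sender
    # and the peer it accepted the connection from. The From: header is untouched.
    stamped = (f"Return-Path: <{mail_from}>\r\n"
               f"Received: from {helo} ([{peer_ip}])\r\n"
               f"\tby {SERVER_NAME} with ESMTP; {formatdate()}\r\n")
    return stamped + "".join(body)


def run_exchange():
    """Run server and client in-process; return the parsed stored message."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    listener.settimeout(10)
    port = listener.getsockname()[1]
    stored = {}

    def serve():
        conn, addr = listener.accept()
        conn.settimeout(10)
        with conn:
            stored["raw"] = handle_session(conn, addr[0])
        listener.close()

    thread = threading.Thread(target=serve)
    thread.start()

    msg = EmailMessage()
    msg["From"] = "CEO <ceo@victim-corp.example>"      # what the recipient sees
    msg["To"] = "finance@victim-corp.example"
    msg["Subject"] = "Urgent wire transfer"
    msg.set_content("Please process the attached invoice today.")
    with smtplib.SMTP("127.0.0.1", port, timeout=10) as client:
        # MAIL FROM is chosen freely by the sender and need not match From:
        client.send_message(msg, from_addr="bounce@attacker.example",
                            to_addrs=["finance@victim-corp.example"])
    thread.join()
    return email.message_from_string(stored["raw"])


if __name__ == "__main__":
    m = run_exchange()
    for name in ("Return-Path", "Received", "From"):
        print(f"{name}: {m[name]}")
```

Run it and compare the three printed headers: "From" still claims the CEO, while "Return-Path" shows the attacker's bounce address and "Received" shows the connecting peer. This is exactly the Return-Path versus From discrepancy, and the server-added path, that header analysis relies on; in a real investigation the "Received" line of the recipient's own server is the trustworthy one.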

🕵 Investigator Note: Server Logs
Email service providers maintain server logs (SMTP transaction logs, account login records and access IP addresses) that can provide additional evidence beyond what is visible in headers. When conducting formal investigations, legal process (such as a Section 91 CrPC summons, now Section 94 of the BNSS 2023, or a court order) may be needed to obtain these logs from providers like Gmail, Yahoo, or corporate email servers.

Email Header Analysis

Email headers are read from bottom to top: each server that handles the message adds its "Received" entry above the existing ones, so the oldest entries (closest to the original sender) appear at the bottom, while the entry added by the recipient's own server appears at the top.

Key Header Fields for Investigation

1

Received Headers (Most Important)

Read from bottom to top. Each "Received" line records one server that handled the email: the connecting host's name and IP address, the receiving server's name, and a timestamp with its timezone offset. The bottommost "Received" header is closest to the actual sender. It often shows a private address (10.x.x.x, 172.16-31.x.x, 192.168.x.x) from the sender's LAN or mail client, in which case the first public IP further up the chain is the one to trace. Entries below those added by the recipient's own servers could have been written by the sender, so treat them as claims to be corroborated rather than facts.

2

X-Originating-IP

Some email providers and corporate mail systems add this header, recording the IP address from which the client connected to compose or submit the email. When present it is extremely valuable, but most major webmail providers (Gmail included) no longer add it for messages sent through their web interface, and the address it records can be a VPN, proxy or mobile-carrier NAT address rather than the sender's own connection.

3

Return-Path / Reply-To

Two different things, both worth comparing with the "From" address. "Return-Path" is the envelope sender (SMTP MAIL FROM) recorded by the receiving server; it is where bounces go and is set independently of the visible "From". "Reply-To" is set by the sender and tells the mail client where replies should go. A discrepancy in either may indicate spoofing or a redirect scheme used in phishing attacks, though bulk mailers and mailing lists legitimately use a different Return-Path.

4

Message-ID

A unique identifier assigned by the sending client or the first server; the part after "@" often names the originating system. Useful for tracking the same email across different systems and for verifying whether multiple reports reference the same message. Like the "From" address, it is set by the sender and can be forged.

5

Authentication Headers (SPF, DKIM, DMARC)

Modern receiving servers record their checks in an "Authentication-Results" header. SPF checks that the sending IP is authorised by the envelope sender's (Return-Path) domain; DKIM verifies a cryptographic signature over selected headers and the body against a public key in the signing domain's DNS; DMARC checks that SPF or DKIM passed for a domain aligned with the "From" header domain and reports the domain owner's policy (none, quarantine or reject). An SPF "pass" alone does not prove the "From" address is genuine, since an attacker's own domain passes SPF for its own servers; a DMARC "pass" is the meaningful signal, and "fail" suggests spoofing. Only trust the Authentication-Results added by the recipient's own server (named at the start of the header), because a sender can insert fake ones.


Detecting Email Spoofing

Email spoofing is the practice of sending emails with a forged sender address. Criminals use spoofing for phishing, business email compromise, and impersonation attacks. Here are key indicators of a spoofed email:

Mismatched Domains

The "From" address shows one domain but the "Received" headers show the email entered the recipient's servers from a completely different organisation's server. Note that legitimate third-party mailers (newsletter platforms, ticketing systems) also produce this pattern, so check it alongside the authentication results.

Authentication Failures

SPF, DKIM, or DMARC checks show "fail" (or, for SPF, "softfail") in the Authentication-Results header added by the recipient's own server.

Reply-To Mismatch

The Reply-To address differs from the From address, potentially directing responses to an attacker-controlled mailbox.

Suspicious IP Origins

X-Originating-IP, or the first public IP address in the bottommost "Received" headers, belongs to an unexpected country, a hosting provider or VPN service, or a known malicious network.
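The following is an added example, not the course's Email Header Analyzer tool, that applies the header-analysis and spoofing-detection points above to a constructed header block: it walks the "Received" chain bottom-up, picks the first public IP, parses the Authentication-Results header and compares the From, Reply-To and Return-Path domains. The headers, hostnames and addresses are all constructed for illustration and the IP addresses come from the documentation ranges, which is why the code excludes only LAN, loopback and link-local ranges rather than relying on a generic "is public" test.

```python
"""Walk Received headers bottom-up, find the first public hop, read
Authentication-Results and compare sender-address fields. Added example;
the header block below is constructed and every name in it is hypothetical."""
import ipaddress
import re
from email import message_from_string
from email.utils import parseaddr

RAW_HEADERS = """\
Return-Path: <bounce@mailer-fast.example>
Received: from mx1.victim-corp.example (mx1.victim-corp.example [203.0.113.10])
    by mail.victim-corp.example with ESMTPS id k7Qz3
    for <finance@victim-corp.example>; Tue, 5 Mar 2024 10:15:42 +0000
Received: from relay.mailer-fast.example (relay.mailer-fast.example [198.51.100.25])
    by mx1.victim-corp.example with ESMTP; Tue, 5 Mar 2024 10:15:40 +0000
Received: from [192.168.1.50] (unknown [192.168.1.50])
    by relay.mailer-fast.example with ESMTPA; Tue, 5 Mar 2024 10:15:38 +0000
Authentication-Results: mail.victim-corp.example;
    spf=pass (sender IP is 198.51.100.25) smtp.mailfrom=mailer-fast.example;
    dkim=none;
    dmarc=fail (p=reject) header.from=victim-corp.example
From: "CEO" <ceo@victim-corp.example>
Reply-To: ceo.victim@webmail-free.example
To: finance@victim-corp.example
Subject: Urgent wire transfer
Message-ID: <20240305101538.4821@relay.mailer-fast.example>
Date: Tue, 5 Mar 2024 10:15:38 +0000
"""

IP_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})")
# Ranges that never identify an Internet subscriber: LAN, loopback, link-local.
UNTRACEABLE = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                "127.0.0.0/8", "169.254.0.0/16")]


def domain_of(header_value):
    """Domain part of an address header ('Name <a@b.example>' -> 'b.example')."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def received_chain(msg):
    """Received hops oldest-first, i.e. reading the header block bottom-up."""
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        text = " ".join(hdr.split())                  # unfold continuation lines
        from_part, _, rest = text.partition(" by ")
        ips = IP_RE.findall(from_part)
        hops.append({
            "from": re.sub(r"^from\s+", "", from_part),
            "by": rest.split()[0] if rest else "",
            "ip": ips[0] if ips else None,
            "time": text.rsplit(";", 1)[1].strip() if ";" in text else "",
        })
    return hops


def first_public_ip(hops):
    """First hop IP that is not from a LAN/loopback/link-local range."""
    for hop in hops:
        if hop["ip"] and not any(ipaddress.ip_address(hop["ip"]) in n
                                 for n in UNTRACEABLE):
            return hop["ip"]
    return None


def auth_results(msg):
    """'method=result' pairs from Authentication-Results (RFC 8601)."""
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = result.lower()
    return results


def analyse(raw_headers):
    """Return hops, authentication results, the IP to trace and spoofing indicators."""
    msg = message_from_string(raw_headers)
    hops = received_chain(msg)
    auth = auth_results(msg)
    from_dom = domain_of(msg["From"])
    findings = []
    for field in ("Reply-To", "Return-Path"):
        dom = domain_of(msg[field])
        if dom and dom != from_dom:
            findings.append(f"{field} domain {dom} differs from From domain {from_dom}")
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) in ("fail", "softfail", "permerror"):
            findings.append(f"{method} {auth[method]}")
    origin = first_public_ip(hops)
    entry = next((h for h in hops if h["ip"] == origin), None)
    if entry and from_dom and not entry["from"].split()[0].endswith(from_dom):
        findings.append(f"first public hop {entry['from'].split()[0]} is outside "
                        f"From domain {from_dom} (also true of legitimate third-party mailers)")
    return {"hops": hops, "auth": auth, "origin_ip": origin, "findings": findings}


if __name__ == "__main__":
    report = analyse(RAW_HEADERS)
    for i, hop in enumerate(report["hops"], 1):
        print(f"hop {i}: from {hop['from']} by {hop['by']} at {hop['time']}")
    print("IP to trace:", report["origin_ip"])
    print("authentication:", report["auth"])
    for finding in report["findings"]:
        print("!", finding)
```

On the constructed headers the bottommost hop is a private 192.168.1.50 address (the sender's client), so the IP to take to WHOIS and legal process is the relay at 198.51.100.25. SPF passes because the mailer's own domain authorised that relay, yet DMARC fails because that domain is not aligned with the "From" domain, which is the signal that matters. The script only reads what is in the header block; the Authentication-Results and the lower "Received" lines still need to be corroborated with the receiving server's logs.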

Important Legal Consideration
Email headers can be partially forged. While the entries added by the recipient's own servers are reliable, earlier entries in the chain could be fabricated by the sender. Always corroborate header evidence with server logs obtained through proper legal channels. Under Indian law, electronic evidence must comply with Section 65B of the Indian Evidence Act (now Section 63 of the Bharatiya Sakshya Adhiniyam, BSA 2023) for admissibility.

Practical Tool: Email Header Analyzer

Email Header Analyzer Tool

Use our built-in tool to analyze email headers. Simply paste the full email headers and the tool will parse and visualize the email's path, highlight suspicious elements, and identify originating IP addresses.


How to Extract Email Headers

Gmail

Open email > Click three dots menu > "Show original" - displays full headers and raw message

Outlook

Desktop Outlook: Open email > File > Properties > the "Internet headers" box contains the full headers. Outlook on the web: Open email > More actions (...) > View > "View message source"

Yahoo Mail

Open email > More actions > "View raw message" displays complete headers


Tracing Email Origin

Once you have identified the originating IP address from email headers, the next step is to trace it to identify the sender:

1

WHOIS Lookup

Identify the ISP or organisation to which the IP address is allocated, using the WHOIS service of the relevant regional registry (APNIC for most Indian allocations). This tells you which entity to approach for subscriber information. Remember that an IP belonging to a hosting provider, VPN or proxy service identifies that service, not the end user, and may require a further request.

2

Geolocation

Determine the approximate geographic location of the IP. Note that this shows the location of the server, exit point or carrier gateway, not necessarily the user's physical location; VPNs, proxies and mobile carrier-grade NAT make it coarse at best, and it is a lead rather than evidence.

3

Legal Process

Draft and send legal requests (a Section 91 CrPC notice, now Section 94 BNSS 2023, or a court order) to the ISP for subscriber details associated with the IP at the specific timestamp. Quote the timestamp exactly as it appears in the "Received" header, including its timezone offset, or convert it to UTC and say so; with carrier-grade NAT the ISP will also need the source port if the header records one.

4

Email Provider Request

Request account information from the email service provider. Major providers have Law Enforcement Request portals for official investigations.

Key Takeaways

  • Always read "Received" headers from bottom to top to trace the email path, and trust only the entries added by the recipient's own servers
  • X-Originating-IP, where present, and the first public IP in the bottommost "Received" headers are the most valuable leads for identifying the sender
  • Authentication results (SPF, DKIM, DMARC) help detect spoofing; a DMARC result is the one aligned with the "From" domain
  • Headers can be partially forged - corroborate with server logs
  • Preserve the original email (full headers and raw message) with documented hash values for court
  • Legal process is required to obtain subscriber information from ISPs and email providers