Introduction
Email remains one of the most important communication channels and is frequently involved in digital investigations. Email forensics involves examining email content, headers, attachments, and metadata to establish facts about communications, identify senders, and detect spoofing or tampering.
Learn to analyze email headers to trace message origins, examine PST/OST files from Outlook, detect email spoofing, understand email authentication protocols (SPF, DKIM, DMARC), and investigate webmail artifacts.
Email Architecture Basics
Understanding how email works is essential for forensic analysis. Email travels through multiple servers, and each one prepends its own "Received:" header; that chain of headers is the audit trail that header analysis relies on.
Email Protocol Overview
SMTP
Simple Mail Transfer Protocol - transfers email from the client to its submission server and between servers. Port 25 for server-to-server relay; 587 (STARTTLS) or 465 (implicit TLS) for client submission.
POP3
Post Office Protocol - downloads email to the client and typically removes it from the server. Port 110 (or 995 for POP3 over TLS).
IMAP
Internet Message Access Protocol - syncs email with the server and keeps it there. Port 143 (or 993 for IMAP over TLS).
Webmail
Browser-based email access via HTTPS. Gmail, Outlook.com, Yahoo Mail are common providers.
Email Journey
# Email transmission path
1. Sender's Email Client (Outlook, Gmail, etc.)
|
2. Sender's Mail Server (smtp.sender.com)
|-- DNS lookup for recipient's MX record
|
3. Intermediate Relay (optional, may be multiple)
|
4. Recipient's Mail Server (mx.recipient.com)
|
5. Recipient's Email Client (via POP3/IMAP/Webmail)
# Each server prepends its own "Received:" header, so the topmost one is the last hop
# Read them bottom-to-top to trace the path; only hops written by servers you control can be vouched for
Email Header Analysis
Email headers contain crucial forensic information about the message's origin, path, and authenticity. Headers are added by each server that handles the email.
Key Email Headers
| Header | Purpose | Forensic Value |
|---|---|---|
| Received: | One line prepended by each server that handled the message | Trace the path hop by hop; the connecting IP recorded by a server you control is the most reliable origin evidence |
| From: | Displayed sender address | Freely chosen by the sender; verify against Return-Path, the DKIM d= domain and the Received chain |
| Return-Path: | Envelope sender (SMTP MAIL FROM) as recorded by the final receiving server | The address SPF is evaluated against; also sender-chosen, and legitimately differs from From: for mailing lists and bulk senders |
| Message-ID: | Unique identifier assigned by the originating system | Link related emails, detect duplicates, compare its domain with the From: domain |
| Date: | When the sending client says the message was composed | Set by the sender and easily forged; compare with Received timestamps |
| X-Originating-IP: | Client IP inserted by some webmail and submission servers | Non-standard and provider-dependent; trustworthy only when a server you control added it |
| Authentication-Results: | SPF/DKIM/DMARC verdicts recorded by the receiving server | Verify sender authentication; trust only the instance written by your own server, since a sender can pre-insert a fake one |
Sample Email Header Analysis
Read from bottom to top: the bottommost "Received:" header is the first hop and the topmost is the server that finally delivered the message. For a message that took the path described here, the chain reads:
1. The email originated from IP 198.51.100.25 (the sender's device)
2. It was submitted to mail.sender.com
3. mail.sender.com relayed it to mx2.recipient.com
4. mx2.recipient.com forwarded it to mx1.recipient.com, which delivered it
Only the "Received:" headers written by servers you control (here the recipient's MX hosts) can be vouched for. Everything below them, including the first hop that names 198.51.100.25, was written by the sending side, and a spoofer can insert fabricated "Received:" lines there. An X-Originating-IP header is consistent with that origin only if a trusted server added it; it is not independent confirmation.
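The trace above, as an added worked example (not code from the original page): a constructed message whose three Received: headers follow the same path is parsed bottom-to-top, each hop is timestamped, and the hops written by the recipient's own MX hosts (an assumed trusted set) are separated from those the sending side supplied. The hostnames, IPs and message ids are made up for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (not from the original page). Its Received: chain follows
# 198.51.100.25 -> mail.sender.com -> mx2.recipient.com -> mx1.recipient.com;
# the newest hop sits on top, as delivered mail does.
SAMPLE = """\
Received: from mx2.recipient.com (mx2.recipient.com [203.0.113.20])
 by mx1.recipient.com with ESMTPS id abc123;
 Mon, 15 Jan 2024 10:31:12 +0000
Received: from mail.sender.com (mail.sender.com [192.0.2.10])
 by mx2.recipient.com with ESMTPS id def456;
 Mon, 15 Jan 2024 10:31:05 +0000
Received: from [198.51.100.25] (unknown [198.51.100.25])
 by mail.sender.com with ESMTPSA id ghi789;
 Mon, 15 Jan 2024 10:30:58 +0000
From: Alice <alice@sender.com>
To: bob@recipient.com
Subject: Quarterly report
Date: Mon, 15 Jan 2024 10:30:55 +0000
Message-ID: <20240115103055.1234@sender.com>

Please find the report attached.
"""

# Servers the investigator controls (assumption: the recipient's own MX hosts).
# Only Received: lines written by these hosts are trustworthy; anything below
# the lowest trusted hop came from the sending side and may be forged.
TRUSTED = {"mx1.recipient.com", "mx2.recipient.com"}

HOP_RE = re.compile(
    r"from\s+(?P<from>\S+)(?:\s+\((?P<paren>[^)]*)\))?\s+by\s+(?P<by>\S+)",
    re.IGNORECASE,
)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_hop(value, trusted):
    """Parse one Received: header into from/by/ip/time plus a trust flag."""
    value = " ".join(value.split())              # unfold continuation lines
    body, _, date_str = value.rpartition(";")    # timestamp follows the last ';'
    m = HOP_RE.search(body)
    if not m:
        return {"from": None, "ip": None, "by": None, "time": None, "verified": False}
    ip = IP_RE.search(m.group("paren") or m.group("from"))
    by = m.group("by").lower()
    return {
        "from": m.group("from").strip("[]"),
        "ip": ip.group(1) if ip else None,
        "by": by,
        "time": parsedate_to_datetime(date_str.strip()) if date_str.strip() else None,
        "verified": by in trusted,
    }


def trace(raw, trusted=TRUSTED):
    """Return the hops in chronological order (bottom Received: header first)."""
    msg = message_from_string(raw)
    return [parse_hop(v, trusted) for v in reversed(msg.get_all("Received") or [])]


def last_verifiable_ip(hops):
    """IP of the peer that connected to the first trusted server: the earliest
    point in the path an investigator can actually vouch for."""
    for hop in hops:
        if hop["verified"]:
            return hop["ip"]
    return None


if __name__ == "__main__":
    hops = trace(SAMPLE)
    for n, hop in enumerate(hops, 1):
        tag = "verified" if hop["verified"] else "CLAIMED by sender side"
        print(f"{n}. {hop['from']} [{hop['ip']}] -> {hop['by']} at {hop['time']} ({tag})")
    print("last verifiable IP:", last_verifiable_ip(hops))
    print("elapsed across hops:", hops[-1]["time"] - hops[0]["time"])
```

The first hop (198.51.100.25 into mail.sender.com) comes back as claimed rather than verified: mail.sender.com is not in the trusted set, so its Received: line is exactly what a spoofer could have written. The last verifiable IP is 192.0.2.10, the address mx2.recipient.com actually saw connecting.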
Email Spoofing Detection
Email spoofing is the creation of emails with a forged sender address. Understanding authentication mechanisms helps detect spoofed emails.
Email Authentication Protocols
SPF (Sender Policy Framework)
A DNS TXT record listing the servers allowed to send mail for a domain. The receiver checks the connecting server's IP against the record for the envelope sender domain (Return-Path / SMTP MAIL FROM), not the From: header the user sees, so SPF alone does not stop an attacker who uses their own envelope domain with a forged From:.
DKIM (DomainKeys Identified Mail)
A signature in the DKIM-Signature header covering the body and selected headers (From: included), made with the signing domain's (d=) private key and verified with the public key published at selector._domainkey.<domain> in DNS. A valid signature proves those parts were not altered after signing and that the d= domain vouches for the message; it does not by itself prove that d= matches the From: domain.
DMARC
A policy published at _dmarc.<domain> that ties SPF and DKIM to the From: header: the message passes only if SPF or DKIM passed and the passing domain aligns with the From: domain. The policy tag (p=none, quarantine or reject) tells receivers what to do on failure, and rua/ruf tags request aggregate and forensic reports.
Spoofing Indicators
- SPF fail: the sending server is not authorized for the envelope sender domain
- DKIM fail or none: the signature is invalid, or there is no signature at all
- DMARC fail: neither SPF nor DKIM passed for a domain aligned with From:
- From/Return-Path mismatch: the displayed address differs from the envelope sender (legitimate for mailing lists and bulk senders, so weigh it together with the authentication results)
- Suspicious Received headers: the path does not match the claimed origin, or extra hops appear below the first trusted server
- Date inconsistencies: the Date header is far from the Received timestamps
- Message-ID domain mismatch: the ID's domain differs from the From domain
Tricks that pass SPF, DKIM and DMARC, because the attacker sends from a domain they control:
- Display name spoofing: "Real Person <attacker@fake.com>", or a display name that itself looks like an email address
- Lookalike domains: john@sendor.com (instead of sender.com)
- Reply-To manipulation: From looks legitimate but replies go to the attacker's address
- Unicode tricks: visually similar characters in the domain name (homoglyphs), visible as xn-- punycode in the raw header
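An added worked example (not from the original page) that runs the indicators above, and the DMARC alignment rule from the previous section, over two constructed messages: one suspect (SPF failure on an unrelated envelope domain, no DKIM, a lookalike Reply-To, a foreign Message-ID and a Date hours off) and one clean counterpart. The domains, addresses and ids are invented, the list of known-good correspondent domains is an assumption the investigator supplies, and the one-hour Date tolerance is an arbitrary threshold.

```python
import re
from datetime import timedelta
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Domains the investigator treats as legitimate correspondents (assumption).
KNOWN_DOMAINS = {"sender.com", "recipient.com"}

# Constructed suspect message (not from the original page).
SUSPECT = """\
Received: from relay.bulk-mailer.example (relay.bulk-mailer.example [192.0.2.77])
 by mx1.recipient.com with ESMTP id q1w2e3;
 Mon, 15 Jan 2024 10:31:12 +0000
Authentication-Results: mx1.recipient.com;
 spf=fail smtp.mailfrom=bulk-mailer.example;
 dkim=none;
 dmarc=fail header.from=sender.com
Return-Path: <bounce@bulk-mailer.example>
From: "Alice Sender" <alice@sender.com>
Reply-To: Alice Sender <alice@sendor.com>
Date: Mon, 15 Jan 2024 02:00:00 +0000
Message-ID: <q1w2e3@bulk-mailer.example>
"""
# Constructed clean counterpart: authenticated and aligned, so nothing fires.
CLEAN = """\
Received: from mail.sender.com (mail.sender.com [192.0.2.10])
 by mx1.recipient.com with ESMTPS id a1b2c3;
 Mon, 15 Jan 2024 10:31:05 +0000
Authentication-Results: mx1.recipient.com;
 spf=pass smtp.mailfrom=sender.com;
 dkim=pass header.d=sender.com;
 dmarc=pass header.from=sender.com
Return-Path: <alice@sender.com>
From: Alice <alice@sender.com>
Date: Mon, 15 Jan 2024 10:30:55 +0000
Message-ID: <20240115103055.1234@sender.com>
"""

def domain_of(header_value):
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def aligned(domain, from_domain):
    """Relaxed DMARC alignment: the same domain or a subdomain of it."""
    return bool(domain) and (domain == from_domain or domain.endswith("." + from_domain))

def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def indicators(raw, known=KNOWN_DOMAINS, max_skew=timedelta(hours=1)):
    """Return the list of spoofing indicators found in the raw headers."""
    msg = message_from_string(raw)
    found = []
    from_dom = domain_of(msg.get("From"))
    # Verdicts from the receiving server's own Authentication-Results header.
    auth = " ".join((msg.get("Authentication-Results") or "").split())
    verdict = {k.lower(): v.lower() for k, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth, re.I)}
    for mech in ("spf", "dkim", "dmarc"):
        if verdict.get(mech) != "pass":
            found.append(f"{mech} {verdict.get(mech, 'missing')}")
    # DMARC's real test: does a passing identifier align with the From: domain?
    spf_dom = re.search(r"smtp\.mailfrom=([\w.@-]+)", auth)
    dkim_dom = re.search(r"header\.d=([\w.-]+)", auth)
    spf_ok = verdict.get("spf") == "pass" and aligned(spf_dom.group(1).rpartition("@")[2] if spf_dom else "", from_dom)
    dkim_ok = verdict.get("dkim") == "pass" and aligned(dkim_dom.group(1) if dkim_dom else "", from_dom)
    if not (spf_ok or dkim_ok):
        found.append(f"no authenticated identifier aligns with From domain {from_dom}")
    # Header-to-header consistency.
    reply_dom = domain_of(msg.get("Reply-To"))
    mid_dom = (msg.get("Message-ID") or "").strip("<> ").rpartition("@")[2].lower()
    for label, dom in (("return-path", domain_of(msg.get("Return-Path"))),
                       ("reply-to", reply_dom), ("message-id", mid_dom)):
        if dom and dom != from_dom:
            found.append(f"{label} domain {dom} differs from From domain {from_dom}")
    embedded = re.search(r"[\w.+-]+@([\w.-]+)", parseaddr(msg.get("From") or "")[0])
    if embedded and embedded.group(1).lower() != from_dom:
        found.append(f"display name carries an address at {embedded.group(1)}")
    # Lookalike and homoglyph domains on the addresses a reader would act on.
    for label, dom in (("from", from_dom), ("reply-to", reply_dom)):
        if dom and not dom.isascii():
            found.append(f"{label} domain {dom} contains non-ASCII characters")
        for good in known:
            if dom and dom != good and edit_distance(dom, good) <= 1:
                found.append(f"{label} domain {dom} is a lookalike of {good}")
    # Date: against the earliest (bottom) Received: timestamp.
    received = msg.get_all("Received") or []
    if received and msg.get("Date"):
        first = " ".join(received[-1].split()).rpartition(";")[2].strip()
        skew = parsedate_to_datetime(first) - parsedate_to_datetime(msg["Date"])
        if abs(skew) > max_skew:
            found.append(f"date header is {skew} away from the first Received timestamp")
    return found

if __name__ == "__main__":
    for line in indicators(SUSPECT):
        print("SUSPECT:", line)
    print("CLEAN:", indicators(CLEAN) or "no indicators")
```

Note that the alignment check is what separates a real DMARC evaluation from simply reading spf=pass: a passing SPF result for bulk-mailer.example says nothing about alice@sender.com. The lookalike test only catches single-character edits against domains you already know; homoglyph attacks show up through the non-ASCII check instead.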
PST/OST File Analysis
Microsoft Outlook stores email data in PST (Personal Storage Table) and OST (Offline Storage Table) files. These are rich sources of forensic evidence.
PST vs OST
| Feature | PST | OST |
|---|---|---|
| Purpose | Personal store: archive, backup, or the live mailbox for non-Exchange accounts | Offline cache of a server-side mailbox, kept in sync with the server |
| Account Type | Any (POP3, IMAP, standalone) | Exchange / Microsoft 365 (and IMAP accounts in Outlook 2013 and later) |
| Portability | Can be moved, copied and opened in any Outlook | Bound to the profile and mailbox it was created for; Outlook will not open it elsewhere, but forensic parsers such as libpff read it directly |
| Default Location | C:\Users\[user]\Documents\Outlook Files\ | C:\Users\[user]\AppData\Local\Microsoft\Outlook\ |
PST/OST File Locations
# Windows PST/OST Locations
# Windows 10/11
C:\Users\[username]\Documents\Outlook Files\
C:\Users\[username]\AppData\Local\Microsoft\Outlook\
# Windows XP (Outlook 2007 and earlier)
C:\Documents and Settings\[username]\Local Settings\Application Data\Microsoft\Outlook\
# Common file names
Outlook.pst # Default PST file
Archive.pst # Archived items
[email]@domain.ost # Exchange offline cache
PST Analysis Contents
- Emails: All messages, including ones the user deleted; hard-deleted items often remain in the file's free space until Outlook compacts it, and can be recovered by parsers such as libpff
- Attachments: Files attached to emails
- Calendar: Appointments, meetings, events
- Contacts: Address book entries
- Tasks: To-do items and reminders
- Notes: Outlook notes
- Deleted Items: Items not yet purged
PST Analysis Tools
pffexport (libpff)
Open-source command-line tool from the libpff project that extracts PST and OST contents (messages, attachments, calendar items) into a folder tree; its recovered-items export mode (-m recovered) also carves deleted items that have not yet been overwritten.
Kernel PST Viewer
Free viewer for PST files without Outlook installation.
Autopsy
Email parser module for PST/MBOX analysis.
Aid4Mail
Commercial tool for comprehensive email forensics.
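Before handing a mailbox store to any of the tools above, inventory and hash every PST/OST found in the locations listed earlier. The following is an added example, not from the original page or from libpff: it walks the candidate folders, streams a SHA-256 of each store and reads the shared PST/OST header (the "!BDN" signature, a two-byte content type of "SM" for PST or "SO" for OST, and the format version at offset 10: 14/15 ANSI, 23 Unicode, 36 Unicode with 4 KiB pages from Outlook 2013 onward). The demo writes constructed header-only files into a temporary folder; they are not real mailboxes.

```python
import hashlib
import struct
import tempfile
from pathlib import Path

# First 12 bytes shared by PST and OST files: "!BDN" signature, 4-byte CRC,
# 2-byte content type, 2-byte little-endian format version.
SIGNATURE = b"!BDN"
CONTENT_TYPE = {b"SM": "PST", b"SO": "OST"}
FORMAT_VERSION = {
    14: "ANSI (32-bit)", 15: "ANSI (32-bit)",
    23: "Unicode (64-bit)",
    36: "Unicode (64-bit, 4 KiB pages, Outlook 2013 and later)",
}


def identify(header):
    """Classify a store from its first 12 bytes; None fields if not PST/OST."""
    if len(header) < 12 or header[:4] != SIGNATURE:
        return {"store": None, "format": None}
    wver = struct.unpack_from("<H", header, 10)[0]
    return {
        "store": CONTENT_TYPE.get(header[8:10], "unknown"),
        "format": FORMAT_VERSION.get(wver, f"unknown (wVer={wver})"),
    }


def sha256_file(path, chunk=1 << 20):
    """Stream the hash; mailbox stores are routinely several GB."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory(roots, patterns=("*.pst", "*.ost")):
    """Walk candidate folders, hash every store and record its format."""
    rows = []
    for root in map(Path, roots):
        if not root.is_dir():
            continue
        for pattern in patterns:
            for path in sorted(root.rglob(pattern)):
                with path.open("rb") as f:
                    head = f.read(12)
                row = {"path": str(path), "size": path.stat().st_size,
                       "sha256": sha256_file(path)}
                row.update(identify(head))
                rows.append(row)
    return rows


def write_sample(path, content_type, wver):
    """Constructed header-only file for the demo; not a usable mailbox."""
    header = SIGNATURE + b"\x00" * 4 + content_type + struct.pack("<H", wver)
    Path(path).write_bytes(header.ljust(512, b"\x00"))


def demo():
    """Inventory a temporary folder holding constructed sample stores."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample(root / "Outlook.pst", b"SM", 23)
        write_sample(root / "Archive.pst", b"SM", 14)
        write_sample(root / "alice@sender.com.ost", b"SO", 36)
        (root / "notes.pst").write_bytes(b"not a mailbox store at all")
        return inventory([root])


if __name__ == "__main__":
    for row in demo():
        print(row)
```

On a live system pass the real locations, for example the two Windows 10/11 folders above, as roots; record the output as the acquisition manifest and re-hash after extraction to show the source files were not modified. A file that carries the extension but fails the signature check is worth a second look rather than a discard: renamed stores and non-Outlook files both end up there.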
Webmail Forensics
Many users access email through web browsers. Webmail forensics involves analyzing browser artifacts and local caches.
Webmail Evidence Sources
- Browser history: URLs to webmail services (mail.google.com, outlook.com)
- Browser cache: Cached email content, images, attachments
- Cookies: Session tokens, authentication data
- IndexedDB: Local storage for offline webmail features
- Downloads: Attachments saved from webmail
- Autofill: Email addresses entered in forms
Gmail-Specific Artifacts
# Gmail stores data in Chrome IndexedDB
C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\
https_mail.google.com_0.indexeddb.leveldb\
# Gmail cache (images, attachments); newer Chrome builds keep the entries in a Cache_Data subfolder
C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Cache\
C:\Users\[user]\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\
# URL patterns in browser history
https://mail.google.com/mail/u/0/#inbox
https://mail.google.com/mail/u/0/#sent
https://mail.google.com/mail/u/0/?view=att&... # Attachment views
Webmail evidence is more fragmented than that of a local email client. Most of the data stays on the provider's servers and must be obtained through legal process (subpoenas, or MLAT requests for foreign providers). What survives locally depends on the browser's cache settings, on whether the provider's offline mode was enabled, and on whether the user signed out or cleared browsing data.
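An added example (not from the original page) of turning the browser-history source above into a webmail timeline. It queries a copy of Chrome's History database for the URL patterns listed, converts Chrome's timestamps (microseconds since 1601-01-01 UTC, not Unix time) and pulls the account and view out of each Gmail URL and page title. The database here is a constructed in-memory stand-in with only the columns used; the URLs, titles and visit times are invented, and the set of webmail hostnames is an assumption to extend per case.

```python
import re
import sqlite3
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Chrome and Edge store URL timestamps as microseconds since 1601-01-01 UTC.
WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def from_webkit(us):
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def to_webkit(dt):
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


# Hostnames treated as webmail front-ends (assumption; extend per case).
WEBMAIL_HOSTS = {"mail.google.com": "Gmail", "outlook.live.com": "Outlook.com",
                 "outlook.office.com": "Microsoft 365", "mail.yahoo.com": "Yahoo Mail"}
GMAIL_ACCOUNT_RE = re.compile(r"([\w.+-]+@[\w.-]+) - Gmail$")   # from the tab title
GMAIL_INDEX_RE = re.compile(r"/mail/u/(\d+)/")                  # signed-in account slot


def describe(url, title):
    """Turn one history row into provider / view / account for the timeline."""
    parts = urlparse(url)
    provider = WEBMAIL_HOSTS.get(parts.hostname or "")
    if provider is None:
        return None
    if "view=att" in parts.query:
        view = "attachment"
    elif parts.fragment:
        view = parts.fragment.split("/")[0]     # '#inbox', '#sent', '#search/...'
    else:
        view = parts.path.rstrip("/").rsplit("/", 1)[-1] or "other"
    acct = GMAIL_ACCOUNT_RE.search(title or "")
    idx = GMAIL_INDEX_RE.search(parts.path)
    return {"provider": provider, "view": view,
            "account": acct.group(1) if acct else None,
            "account_index": int(idx.group(1)) if idx else None}


def webmail_timeline(conn):
    """Query the urls table and return webmail visits in time order."""
    clauses = " OR ".join("url LIKE ?" for _ in WEBMAIL_HOSTS)
    params = tuple(f"https://{host}/%" for host in WEBMAIL_HOSTS)
    rows = conn.execute(
        f"SELECT url, title, visit_count, last_visit_time FROM urls WHERE {clauses}", params)
    timeline = []
    for url, title, visits, ts in rows:
        info = describe(url, title)
        if info:
            info.update(url=url, visits=visits, last_visit=from_webkit(ts).isoformat())
            timeline.append(info)
    return sorted(timeline, key=lambda r: r["last_visit"])


def build_sample_history():
    """Constructed in-memory stand-in for Chrome's History file (urls table only,
    columns reduced to those used here). A real History file is locked while the
    browser runs: copy it out first and open the copy."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE urls(id INTEGER PRIMARY KEY, url LONGVARCHAR, "
                 "title LONGVARCHAR, visit_count INTEGER, last_visit_time INTEGER)")
    t0 = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
    sample = [
        ("https://mail.google.com/mail/u/0/#inbox", "Inbox (3) - alice@gmail.com - Gmail", 12, t0),
        ("https://mail.google.com/mail/u/0/?ui=2&ik=9f3a&view=att&th=18d0c1&attid=0.1&disp=safe&zw",
         "report.pdf", 1, t0 + timedelta(minutes=2, seconds=10)),
        ("https://mail.google.com/mail/u/1/#sent", "Sent Mail - a.other@gmail.com - Gmail", 4,
         t0 + timedelta(minutes=5)),
        ("https://outlook.live.com/mail/0/inbox", "Mail - Alice - Outlook", 2, t0 + timedelta(hours=1)),
        ("https://example.com/", "Example Domain", 1, t0 - timedelta(days=1)),
    ]
    conn.executemany("INSERT INTO urls(url, title, visit_count, last_visit_time) VALUES (?,?,?,?)",
                     [(u, t, v, to_webkit(ts)) for u, t, v, ts in sample])
    return conn


if __name__ == "__main__":
    for row in webmail_timeline(build_sample_history()):
        print(row["last_visit"], row["provider"], row["view"], row["account"], row["url"])
```

The /u/N/ slot and the address in the tab title are what let you attribute a visit to a specific Google account when several are signed in; the attachment view URL gives you a timestamp to pair with the Downloads folder and the browser cache.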
Email Forensics in Indian Legal Context
Email evidence in Indian courts must be handled under Section 63 of the Bharatiya Sakshya Adhiniyam (BSA) 2023, which replaces Section 65B of the Indian Evidence Act.
Requirements for Email as Evidence
- Section 63 Certificate: Required for electronic records including emails
- Complete Headers: Full email headers must be preserved, not just visible fields
- Hash Verification: Email files should be hashed for integrity
- Chain of Custody: Document how email evidence was acquired and handled
- Server Logs: May require requesting logs from email providers
For providers with Indian offices (Google/Gmail, Yahoo), data requests can be made to those offices directly. For data held by providers abroad, requests typically go through the Ministry of Home Affairs (MHA) under MLAT treaties. Document IP geolocation to support a finding about whether the sender was within Indian jurisdiction.
- Email headers contain routing information: read Received headers bottom-to-top to trace the origin, and trust only the hops written by servers you control
- SPF, DKIM and DMARC authenticate legitimate senders; failures indicate possible spoofing, while passes do not rule out lookalike domains or display-name tricks
- PST/OST files store complete Outlook mailboxes including deleted items
- Webmail artifacts exist in browser cache, IndexedDB, and history
- An X-Originating-IP header, when a trusted server inserted it, reveals the client IP behind a webmail session
- Email evidence requires Section 63 BSA certificate for Indian court admissibility