Digital forensics

Email analysis

January 26, 2021 by Srinivas

In this article, we will explore the fundamental concepts associated with email that will help us perform email analysis. We will begin by understanding the email structure and then discuss how a malicious email can be analyzed using its headers.


Email structure

An email consists of two parts: the header and the body. The body carries the message itself, while the header contains metadata such as where the message originated, when it was delivered and the destination address.

Let us open a sample email received in Gmail and explore the structure, function and details of the message. The following steps show how one can access the raw email from the Gmail inbox.

  1. Open your Gmail and click on the email you want to see the header for.
  2. Search for the reply button, click the vertical three-dotted button on the right, and choose Show Original.
  3. We will be shown an overview of the information followed by the whole email header. Additionally, we also have options to download the email in .eml (email message) format and copy to clipboard.

Note that the example uses Gmail, but all email providers offer an option to view the original email.

Following is an example of a full email obtained using the steps shown earlier.

Delivered-To: testreceiver@gmail.com
Received: by 2002:a6b:6e0e:0:0:0:0:0 with SMTP id d14csp498317ioh; Thu, 7 Jan 2021 05:51:24 -0800 (PST)
X-Google-Smtp-Source: ABdhPJyokf5vmVYdUS3s59vBK+OD81zHJwXWphnPlwgnUw9yZPBVulZC5Ln+h/+j5oABJq5Un9ys
X-Received: by 2002:a7b:c3c8:: with SMTP id t8mr8031087wmj.88.1610027483942; Thu, 07 Jan 2021 05:51:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1610027483; cv=none; d=google.com; s=arc-20160816;
        b=Z+oDS4qDPbduRFH7zMMw2iEjUivx9NQvPV0qXiLrDKB/pCD3E13hkAzejFOmZgQVuPjioA3i8Wjj/ylvmGbWNJCpAeqgss10hl/j/ZlWsuoxK7V5kNCn68AKELWD8mRlIa2Z4JXzfHZjmAbOoZYBaBVRo48YmVdG+DGb9+7N7/BMFRY7g/8rOiIFBg2JFW5luBdqYmxo+4PCQrPdHpBkMaLnz23cB70YXXBquDzLUR5x5V2YxkgSume30eRZAEUemClyDJcpiny/tSfTg7/bb89uGGHGuJwqwwTHJAE1t6hxMW9QFZztA/BOo/eTS8Bix6yvD21UeTlmV8N1OSLzzQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=date:message-id:reply-to:errors-to:importance:from:subject:to;
        bh=KLtYHwcLjVa1grAbuHke97eEVmp9W7z2hqB0QBnApjo=;
        b=ifR7Kj0VMVjejLH8PQwSvsMZrwvkuVj/tRW+PeYxHk6ZMYyKF/dLCIhQGhw9+1uk3UpliD2cayMcYmOLx5oXvy0NhPlBYgcBZZrha+MpRn7/bSNgEwQ+kAqTcisPXKTOPEM0nPq3fioyvQSHCCiDnGKND5fmUUUvxAseONceyFYwTXj6EH1gA0PNA3xIqn6EkxS+/Z/SiptYYAVzLhsEmNUPpAPrW1Grwa5/c+XGXDg0/bDNvb77JBiTtMNdjNsv3x5SM9MjfmRRICXL+HqwgXRukRHMWPka910LHZrLJIrF0z7jZ2GnuyX1QwbvsQYzBevKOQ5qxmy4fFWpy/cU/A==
ARC-Authentication-Results: i=1; mx.google.com; spf=neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) smtp.mailfrom=applesupport@apple-support.com
Return-Path: <applesupport@apple-support.com>
Received: from localhost (emkei.cz. [93.99.104.210]) by mx.google.com with ESMTPS id s16si4599819wrv.383.2021.01.07.05.51.23 for <testreceiver@gmail.com> (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Thu, 07 Jan 2021 05:51:23 -0800 (PST)
Received-SPF: neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) client-ip=93.99.104.210;
Authentication-Results: mx.google.com; spf=neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) smtp.mailfrom=applesupport@apple-support.com
Received: by localhost (Postfix, from userid 33) id 8D7DA220AD; Thu,  7 Jan 2021 08:51:23 -0500 (EST)
To: testreceiver@gmail.com
Subject: You won an iPhone
From: Apple Support <applesupport@apple-support.com>
X-Priority: 3 (Normal)
Importance: Normal
Errors-To: applesupport@apple-support.com
Reply-To: applesupport@apple-support.com
Content-Type: text/plain; charset=utf-8
Message-Id: <20210107135123.8D7DA220AD@localhost>
Date: Thu,  7 Jan 2021 08:51:23 -0500 (EST)

Hello,

You won a new iPhone. Click the link to claim it.

Best Regards,

Apple Support

Breaking down an email

For better readability, the content in the preceding excerpt is slightly reformatted. The primary objective of this article is to understand what the various headers in an email mean and how one can use this knowledge to determine whether an email is malicious.

Let us first go through some of the important headers to understand what they represent. It is best to read message headers from bottom to top, because each server adds its headers above the existing ones, so the lowest Received header is the earliest hop and tells you where the email originated.

  • X-Priority: X-Priority is an optional header used to specify the priority of the email. Values can be 1 (Highest), 2 (High), 3 (Normal), 4 (Low) or 5 (Lowest). Three is the default if the field is omitted. Most email programs don't fill it in unless the priority is set to low or high. Client-side programs will highlight the inbound message (!) if it is 1 or 2.
  • Content-Type: This header specifies the type of content in the email. The preceding email is plain text.
  • Reply-To: This header specifies the address to which a reply is sent when the receiver replies to the email. It need not match the From address.
  • Message-Id: The Message-Id is a unique identifier that can be used to identify the message. Here it ends in @localhost, which matches the Postfix hop in the last Received header.
  • From: This header displays the name or email address the message claims to be sent from. Note that spoofed emails typically forge this header to appear to have come from a known source, since it is set by the sender and not verified by the receiving server.
  • Received: This header records, for each hop, the server the message was received from and the server that received it. There can be multiple entries of this header as the email traverses multiple servers, with the newest added at the top.
  • Received-SPF: This header records the Sender Policy Framework (SPF) result, which tells whether the connecting IP is a permitted sender for the envelope sender's domain. Here the result is neutral, meaning the domain publishes no usable policy for this IP.
  • Delivered-To: This header represents the destination email address that the email is delivered to.

In addition to the headers discussed so far, we can see three additional headers as shown below.

  • ARC-Seal 
  • ARC-Message-Signature
  • ARC-Authentication-Results

The ARC (Authenticated Received Chain) headers help preserve email authentication results and verify the identity of the email intermediaries that forward a message on to its final destination, so that a later hop can see what SPF, DKIM and DMARC results looked like before forwarding changed the message.

  • ARC-Authentication-Results: This header contains the email authentication results (SPF, DKIM and DMARC) as seen by the intermediary that added it. In the sample it repeats the spf=neutral verdict.
  • ARC-Message-Signature: This is a DKIM-like signature that takes a snapshot of the message header information, including the To, From and Subject headers and the body. The h= tag lists exactly which headers were signed and bh= is the body hash.
  • ARC-Seal: This header contains a signature over the ARC-Message-Signature and ARC-Authentication-Results headers of the same instance (i=1 here), sealing that set against later modification.


Common email protocols

SMTP, POP3 and IMAP are the most popular email protocols in use. Each of them serves a different purpose.

  • SMTP stands for Simple Mail Transfer Protocol. It is the standard protocol for sending emails across the Internet. Port 25 is the default SMTP port, and it does not use any encryption by default. Each SMTP server that relays a message adds a Received header, which is what makes the hop-by-hop analysis above possible.
  • POP3 stands for Post Office Protocol version 3. It is a standard mail protocol used to retrieve emails from a remote server to a local email client. POP3 downloads messages onto the local client, so they can be read even when we are offline.
  • IMAP stands for Internet Message Access Protocol. It is another popular protocol used for retrieving emails from a remote server to a local email client. The main advantage of IMAP is that it allows simultaneous access by multiple clients, whereas POP3 assumes that your mailbox is accessed from only one application.

Analyzing a spoofed email

In this section, let us go through the headers of the email shown earlier, which was extracted from a Gmail account.


As we can see in From: Apple Support <applesupport@apple-support.com>, the email claims to have originated from Apple Support. However, the earliest external Received header shows that the email actually originated from emkei.cz, a publicly available fake-email service, connecting from 93.99.104.210 and announcing itself as localhost. The relevant header is shown below.

Received: from localhost (emkei.cz. [93.99.104.210]) by mx.google.com with ESMTPS id s16si4599819wrv.383.2021.01.07.05.51.23 for <testreceiver@gmail.com> (version=TLS1_2 cipher=ECDHE-ECDSA-CHACHA20-POLY1305 bits=256/256); Thu, 07 Jan 2021 05:51:23 -0800 (PST)

Even though the email claims to have originated from Apple Support, the Received header confirms that it originated from emkei.cz. The spf=neutral result in Received-SPF is consistent with this: the sending IP is not authorized by any SPF policy for apple-support.com, and a legitimate sender would normally produce spf=pass.
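To apply the bottom-to-top reading of the Received headers mechanically, here is an added Python example (not from the original article) that parses the spoofed message, walks its Received chain oldest-first and reports the mismatch between the From: domain, the first hop's reverse DNS (emkei.cz) and the SPF verdict. The sample message is constructed from the headers shown on this page with the ARC blobs and X-* headers omitted, and the Received regex is a deliberate simplification of the real header syntax.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample: the spoofed message from this page, reduced to the headers
# that matter for origin tracing (ARC signature blobs and X-* headers omitted).
RAW_EMAIL = """\
Received: by 2002:a6b:6e0e:0:0:0:0:0 with SMTP id d14csp498317ioh; Thu, 7 Jan 2021 05:51:24 -0800 (PST)
Return-Path: <applesupport@apple-support.com>
Received: from localhost (emkei.cz. [93.99.104.210]) by mx.google.com with ESMTPS id s16si4599819wrv.383.2021.01.07.05.51.23 for <testreceiver@gmail.com>; Thu, 07 Jan 2021 05:51:23 -0800 (PST)
Received-SPF: neutral (google.com: 93.99.104.210 is neither permitted nor denied by best guess record for domain of applesupport@apple-support.com) client-ip=93.99.104.210;
Received: by localhost (Postfix, from userid 33) id 8D7DA220AD; Thu,  7 Jan 2021 08:51:23 -0500 (EST)
To: testreceiver@gmail.com
Subject: You won an iPhone
From: Apple Support <applesupport@apple-support.com>

You won a new iPhone. Click the link to claim it.
"""

# Simplified "Received: from <helo> (<reverse-dns> [<ip>]) by <server>" clause;
# Received headers without a "from ... by" part (internal hand-offs) are skipped.
RECEIVED_RE = re.compile(
    r"from\s+(\S+)\s*(?:\(([^\s\[\]]+)?\s*\[([\d.]+)\]\))?\s+by\s+(\S+)", re.I)

def trace_hops(raw):
    """Return hops oldest-first as (helo_name, reverse_dns, ip, receiving_server)."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):  # bottom header = first hop
        m = RECEIVED_RE.search(hdr)
        if m:
            hops.append((m.group(1), (m.group(2) or "").rstrip("."), m.group(3), m.group(4)))
    return hops

def analyze(raw):
    """Compare the visible From: domain with the first hop and the SPF verdict."""
    msg = email.message_from_string(raw)
    from_domain = parseaddr(msg["From"])[1].rsplit("@", 1)[-1].lower()
    hops = trace_hops(raw)
    origin = hops[0] if hops else None
    spf = msg.get("Received-SPF", "").split(" ", 1)[0].lower()
    findings = []
    if origin and origin[1] and not origin[1].endswith(from_domain):
        findings.append(f"From: claims {from_domain} but first hop is {origin[1]} [{origin[2]}]")
    if spf and spf != "pass":
        findings.append(f"SPF result is '{spf}', not 'pass'")
    if origin and origin[0].lower() == "localhost":
        findings.append("Sender announced itself as 'localhost' to the receiving server")
    return {"from_domain": from_domain, "origin": origin, "spf": spf, "findings": findings}
```

Running analyze(RAW_EMAIL) on the sample yields three findings: the From domain does not match the first hop emkei.cz, SPF is neutral rather than pass, and the sender identified itself as localhost.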


Conclusion

As discussed in this article, understanding email headers is one of the most important aspects of analyzing emails. We have gone through the various email headers, the common protocols used for email and how spoofed emails can be analyzed by tracing the Received chain and checking the authentication results.



Srinivas

Srinivas is an Information Security professional with 4 years of industry experience in Web, Mobile and Infrastructure Penetration Testing. He is currently a security researcher at Infosec Institute Inc. He holds the Offensive Security Certified Professional (OSCP) certification. He blogs at www.androidpentesting.com. Email: srini0x00@gmail.com