Email is the most widely used form of communication for businesses and individuals today, and it is often exposed to illegitimate uses. If you are a forensic investigator, you will probably need to be able to determine whether an email has been falsified. This article explores a few basic methods for gathering and analyzing data in an email investigation and forensic analysis.
The first step in any email investigation is to identify all the potential sources of information. Email messages contain numerous metadata fields (MAPI properties) that can be useful for digital forensic analysis of emails. There are a few MAPI properties that are frequently extracted by computer forensics and e-Discovery software:
At the time a sender submits an e-mail, it is stamped with the date and time in the PR_CLIENT_SUBMIT_TIME property. When that e-mail reaches the recipient's mailbox, Outlook/Exchange stamps the PR_MESSAGE_DELIVERY_TIME and PR_CREATION_TIME properties. If the e-mail remains unaltered, PR_LAST_MODIFICATION_TIME will match PR_CREATION_TIME. If these two properties do not match, the e-mail was modified by the user, as no other process updates this property.
Email can be sent in several formats, the most common being plain text, RTF and HTML. Both RTF and HTML formats use formatting codes. Using these formatting codes, we did a low-level analysis of the body text.
The email conversation index property indicates the relative position of a message within a conversation thread and is typically populated by the e-mail client for each outgoing message. Information extracted from the conversation index property can help answer key questions such as:
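The timestamp rules from the paragraph on submit/delivery/creation/modification times and the conversation index position described above, as an added Python example (not code from the article). The sample property values and the conversation index bytes are constructed here; the index layout assumed is the 22-byte header (6-byte big-endian truncated FILETIME plus a 16-byte thread GUID) followed by one 5-byte block per reply, and the per-reply time deltas inside those blocks are deliberately not decoded.

```python
from datetime import datetime, timedelta, timezone

# MAPI PT_SYSTIME values are Windows FILETIMEs: 100-ns ticks since 1601-01-01 UTC.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    return _EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - _EPOCH) // timedelta(microseconds=1)) * 10

def check_timestamps(props: dict) -> list:
    """Apply the article's consistency rules to the four MAPI time properties.
    props maps property name -> FILETIME integer; returns a list of findings."""
    t = {name: filetime_to_datetime(ft) for name, ft in props.items()}
    findings = []
    if t["PR_LAST_MODIFICATION_TIME"] != t["PR_CREATION_TIME"]:
        findings.append("PR_LAST_MODIFICATION_TIME differs from PR_CREATION_TIME: "
                        "message edited after delivery")
    if t["PR_MESSAGE_DELIVERY_TIME"] < t["PR_CLIENT_SUBMIT_TIME"]:
        findings.append("delivered before submitted: clock skew or tampering")
    return findings

def parse_conversation_index(ci: bytes) -> dict:
    """Decode PR_CONVERSATION_INDEX: a 22-byte header (6-byte big-endian truncated
    FILETIME of the thread's first message + 16-byte conversation GUID) followed by
    one 5-byte block per reply level. The per-reply time deltas are not decoded."""
    if len(ci) < 22 or (len(ci) - 22) % 5:
        raise ValueError("malformed conversation index")
    # Header bytes are the high 48 bits of the FILETIME; the low 16 bits are dropped.
    origin_ft = int.from_bytes(ci[0:6], "big") << 16
    return {"thread_guid": ci[6:22].hex(),
            "thread_start": filetime_to_datetime(origin_ft),
            "reply_depth": (len(ci) - 22) // 5}   # 0 = first message in the thread

# --- constructed sample data (not taken from a real mailbox) ---------------------
SAMPLE_SUBMIT = datetime(2021, 3, 4, 12, 0, 0, tzinfo=timezone.utc)
_delivery = SAMPLE_SUBMIT + timedelta(seconds=5)
SAMPLE_PROPS = {
    "PR_CLIENT_SUBMIT_TIME": datetime_to_filetime(SAMPLE_SUBMIT),
    "PR_MESSAGE_DELIVERY_TIME": datetime_to_filetime(_delivery),
    "PR_CREATION_TIME": datetime_to_filetime(_delivery),
    "PR_LAST_MODIFICATION_TIME": datetime_to_filetime(_delivery + timedelta(days=2)),
}
SAMPLE_GUID = bytes(range(16))
# Index of a reply-to-a-reply: header + two 5-byte child blocks (contents arbitrary)
SAMPLE_INDEX = ((datetime_to_filetime(SAMPLE_SUBMIT) >> 16).to_bytes(6, "big")
                + SAMPLE_GUID + b"\x00\x12\x34\x50\x01" + b"\x00\x00\x56\x70\x02")

if __name__ == "__main__":
    print(check_timestamps(SAMPLE_PROPS))
    print(parse_conversation_index(SAMPLE_INDEX))
```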
Combined with additional evidence from the email server or internal email metadata, the information contained in the email MAPI properties can be very helpful in the forensic analysis of emails.