Email Forensics – An Art of Examining Email Evidence

Olivia Dehaviland | Last Modified: October 6th, 2017 | Updates

Generally, a bunch of Email forensics investigators engrosses themselves in the practice of analyzing and gathering data related to e-mail investigation.

Most organizations have precise e-mailing policies implemented. However, sometimes it is not enough to prevent the e-mail from being violated. This, in turn, gives rise to the need for proper monitoring and investigation of the emails which is best handled best by email forensics. This study of email messages helps to investigate suspected e-mail accounts to gather evidence for prosecuting a criminal in front of legal authorities.

Some forensicators favor reading emails from the bottom while some of them prefer to read them from the top down. However, the best thing to do is to just go through the header section, where all the crucial information is placed by the MUA (mail user agents). Any e-mail forensic expert’s first attempt is to use the metadata to understand what kind of activities took place in the e-mail(s). Unfortunately, metadata fields don’t always reveal the expected results, as they can be hidden, manipulated, or made inaccessible by the suspect. Criminals make an effort to purge/tamper the metadata, with the intention of covering their tracks.

A number of portions in an email, if investigated properly can ease the task of examining emails for investigators or technocrats to a large extent. These portions act like artifacts in a case as they hold potential evidences, a few of them are; the email header forensics, email metadata forensics, email spoofing forensics, the hexadecimal value of an email, email hop path, properties of an email, etc. Many tools are available online with advanced features to target such artifacts and make the procedure of evidence extraction easier.

What Benefits Do These Artifacts Hold?

  • If an investigator needs basic information of an email like at what time it was sent or received or the kind of content within for that purpose a normal view of the email would work, that describes the email content along with its properties and metadata cc, bcc & date-time information.
  • To ascertain if any email data or header information has been compromised with or manipulated by the suspect, its hexadecimal coding can be checked. This way the binary format of emails can be viewed and analyzed for an investigator to easily catch the changes as well as do the mapping of character from hex code.
  • With the advancement in the technology sector, additional types of information in email messages increase the workload for forensicators. Currently, most number of messages support MIME version, studying which may reveal a lot about the suspect email. Examining the header part of the email is the probable way to reach such information including; MIME version; message ID, content type, To, Bcc, From, Sender address, etc.
  • As each and every section of an email stores strong evidences, taking a look at the path followed by an email to reach a mailbox helps reveal directed gateways, router, and switches which helps in studying the entire path of an email from source to destination.

How Commercial Tools Help In Email Forensics?

Commercial utilities available for evidence analysis to be performed on emails increases forensicators chances of optimizing their study with facilities like; examination of different sections in an email, searching for a particular set of conversation, fetching the attachments, etc. In addition to that, as part of an investigation, a forensicator cannot skip following the basic stages of performing email forensics analysis which includes; documentation, analysis, reporting, etc.

Also, external tools offer evidence export facilities to fulfill the need of reporting the investigation in the form of evidences carved out in a case. Further, this exported output can also be used by an investigator to share copies of potential evidences with fellow investigators for a cross check and feedback on them.


Thus, commercial programs play a vital role in conducting email forensics examination in an organized and accurate manner. No matter how proficient an investigator is speed along with precision during an email examination can be attained using commercial tools only.