How to Conduct an Email Investigation?

There’s no doubt that emails have become one of the most common communication media. Although used for personal chats, they’re primarily deployed for business-related communications. From arranging internal meetings and pitching potential clients to maintaining relations with investors, everything is done through email.

But do you know about the downside? Well, cybercriminals use sensitive information for malicious activities. According to the FBI’s Internet Crime Complaint Center (IC3) 2020 annual report, 791,790 complaints of suspected internet crime were recorded. Phishing scams, nonpayment/nondelivery scams, and extortion were the top three cybercrimes.

When a cyber incident occurs, companies must conduct an email investigation to identify the cause and take the required actions. It’s just as crucial to monitor the website activity of your employees. EasyDMARC’s phishing URL checker  is a quick and easy way to detect phishing and malicious websites.

Goals of Email Investigation

Before understanding how to investigate a phishing mail, you should know that email investigation is a branch of digital forensic science. It combines techniques used to gather email-based criminal evidence.

The email investigation process locates the origin of a cybercrime by carefully discovering the history of the mail sent. This is consequently used for finding all the entities involved in the criminal activity. 

It’s worth noting that the latter doesn’t need to be of online origin. Sure, cybercrime like phishing and spoofing might need email investigation more, but let’s say, murders that have an email component might also need investigating.

Email investigators typically analyze the actual sender (not the one whose email address has been exploited by the phisher or scammer), the recipient, and dates and times.

How Do You Do an Email Investigation?

To conduct a successful email investigation you need to follow several steps and examine various components. We discuss all of them in this section.

Header Analysis

The header of an email contains important information that can help in an email investigation. A chunk of data is kept hidden from the user, and only the subject, date, and sender’s email address are made visible. Cybercriminals often forge this bit of information to appear genuine.

However, you can extract additional or hidden details with certain methods for different email applications. Once done, you’ll often find extensive information about the route an email took to reach your inbox. So, how do you do an email investigation on a personal level? You can start by observing hidden details like:

  • Whether the ‘from’ email ID and ‘return path’ email ID match.
  • Check if the ‘reply-to’ email ID is the same as the ‘from’ email ID.
  • If ‘X-distribution’ is bulky, it’s an indication of spam.
  • X-spam Score and X-Spam Flag help determine if it’s a spam email.

Cyber forensic experts use this information in their email investigations to track down culprits.

As per Google’s Threat Analysis Group (TAG), around 50,000 alerts were sent in 2021 to affected customers whenever it detected any sorts of cyberattacks, including email attacks.

Email Server Investigation

Forensic specialists deploy email server investigation techniques to trace the origins of an email. If the sender or receiver has deleted the email, then investigators look at the Internet Service Provider (ISP) or proxy servers to find a saved copy. A proxy server is an intermediate gateway between the end-user and the website domain.

Moreover, ISP and proxy servers can reveal information about the address of the sender’s device, which speeds up the email investigation process

During an email investigation, start inspecting the logs as early as possible. TheHypertext Transfer Protocol (HTTP) and Simple Mail Transfer Protocol (SMTP) are frequently archived by ISPs. 

SMTP is the common messaging initiation protocol. So, the later you start, the more time and effort it takes to fetch the information required for your email investigation

Network Device Investigation

At times, the above-mentioned logs aren’t available. This could be due to non-configuration or denial to share log files. In this situation, forensic cyber experts check the data maintained by network devices like switches and routers.

Sender Mailer Fingerprints

In addition to the ‘subject,’, ‘from:’, and ‘to:’ headers, emails contain X-headers. Specialists track this piece of information to locate the IP address of the sender’s device.

During the investigation of an email, the sender mailer fingerprints approach identifies the sender’s software and its version. For example, Gmail, Outlook, Hotmail and more.

Software Embedded Identifiers

The sender’s software holds some additional information regarding the message and attachments— crucial for the email investigation process. Software programs used for creating a message or file capture such information. For example, Microsoft Word or Adobe Photoshop. 

If you’re keen to learn how to investigate a phishing mail, you can find these details in the form of custom headers or Multipurpose Internet Mail Extensions (MIME) content as a Transport Neutral Encapsulation Format (TNEF). 

MIME is an internet standard deployed to assist the transfer of single text, multiple texts, or non-text attachments. TNEF is an exclusive and unshared format for email attachments used by Microsoft Outlook and Microsoft Exchange Server.

Final Thoughts

With perpetually increasing cases of spamming, phishing, identity theft, and other cybercrimes, companies of all sizes should invest in cybersecurity. Email investigation is one such series of processes involved in identifying culprits of any email-related cybercrimes.

The geopolitical situation in the world has also impacted the digital side of things. According to Forbes, Russian-sourced cyberattacks rose by 800% within 48 hours of the first attack. 

The techniques shared above could scare a beginner. Still, email nerds at EasyDMARC are always ready to answer all your questions.

SPF Record Syntax: Structure and Components

SPF Record Syntax: Structure and Components

Understanding what SPF is and bringing it into use is important for technology-driven businesses...

Read More
What is a DKIM Record?

What is a DKIM Record?

What is a DKIM record? That's a question we see everywhere these days. Emails...

Read More
What is an SPF Record?

What is an SPF Record?

What if you realize a threat actor is misusing your domain name to send...

Read More