Monday, May 13, 2019

Email Headers


One of the first things to learn about emails is that they have headers. The header for an email message tells you a great deal about the email. The standard for email format, including headers, is RFC 2822. It is important that all email uses the same format. That is why you can send an email from Outlook on a Windows 10 PC and the recipient can read it from a Hotmail account on an Android phone that runs Linux. This is because all email programs use the same email format, regardless of what operating system they run on.

Make sure that any email you offer as evidence includes the message, any attachments, and the full email header. The header keeps a record of the message’s journey as it travels through the communications network. As the message is routed through one or more mail servers, each server adds its own information to the message header. Each device in a network has an Internet Protocol (IP) address that identifies the device and can be resolved to a location address or area. A forensic investigator may be able to identify IP addresses from a message header and use this information to determine who sent the message. Of course, IP address assignments do change over time, so collaboration with Internet service providers might be necessary.

Most email programs normally display only a small portion of the email header along with a message. This usually is information that the sender puts in the message, such as the “To” address, subject, and body of the message. You can view and examine the full header record by using tools available in the email client.

NOTE
RFC 2822 supplements the older RFC 822 with a few notable enhancements. RFC 822 was originally designed as the standard for text messages sent over the ARPANET network, which was the precursor to the modern Internet. You can check out http://tools.ietf.org/html/rfc822 for more details.

An email investigation begins with a review of an email message followed by a detailed examination of the message header information. Look at the header in more detail to find additional information associated with the email message. The message header provides an audit trail of every machine through which the email has passed.

Consider the specifications for email format given in RFC 2822:

The message header must include at least the following fields:

From—The email address and, optionally, the name of the sender

Date—The local time and date when the message was written

The message header should include at least the following fields:

Message-ID—An automatically generated field

In-Reply-To—The message-ID of the message that this is a reply to; used to link related messages together

RFC 3864 describes message header field names. Common header fields for email include the following:

To—The email address and, optionally, name of the message’s primary recipient(s).

Subject—A brief summary of the topic of the message.

Cc—Carbon copy; a copy is sent to secondary recipients.

Bcc—Blind carbon copy; a copy is sent to addresses added to the SMTP delivery list while the Bcc address remains invisible to other recipients.

Content-Type—Information about how the message is to be displayed, usually a Multipurpose Internet Mail Extensions (MIME) type.

Precedence—Commonly with values “bulk,” “junk,” or “list”; used to indicate that automated “vacation” or “out of office” responses should not be returned for this mail, for example, to prevent vacation notices from being sent to all other subscribers of a mailing list.

Received—Tracking information generated by mail servers that have previously handled a message, in reverse order (last handler first).

References—Message-ID of the message to which this is a reply.

Reply-To—Address that should be used to reply to the message.

Sender—Address of the actual sender acting on behalf of the author listed in the From field.

There is a wealth of information in these headers, so examining them is very important.
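As an added illustration (not from the original text), this Python sketch uses the standard `email` module to read the Received chain of a constructed message in travel order and to flag timestamps that run backwards. The hosts, IP addresses, and function names are made up for the example.

```python
import re
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: example domains and documentation-range IPs (RFC 5737).
RAW = """\
Received: from relay.isp.example (relay.isp.example [198.51.100.7])
\tby mx.recipient.example with ESMTP id B2;
\tMon, 13 May 2019 10:00:05 -0400
Received: from mail.sender.example (mail.sender.example [203.0.113.25])
\tby relay.isp.example with ESMTP id A2;
\tMon, 13 May 2019 10:00:03 -0400
Received: from [192.0.2.44] (helo=laptop)
\tby mail.sender.example with ESMTP id A1;
\tMon, 13 May 2019 10:00:01 -0400
From: Alice <alice@sender.example>
Date: Mon, 13 May 2019 09:59:58 -0400
Message-ID: <1234@sender.example>

Body text.
"""

def trace_hops(raw):
    """Return the Received chain in travel order (first handler first)."""
    hops = []
    # Servers prepend Received lines, so the header lists the last handler first.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        flat = " ".join(value.split())           # undo header folding
        _, _, stamp = flat.rpartition(";")       # timestamp follows the last ';'
        ip = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", flat)
        by = re.search(r"\bby\s+(\S+)", flat)
        try:
            when = parsedate_to_datetime(stamp.strip())
        except (TypeError, ValueError):
            when = None                          # missing or malformed date
        hops.append({"from_ip": ip.group(1) if ip else None,
                     "by": by.group(1) if by else None, "time": when})
    return hops

def backwards_steps(hops):
    """Indexes of hops stamped earlier than the hop before them."""
    times = [h["time"] for h in hops]
    return [i for i in range(1, len(times))
            if times[i] and times[i - 1] and times[i] < times[i - 1]]

if __name__ == "__main__":
    for hop in trace_hops(RAW):
        print(hop["time"], hop["from_ip"], "->", hop["by"])
```

A backwards step can be clock skew between servers or a Received line that was not written by the server it names, so treat it as a prompt to look closer, not as proof.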

Getting Headers in Outlook
To look at a header in Outlook 2010, with a specific message open, select File and then Info, as shown in FIGURE 7-2. Then select Properties, and you will be able to view the headers, as shown in FIGURE 7-3.


FIGURE 7-2
Outlook 2010 headers Step 1.

Used with permission from Microsoft.


FIGURE 7-3
Outlook 2010 headers Step 2.

Used with permission from Microsoft.

You can see it is relatively easy to view the headers using Outlook. Older versions of Outlook have a different method to get to headers. With Outlook 2000/2003/2007, there are two methods:

Method #1—Right-click the message in the folder view, and then choose Options.

Method #2—In an open message, choose View and then Options.

With either method, you’ll see the Internet headers portion of the Message Options dialog box. Regardless of the version of Outlook you have and the method you use to view the headers, the headers appear similar to what is shown in FIGURE 7-4.

Getting Headers from Yahoo! Email
If you are working with Yahoo! email, you will need to first open the message. On the lower right, there is a link named Full Headers, which is shown in FIGURE 7-5. If you click on that link, you can see the headers for that email, shown in FIGURE 7-6.


FIGURE 7-4
Outlook headers.

Used with permission from Microsoft.


FIGURE 7-5
Find Yahoo! headers.

Courtesy of Yahoo!


FIGURE 7-6
View Yahoo! headers.

Courtesy of Yahoo!


FIGURE 7-7
Find Gmail headers.

Google and the Google logo are registered trademarks of Google Inc., used with permission

Getting Headers from Gmail
Viewing email headers in Gmail is fairly simple; just follow these steps:

Log on to Gmail.

Open the message for which you want to view headers.

Click the down arrow next to Reply, at the top of the message pane. Be certain you click the arrow next to Reply—not the Reply button itself.

Select Show Original.

This is shown in FIGURE 7-7.

The headers appear in a separate window and look similar to what is shown in FIGURE 7-8.

Other Email Clients
A vast number of email clients are available for people to use. It is not beneficial to you to go through each and every one separately. By now, you should be noticing some similarities in the processes. However, you can see the basic steps for many of these clients in this section.


FIGURE 7-8
View Gmail headers.

Google and the Google logo are registered trademarks of Google Inc., used with permission.

Hotmail
Hotmail is similar to Gmail:

Select Inbox from the menu on the left.

Right-click the message for which you want to view headers, and select View Message Source.

The full headers will appear in a new window.

Apple Mail
Apple Mail is pretty straightforward:

Open Apple Mail.

Click on the message for which you want to view headers.

Go to the View menu.

Select Message, then Long Headers.

The full headers will appear in the window below your Inbox.

You can get a list of other email clients from Google Support at http://support.google.com/mail/answer/22454?hl=en.

Of course, you can always use your favorite search engine to search for the email client you are using. It is usually quite easy to find out how to view headers.

Email Files
Local storage archives are any archives that have an independent archive format from a mail server. Examples of these types of archives include the following:

.pst (Outlook)

.ost (Offline Outlook Storage)

.mbx or .dbx (Outlook Express)

.mbx (Eudora)

.eml (common to several email clients)

You need to know how to find these files and how to view them. For example, in Outlook a clever criminal might have a second .pst file containing email messages that he loads only when committing his nefarious activities. If his computer is seized and you simply look in Microsoft Outlook, you won’t see any incriminating evidence. If you search the suspect drive and find an additional .pst file, you can easily mount it in Outlook by selecting File, Open, and Open Outlook Data File, as shown in FIGURE 7-9.
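An added sketch (not part of the original text) of the drive search described above: it sweeps a mounted copy of the evidence for the mail-store extensions named on this page and records a SHA-256 for each hit. It goes one step beyond the text by also checking for the `!BDN` signature that opens Outlook data files, so a .pst saved under another extension still shows up; the directory layout and function names are assumptions.

```python
import hashlib
import os
import tempfile

# Extensions named on this page; PST_MAGIC is the 4-byte signature that
# opens every Outlook .pst/.ost file in Microsoft's published format.
MAIL_EXTS = {".pst", ".ost", ".mbx", ".dbx", ".eml"}
PST_MAGIC = b"!BDN"

def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def find_mail_stores(root):
    """Return sorted (relative path, reason, sha256) for candidate archives."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            ext = os.path.splitext(name)[1].lower()
            try:
                with open(path, "rb") as fh:
                    head = fh.read(4)
                if head == PST_MAGIC and ext not in (".pst", ".ost"):
                    reason = "PST signature, misleading name"
                elif ext in MAIL_EXTS:
                    reason = "mail archive extension"
                else:
                    continue
                hits.append((os.path.relpath(path, root), reason, sha256_file(path)))
            except OSError:
                continue  # unreadable file: keep sweeping
    return sorted(hits)

def demo():
    # Constructed evidence tree: a normal .pst plus a copy renamed to .bak.
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents", "tax"))
        for rel in ("Documents/Outlook.pst", "Documents/tax/2018.bak"):
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(PST_MAGIC + b"\x00" * 60)
        with open(os.path.join(root, "notes.txt"), "w") as fh:
            fh.write("no mail here")
        return find_mail_stores(root)
```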

There are tools that allow you to convert from one email file format to another. For example, the accused’s email file could be an EML file, but you use Outlook. It would be helpful to translate that file into an Outlook .pst format. Transend Migrator (http://www.transend.com) is a tool that will do this for you.

In addition, a number of forensic tools can examine the email files for you. A few examples include the following:

Paraben’s Email Examiner—This tool is meant specifically to analyze email. It is available at http://www.paraben.com/email-examiner.html. This will be discussed in the following section.

Guidance Software’s EnCase—This is a general-purpose forensic tool. You can find more information about EnCase at http://www.guidancesoftware.com.

AccessData’s Forensic Toolkit (FTK)—This is another general-purpose forensic tool. You can find more details about FTK at http://www.accessdata.com/.

PassMark’s OSForensics—This is a general-purpose forensics tool that can find and examine emails on a suspect drive image. You can learn more at http://www.osforensics.com.

LibPST package—This is an open source tool. You can get this tool from http://www.five-ten-sg.com/libpst/.


FIGURE 7-9
Opening a .pst file in Outlook.

Used with permission from Microsoft

Paraben’s Email Examiner
Although there are many tools available that may be used with email forensics, Paraben’s Email Examiner is exclusively for email forensics, so it merits a closer look. Paraben works like the more complete forensic suites (Forensic Toolkit and EnCase) in that evidence is grouped by case. When you first start Paraben, you select New and then create a new case, as shown in FIGURE 7-10. Paraben will also associate information about the investigator along with the case information. This is shown in FIGURE 7-11.


FIGURE 7-10
A new Paraben case.

Courtesy of Paraben Corporation.


FIGURE 7-11
The investigator.

Courtesy of Paraben Corporation.


FIGURE 7-12
Select your email database.

Courtesy of Paraben Corporation.

Next, you select the type of email database you are going to be working with. The major email clients are all represented, as you can see in FIGURE 7-12.

At this point, you select the database you want to work with, and it is added to the case. From within Paraben, you can sort, search, scan, and otherwise work with the email data. Paraben can also generate reports of the data showing whatever data is most relevant to your case—or all the email data, if you prefer.

ReadPST
ReadPST is a program made available as part of the libPST package, which is available at http://alioth.debian.org/projects/libpst/. You will need to download and compile it because it is not available in a precompiled format. Once you have done so, you can run it and use it to examine PST files.

ReadPST will first convert the PST into RFC-compliant UNIX mail. You can access the extracted mail and attachments with any standard UNIX mail client. If you have access to Microsoft Outlook, there is no need to use ReadPST.
