E-mail header analysis
This module performs a forensic analysis of the headers of an e-mail
message. The e-mail headers contain information which is added by each mail
server as the message travels from sender to recipient. By analysing the
headers, the route the message took, and therefore its origin, can be traced.
All internet resources found in the headers (e.g. IP addresses or names of mail
servers) can be clicked to start an in-depth analysis with the "deep analysis"
module.
Now that we have the e-mail headers of the message under investigation at hand, copy them in their entirety (select the whole text of the headers, right-click and choose "Copy" from the menu) and paste them into the "e-mail header analysis" module. Click the "start analysis" button. The headers are now parsed and analysed; this can take between 20 and 60 seconds.

The result is a list of all the mail hops found in the mail
headers. One mail hop consists of the information added by one mail server (SMTP
server) to the headers of the e-mail message, normally as a "Received:" header
line. A message which is sent using mail server A (from the ISP of the sender),
received by the anti-spam mail server B (as defined in the MX record) and
forwarded to the final mail server C (which manages the mailboxes) should
therefore contain 3 mail hops.
Each mail hop contains a set of information. The amount of information, the
accuracy and the reliability of the information can vary greatly between the
mail hops. The Webtracer tries to retrieve as much information as possible from
each mail hop.
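To make the hop structure concrete, here is an added example (it is not Webtracer code and does not show how Webtracer parses headers) that splits a constructed set of headers into mail hops. Each server prepends its own "Received:" line, so the chain reads bottom to top; the example reverses it into travel order, extracts the claimed sending host, the bracketed IPv4 address, the receiving server and the timestamp of every hop, and goes a little beyond the text by marking where the trustworthy part of the chain begins and by flagging hops whose timestamp runs backwards. All host names, addresses and the trusted-server set are assumptions; the header text is constructed for the example, not taken from a real message.

```python
"""Split an e-mail's Received: chain into mail hops (added example, not Webtracer code)."""
import email
import re
from email.utils import parsedate_to_datetime

# Constructed sample: sender's ISP (hop 1), anti-spam MX (hop 2), mailbox server (hop 3).
# All hosts and addresses are made up for this example.
SAMPLE_HEADERS = (
    "Received: from antispam.example.net (antispam.example.net [203.0.113.5])\n"
    "\tby mail.example.com (Postfix) with ESMTPS id 4X1Y2Z\n"
    "\tfor <victim@example.com>; Mon, 03 Mar 2014 10:15:30 +0100\n"
    "Received: from smtp-out.isp.example (smtp-out.isp.example [198.51.100.7])\n"
    "\tby antispam.example.net with ESMTP; Mon, 03 Mar 2014 10:15:28 +0100\n"
    "Received: from [192.0.2.33] (unknown [192.0.2.33])\n"
    "\tby smtp-out.isp.example (Postfix) with ESMTPA id ABC123;\n"
    "\tMon, 03 Mar 2014 10:15:25 +0100\n"
    "From: sender@isp.example\n"
    "To: victim@example.com\n"
    "Subject: test\n"
    "\n"
)

# Same message, but the sender wrote a bogus Received: line into the draft before
# handing it to the ISP, so it sits at the bottom of the chain and looks like hop 1.
FORGED_HEADERS = SAMPLE_HEADERS.replace(
    "From: sender@isp.example\n",
    "Received: from mail.bank.example (mail.bank.example [203.0.113.99])\n"
    "\tby relay.bank.example; Mon, 03 Mar 2014 11:00:00 +0100\n"
    "From: sender@isp.example\n",
)

IPV4_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")  # bracketed IPv4 only
FROM_RE = re.compile(r"\bfrom\s+([^\s;()]+)")
BY_RE = re.compile(r"\bby\s+([^\s;()]+)")
DATE_RE = re.compile(r";\s*([^;]+)$")  # the timestamp follows the last ';'


def parse_received(value):
    """Pull host, IP, receiving server and time out of one Received: value."""
    v = re.sub(r"\s+", " ", value).strip()  # unfold continuation lines
    m_from, m_by, m_ip, m_date = FROM_RE.search(v), BY_RE.search(v), IPV4_RE.search(v), DATE_RE.search(v)
    ts = None
    if m_date:
        try:
            ts = parsedate_to_datetime(m_date.group(1))
        except (TypeError, ValueError):
            ts = None  # unparseable date: keep the hop, just without a time
    return {
        "from": m_from.group(1) if m_from else None,
        "ip": m_ip.group(1) if m_ip else None,
        "by": m_by.group(1) if m_by else None,
        "time": ts,
        "raw": v,
    }


def parse_hops(raw_headers):
    """Return the hops in travel order: hop 0 is the first server that handled the mail.
    Servers prepend their Received: line, so the header order has to be reversed."""
    msg = email.message_from_string(raw_headers)
    received = msg.get_all("Received") or []
    return [parse_received(v) for v in reversed(received)]


def first_trusted_hop(hops, trusted_servers):
    """Index of the first hop recorded by a server under our control.
    Every hop before it was written by someone else's machine and may be forged."""
    for i, hop in enumerate(hops):
        if hop["by"] and hop["by"].lower() in trusted_servers:
            return i
    return None


def timestamp_anomalies(hops):
    """Indices of hops whose timestamp is earlier than the previous hop's.
    Clock skew of a few seconds is normal; a large jump backwards is suspicious."""
    return [
        i for i in range(1, len(hops))
        if hops[i]["time"] and hops[i - 1]["time"] and hops[i]["time"] < hops[i - 1]["time"]
    ]


if __name__ == "__main__":
    trusted = {"antispam.example.net", "mail.example.com"}  # assumed: our own servers
    for label, headers in (("genuine", SAMPLE_HEADERS), ("forged", FORGED_HEADERS)):
        hops = parse_hops(headers)
        print(f"{label}: {len(hops)} hops, trust starts at hop {first_trusted_hop(hops, trusted)},"
              f" time anomalies at {timestamp_anomalies(hops)}")
        for i, h in enumerate(hops):
            print(f"  hop {i}: from {h['from']} [{h['ip']}] by {h['by']} at {h['time']}")
```

The genuine sample yields the three hops described above; the forged one yields four, and the extra bottom hop is both outside the trusted part of the chain and timestamped after the hop that supposedly followed it. Hops recorded by your own servers are the only ones whose "from" host and IP address were observed rather than merely claimed, which is why the analysis should start there and work backwards with increasing scepticism.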

All internet resources found in the mail hop are displayed as a tree node. By clicking the [+] sign, the node is expanded and a set of tests is performed on the internet resource to find more information. This analysis is identical to the analysis performed in the “deep internet resource” analysis module. Let’s expand the sending mail server of the first mail hop from the example:

We can see background information on bestdiscounttelephonerates.com, the
domain of the sending mail server in the first mail hop (the node which is expanded).
Note that e-mail headers can easily be forged: a sender can write any "Received:"
lines into a message before handing it over, and only the hops added by servers
you trust record what was actually observed. Careful analysis of all available
information is necessary for a successful investigation!