Email Investigations and Digital Forensics

Email is the most widely used form of communication for businesses and individuals today, and it is often exposed to illegitimate uses. If you are a forensic investigator, you will probably need to be able to determine whether an email has been falsified. This article explores a few basic methods for gathering and analyzing data in an email investigation and forensic analysis.

Email Headers and MAPI properties

The first steps in any email investigation are to identify all the potential sources of information. Email messages contain numerous metadata fields (MAPI properties) that can be useful for digital forensic analysis of emails.


There are a few MAPI properties that are frequently extracted by computer forensics and e-Discovery software:

Email Date and Time

When a sender submits an e-mail, it is stamped with the date and time in the PR_CLIENT_SUBMIT_TIME property. When that e-mail reaches the recipient's mailbox, Outlook/Exchange stamps the PR_MESSAGE_DELIVERY_TIME and PR_CREATION_TIME properties. If the e-mail remains unaltered, PR_LAST_MODIFICATION_TIME will match PR_CREATION_TIME. If these two properties do not match, the e-mail was modified by the user, since no other process updates this property.


Email Body

Email can be sent in several formats, the most common being plain text, RTF and HTML. Both RTF and HTML use formatting codes, and these codes allow a low-level analysis of the body text.


Conversation Index

The email conversation index property indicates the relative position of a message within a conversation thread and is typically populated by the e-mail client for each outgoing message. Information extracted from the Conversation index property can help answer key questions such as:

  • Is the message in question a new message, or was it created by replying to or forwarding another message?
  • If the message is part of an e-mail thread, when was the thread started?
  • When were other messages in the e-mail thread created?
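As an added example (not code from the article or from PST Walker), the following Python encodes and decodes the PR_CONVERSATION_INDEX layout described in MS-OXOMSG: a 22-byte header (reserved byte, truncated FILETIME, thread GUID) followed by one 5-byte block per reply or forward, each carrying a coded time delta. The thread times and GUID are constructed, the encoder exists only so the decoder can be exercised offline, and the reading of the deltas as accumulating level by level is my understanding of the specification.

```python
from datetime import datetime, timedelta, timezone
import uuid

# FILETIME counts 100 ns ticks since 1601-01-01 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def from_filetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def encode_conversation_index(started, guid, reply_times):
    """Build a PR_CONVERSATION_INDEX: 22-byte header plus a 5-byte block per reply level."""
    ft = to_filetime(started)
    # Header: reserved 0x01, bytes 1..5 of the big-endian FILETIME (top byte and
    # low 16 bits dropped), then the 16-byte thread GUID.
    out = bytearray(b"\x01" + ft.to_bytes(8, "big")[1:6] + guid.bytes)
    prev = ft & ~0xFFFF  # the start time a decoder recovers from the truncated header
    for level, t in enumerate(reply_times, start=1):
        delta = to_filetime(t) - prev
        assert delta >= 0, "a reply cannot predate the message it answers"
        # Code bit 0: 31-bit delta in units of 2^18 ticks (~26 ms, range ~1.8 years);
        # code bit 1: units of 2^23 ticks (~0.84 s, range ~57 years).
        code, shift = (0, 18) if delta < (1 << 49) else (1, 23)
        quantised = delta >> shift
        out += ((code << 31) | quantised).to_bytes(4, "big")
        out.append(level & 0x0F)  # high nibble: random (0 here); low nibble: level
        prev += quantised << shift  # assumption: deltas accumulate level by level
    return bytes(out)

def decode_conversation_index(data):
    """Return the thread start time, the thread GUID and the creation time of each reply level."""
    if len(data) < 22 or data[0] != 0x01 or (len(data) - 22) % 5:
        raise ValueError("not a well-formed conversation index")
    # Assumption: the dropped top FILETIME byte is 0x01, which holds for dates 1829..2057.
    start_ft = (1 << 56) | (int.from_bytes(data[1:6], "big") << 16)
    guid = uuid.UUID(bytes=data[6:22])
    levels, current = [], start_ft
    for off in range(22, len(data), 5):
        word = int.from_bytes(data[off:off + 4], "big")
        shift = 23 if word & 0x80000000 else 18
        current += (word & 0x7FFFFFFF) << shift
        levels.append(from_filetime(current))
    return from_filetime(start_ft), guid, levels

def sample_thread():
    """Constructed sample: a thread started 2023-03-01 with three replies, the last two years later."""
    started = datetime(2023, 3, 1, 9, 0, tzinfo=timezone.utc)
    replies = [started + timedelta(hours=2), started + timedelta(days=3), started + timedelta(days=730)]
    return started, uuid.UUID("12345678-1234-5678-1234-567812345678"), replies
```

Decoding the index of a message that claims to be a fresh message but carries reply blocks, or whose header time disagrees with PR_CLIENT_SUBMIT_TIME, is the kind of inconsistency the questions above are meant to surface.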

Hidden Inbox Rules and Alerts

Hidden rules may contain sensitive information but are no longer visible in Outlook. Since Outlook 2010, rules are stored on a per-mailbox basis. If a user has configured multiple mailboxes in Outlook, you will need to review the rules for each mailbox.


Conclusion

Combined with additional evidence from the email server or internal email metadata, the information contained in the email MAPI properties can be very helpful in the forensic analysis of emails.
