Most of what is done under the name of e-mail forensics is really just data extraction and reporting, not forensics. Digital forensics is a branch of forensic science that focuses on the recovery and investigation of raw data residing in electronic or digital devices. The goal of the process is to extract and recover any information from a digital device without altering the data present on the device.

Gmail and Yahoo Mail Forensics

With the introduction of technologies such as AJAX (Asynchronous JavaScript and XML), recovery of web-mail artifacts has become more difficult for the forensic examiner. Many web-mail artifacts, particularly the content of a message, are typically no longer stored in areas of the disk where examiners may be used to finding them. Instead, examiners must rely on items such as the paging file and hibernation file for recovery of web-mail artifacts. A system’s RAM is a potential source of web-mail related information as well; however, due to the fact that many forensic examiners do not become involved until after the machine in question has been powered down, this may not be an available option.

Recovering Emails 

An email is made up of various components that together support its forensic analysis: the body, the header and its fields, the attachments and their related properties. The first level of email forensics is collecting the data in a readable form, which means data recovery. Once the data to be investigated has been converted into a readable format, the rest of the analysis is simplified.

Data recovery, although a wide arena, has become a requirement for investigators, as it helps restore and filter emails without damaging their integrity. Tools available for email forensics deploy recovery algorithms so that all stages of eDiscovery can be carried out successfully.

Some Techniques 

Don’t rely on a single tool; it may give false positives. Analyse with different tools and resources. By combining traditional digital forensics with techniques from eDiscovery and information governance, investigators can:
• For e-mails: quickly and simply identify suspicious patterns such as:
– Messages sent outside business hours
– Messages sent from corporate accounts to personal addresses, the media, or competing companies
– Messages containing encrypted zip files as attachments.
• Use IP address geo-positioning, mobile phone call records, and GPS data embedded in photos to plot locations on a map.
• Reconstruct email conversations, text messages, and online chats from multiple sources so an investigator can read them in the order sent between individuals.
• Apply skin-tone analysis to quickly identify inappropriate images and trace their origin.
• Identify duplicate and near-duplicate documents, so investigators can act on them more intelligently, either setting them aside or targeting them for deeper analysis.
• Identify relevant evidence in unallocated clusters by connecting recovered data to similar content in allocated files.
• Combine near-duplicate and word context analysis to quickly identify and eliminate large quantities of irrelevant data.

As the use of electronic documents as evidence in legal proceedings becomes more and more popular, so do email forgery, electronic document date forgery and other electronic fraud. However, electronic documents usually contain numerous metadata fields, rendering most forgery attempts discoverable. Email transport headers and other metadata, such as the Microsoft Outlook Messaging API (MAPI) properties Conversation Index, Sent Time and Delivery Time, are just a few of the numerous metadata fields computer forensics experts can use during email forgery analysis.
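The header checks described above, as a worked example: comparing the sender-supplied Date: against the transport (Received:) headers for forgery analysis, and flagging the off-hours and corporate-to-personal-address patterns from the techniques list. This is added example code, not from the post or the cited papers; the business hours, the webmail domain list, the skew tolerance and the sample message are assumptions constructed for illustration.

```python
from datetime import timezone
from email import message_from_string, utils

# Assumed policy values; adjust to the organisation under investigation.
BUSINESS_HOURS_UTC = (8, 18)      # start inclusive, end exclusive
WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}
MAX_DATE_SKEW_SECONDS = 15 * 60   # ordinary client/MTA clock drift

# Constructed sample, not a real capture: the client-supplied Date: claims the
# message was written two days before the first mail server accepted it.
RAW_MAIL = """\
Received: from mail.example.org (mail.example.org [203.0.113.10])
    by mx.example.net with ESMTP id abc123
    for <friend@gmail.com>; Wed, 15 Mar 2023 23:41:07 +0000
Received: from [192.0.2.25] by mail.example.org with ESMTPA;
    Wed, 15 Mar 2023 23:40:58 +0000
Date: Mon, 13 Mar 2023 09:15:00 +0000
From: Alice <alice@example.org>
To: friend@gmail.com

see attached
"""

def received_times(msg):
    """Timestamps of each Received: header, top (last hop) to bottom (first hop)."""
    stamps = [h.rsplit(";", 1)[-1].strip() for h in msg.get_all("Received", [])]
    return [utils.parsedate_to_datetime(s).astimezone(timezone.utc) for s in stamps]

def triage(raw):
    msg = message_from_string(raw)
    hops = received_times(msg)
    first_hop = hops[-1] if hops else None   # the MTA that accepted the mail from the sender
    findings = {}
    if first_hop and msg["Date"]:
        # Forgery indicator: the sender-controlled Date: disagrees with the first MTA's clock.
        skew = (first_hop - utils.parsedate_to_datetime(msg["Date"])).total_seconds()
        findings["date_skew_seconds"] = skew
        findings["date_suspicious"] = abs(skew) > MAX_DATE_SKEW_SECONDS
    if first_hop:
        # Off-hours or weekend sending, judged by the MTA timestamp rather than Date:.
        start, end = BUSINESS_HOURS_UTC
        findings["off_hours"] = not (start <= first_hop.hour < end) or first_hop.weekday() >= 5
    # Corporate sender addressing personal webmail accounts.
    sender = utils.parseaddr(msg.get("From", ""))[1]
    rcpts = utils.getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    findings["sender_domain"] = sender.rpartition("@")[2].lower()
    findings["webmail_recipients"] = sorted(
        a for _, a in rcpts if a.rpartition("@")[2].lower() in WEBMAIL_DOMAINS)
    return findings
```

Run `triage(RAW_MAIL)` on the sample: the Date: header lags the first Received: stamp by more than two days, the mail left the corporate server at 23:40 UTC, and the only recipient is a webmail address.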

Some resources:

Techniques And Tools For Forensic Investigation Of E-Mail

A Comparative Study of Email Forensic Tools

Email forensic tools: A roadmap to email header analysis through a cybercrime use case
