As we know almost just doing data extraction & reporting, not forensics. Digital forensics is a branch of forensic science focusing on the recovery and investigation of raw data residing in electronic or digital devices. The goal of the process is to extract and recover any information from a digital device without altering the data present on the device.

Gmail Yahoo Mail Forensic

With the introduction of technologies such as AJAX (Asynchronous JavaScript and XML), recovery of webmail artifacts has become more difficult for the forensic examiner. Many webmail artifacts, particularly the content of a message, are typically no longer stored in areas of the disk where examiners may be used to finding them. Instead, examiners must rely on items such as the paging file and hibernation file for recovery of webmail artifacts. A system’s RAM is a potential source of webmail related information as well; however, due to the fact that many forensic examiners do not become involved until after the machine in question has been powered down, this may not be an available option.


Recovering Emails 

An email is made up of various components that collaboratively help in its forensics. Email body, header and its fields, attachments, and its related properties assist in its analysis. The various levels of email forensics include collecting data in a readable form, which means Data Recovery. At the initial stage, when the data to be investigated is converted into a readable format, it simplifies rest of its forensics.

Data Recovery, although is a wide area has become a line of the requirement for investigators as it helps in restoring and filtering emails without damage to its integrity. Tools that are available for email forensics do deploy algorithms for recovery so that all stages of e-discovery are carried out successfully.

Some Techniques 

Don’t rely on single tool, it may give false positive. We Should analysis with different tools and resources. By combining traditional digital forensics with techniques from e-discovery and information governance, investigators can:
• Incase E-mails: Quickly and simply identify suspicious patterns such as:
– Messages sent outside of business hours
– Messages sent from corporate accounts to personal addresses, the media, or competing companies
– Messages containing encrypted zip files as attachments.
• Use IP address geo-positioning, mobile phone call records, and GPS data embedded in photos to plot locations on a map.
• Reconstruct email conversations, text messages, and online chats from multiple sources so an investigator can read them in the order sent between individuals.
• Apply skin-tone analysis to quickly identify inappropriate images and trace their origin.
• Identify duplicate and near-duplicate documents, investigators can act on them more intelligently, either setting them aside or targeting them for deeper analysis.
• Identify relevant evidence in unallocated clusters by connecting recovered data to similar content in allocated files.
• Combine near-duplicate and word context analysis to quickly identify and eliminate large quantities of irrelevant data.

Some Snapshot





As the use of electronic documents as evidence in legal proceedings is becoming more and more popular, so is email forgery, electronic document data forgery, and other electronic fraud. However, electronic documents usually contain numerous metadata fields, rendering most forgery attempts discoverable. Email transport headers and other metadata such as the Conversation Index, Sent Time and Delivery Time Microsoft Outlook Messaging API (MAPI) Properties are just a few of the numerous metadata fields computer forensics experts can use during email forgery analysis.

Some resources :

  1. Techniques And Tools For Forensic Investigation Of E-Mail
  2. A Comparative Study of Email Forensic Tools
  3. Email forensic tools: A roadmap to email header analysis through a cyber crime use case
  4. Email-header analysis
  5. Journal on Email forensic tools: A roadmap to email header analysis through a cyber crime use case
  6. Forensic Email Search
  7. Forensic Email Search by GBHacker

One Comment Add yours

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s