Header analysis

A crucial step in the forensic analysis of email is examining the email header. It contains information about the message not directly displayed in the body, such as sender and recipient details, timestamp, and the route the message took before reaching its final destination.

In Gmail, Outlook, Yahoo and similar webmail interfaces, the headers can be viewed by selecting "Show original", "View message source" or a similar option. This usually opens a new tab displaying the raw message: the complete header block followed by the message body.

Though not all headers are present in every email, typical data found in the email header include:

  • From: Gives the sender's display name and address. Because this field is set by the sending software and is trivial to forge, it must never be taken at face value; an investigator compares it with the envelope sender (Return-Path), the Received chain and the domain in any DKIM signature before drawing conclusions about who sent the message.
  • To: Specifies the name and address of the recipient. It is essential for establishing who the intended recipient was, and it can differ from the address the message was actually delivered to (for example when a message is sent through a mailing list or with Bcc recipients only).
  • CC and BCC: These fields list others who received copies of the message. CC (Carbon Copy) is visible to every recipient. BCC (Blind Carbon Copy) recipients are hidden from the other recipients: the Bcc header is normally stripped entirely before delivery, and when a mail system does keep it, it appears only in the copy delivered to that blind recipient. Bcc recipients are therefore usually recoverable only from server logs, not from the message itself.
  • Date and Time: Contains the moment the sending client claims the message was composed. It is valuable where timestamps serve as evidence, but it comes from the sender's software and clock, so it can be wrong or deliberately falsified; corroborate it with the timestamps in the Received headers, which are set by the servers along the path.
  • X-Mailer: Reveals the program or platform used to compose the message and can hint at the type of device used for sending. It is optional, added by the client, and easily spoofed, so it supports an attribution rather than proving one.
  • Received: Each mail server that handles the message prepends its own Received header, recording which host connected to it (HELO name, reverse DNS and IP address), the server that accepted the message, and a timestamp. The headers are therefore read from the bottom up: the bottom-most entry is the first hop and records the IP address that handed the message to the first server, which is the best lead on the sender's origin. Only the Received headers added by servers you control (or otherwise trust) are reliable; everything below them was already present when the message arrived and can have been fabricated by the sender to point elsewhere. This field is mandatory for any serious analysis.
  • DKIM-Signature header: DomainKeys Identified Mail (DKIM, RFC 6376) is a security standard that uses a digital signature, not encryption, to let the receiving server verify that the message was signed by the domain named in the d= tag and has not been altered since. The signing domain keeps a private key on its mail server and publishes the matching public key in DNS at <selector>._domainkey.<domain>, where the selector comes from the s= tag. The signature (b=) covers the headers listed in the h= tag plus a hash of the body (bh=); the receiving server fetches the public key and checks both, and normally records the outcome in an Authentication-Results header. A valid signature says only that the d= domain signed the message; it confirms the visible sender only when that domain matches the From address.
  • Message-ID: This field contains a unique identifier for the message, generated by the sending client or server and usually ending in that host's name. It is useful for locating the same message in server logs and in other mailboxes at any stage of an investigation, although, like the other client-supplied headers, it can be forged.
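The following script is an added example, not code from the original page: it runs the checks described above over a constructed message using only the Python standard library. Every host name, address and identifier in the sample is invented (the IP addresses are RFC 5737 documentation ranges), the bh= value is computed by the script itself so that the body-hash check has something to compare against, and the b= signature is a placeholder. Checking b= would require fetching the public key from DNS and an RSA/Ed25519 verifier (for example the dkimpy package), which is deliberately left out.

```python
"""Constructed example: triage of Received chain, DKIM tags and DKIM body hash."""
import base64
import hashlib
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime


def _unfold(value: str) -> str:
    """Join folded header continuation lines (RFC 5322 section 2.2.3)."""
    return re.sub(r"\r?\n[ \t]+", " ", value).strip()


RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)"                                             # name the client claimed in HELO/EHLO
    r"(?:\s+\((?P<rdns>[^\[\]()]*?)\s*\[(?P<ip>[0-9a-fA-F.:]+)\]\))?"   # reverse DNS and IP seen by the server
    r".*?\bby\s+(?P<by>\S+)",                                           # server that wrote this header
    re.S,
)


def received_chain(msg):
    """Return hops oldest-first: each MTA prepends its Received header, so the
    top of the message is the last hop and the bottom is the first."""
    hops = []
    for raw in reversed(msg.get_all("Received", [])):
        value = _unfold(raw)
        m = RECEIVED_RE.search(value)
        hop = {k: (m.group(k) if m else None) for k in ("helo", "rdns", "ip", "by")}
        stamp = value.rpartition(";")[2].strip() if ";" in value else ""  # timestamp follows the last ';'
        hop["time"] = parsedate_to_datetime(stamp) if stamp else None
        hops.append(hop)
    return hops


def dkim_tags(msg):
    """Parse the tag=value list of the first DKIM-Signature header (RFC 6376 section 3.2)."""
    raw = msg.get("DKIM-Signature")
    if raw is None:
        return None
    tags = {}
    for item in _unfold(raw).split(";"):
        name, _, val = item.partition("=")
        name = name.strip()
        if name:
            # whitespace inside b= and bh= is insignificant (signers fold them)
            tags[name] = re.sub(r"\s+", "", val) if name in ("b", "bh") else val.strip()
    return tags


def dkim_dns_name(tags):
    """DNS name where a verifier fetches the public key: <selector>._domainkey.<domain>."""
    return f"{tags['s']}._domainkey.{tags['d']}"


def from_aligned(msg, tags):
    """DKIM only proves the d= domain signed; the From domain the user sees must equal
    it (or be a subdomain) for the signature to say anything about the visible sender."""
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    d = tags["d"].lower()
    return from_domain == d or from_domain.endswith("." + d)


def canonical_body(body: str, mode: str) -> bytes:
    """RFC 6376 body canonicalization: 'simple' (3.4.3) or 'relaxed' (3.4.4)."""
    lines = body.replace("\r\n", "\n").split("\n")
    if mode == "relaxed":
        lines = [re.sub(r"[ \t]+", " ", ln).rstrip(" \t") for ln in lines]
    while lines and lines[-1] == "":      # both modes drop trailing empty lines
        lines.pop()
    if not lines:
        return b"\r\n" if mode == "simple" else b""
    return ("\r\n".join(lines) + "\r\n").encode()


def body_hash_matches(raw: str) -> bool:
    """Recompute bh= over the body as received. A mismatch means the body changed
    after signing, or the signature header was copied from another message."""
    msg = message_from_string(raw)
    tags = dkim_tags(msg)
    if not tags:
        return False
    body_mode = tags.get("c", "simple/simple").partition("/")[2] or "simple"
    algo = tags["a"].partition("-")[2]    # rsa-sha256 -> sha256
    digest = hashlib.new(algo, canonical_body(msg.get_payload(), body_mode)).digest()
    return base64.b64encode(digest).decode() == tags["bh"]


def summarize(raw: str) -> dict:
    """Collect the header facts an analyst records first."""
    msg = message_from_string(raw)
    chain = received_chain(msg)
    tags = dkim_tags(msg)
    return {
        "message_id": msg.get("Message-ID"),
        "x_mailer": msg.get("X-Mailer"),
        # Trustworthy only if the Received header naming it was written by a server
        # you control; hops below your own can be forged by the sender.
        "originating_ip": chain[0]["ip"] if chain else None,
        "hops": [(h["ip"], h["by"]) for h in chain],
        "hop_times": [h["time"].isoformat() if h["time"] else None for h in chain],
        "dkim_key_record": dkim_dns_name(tags) if tags else None,
        "dkim_from_aligned": from_aligned(msg, tags) if tags else None,
        "dkim_body_intact": body_hash_matches(raw),
    }


# Constructed sample (not a real capture): laptop -> smtp.example.org (signer) -> mx.example.com.
_BODY = "Hello Alice,\n\nPlease review the attached invoice.  \n\n\n"
_BH = base64.b64encode(hashlib.sha256(canonical_body(_BODY, "relaxed")).digest()).decode()
SAMPLE_RAW = (
    "Received: from smtp.example.org (smtp.example.org [192.0.2.10])\n"
    "\tby mx.example.com with ESMTPS id 4Tq1Kx2Lz9\n"
    "\tfor <alice@example.com>; Tue, 5 Mar 2024 10:02:13 +0000\n"
    "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=example.org;\n"
    f"\ts=sel2024; h=from:to:subject:date:message-id; bh={_BH};\n"
    "\tb=PLACEHOLDER-NOT-A-REAL-SIGNATURE\n"
    "Received: from sender-laptop (unknown [203.0.113.45])\n"
    "\tby smtp.example.org with ESMTP id 7Gh3Pq8Rt1;\n"
    "\tTue, 5 Mar 2024 10:02:11 +0000\n"
    "From: Bob <bob@example.org>\n"
    "To: Alice <alice@example.com>\n"
    "Subject: Invoice\n"
    "Date: Tue, 5 Mar 2024 10:02:10 +0000\n"
    "Message-ID: <20240305100210.1234@smtp.example.org>\n"
    "X-Mailer: ExampleMailer/1.0\n"
    "\n" + _BODY
)

if __name__ == "__main__":
    for key, val in summarize(SAMPLE_RAW).items():
        print(f"{key}: {val}")
```

Note that under relaxed canonicalization a relay that collapses whitespace in the body leaves bh= valid, whereas changing a single character does not; the body-hash check thus separates benign transport rewriting from tampering, but it says nothing about who signed until b= has been verified against the DNS key.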